Writing Down Passwords?

Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.

Re:recommendations?

I've got this thing called a spiral bound notebook...

Re:recommendations?

It's a good idea to hide passwords that you've written on paper - but you don't need a safe. Just stick it to the bottom of the keyboard like I do. No one will every find it there.

Re:recommendations?

Just as long as they're being appropriately hidden. One of the few times that I ever snapped at a user without being provoked was when I saw, in the HR department, the name of the bank, dial-up number, account number, and password for the payroll account on a Post-It on the user's bulletin board, with the following words in big letters:

PAYROLL ACCOUNT MASTER LOGIN

I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back everyday for a week, and periodically for a few months afterward, at times when the user was not there to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.

vim has integrated encryption

vim has integrated cryptographic functionality through VimCrypt. :help :X for more information.

I have a rather large master password list for every server at work which I store this way. It's quite handy.

Re:recommendations?

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Re:recommendations?

i wrote this in 2 seconds, but it duplicates what the original post does. you need string::random [cpan.org], you could roll your own but i'm lazy and counterstrike is calling my name. enjoy!

use String::Random;

$pass = new String::Random;

for($i=0;$i<26;$i+=3)
{
printf("%c-%s\t",($i+65),$pass->randpattern("...") );
printf("%c-%s\t",($i+66),$pass->randpattern("...") );
printf("%c-%s\n",($i+67),$pass->randpattern("...") );
}

-dk

Re:recommendations?

I thought what he had posted was the Perl script.

Google groups

No, no, just post them to Google Groups! That way you can always get back to them no matter where you are!

Re:Google groups

Ive actually done that... should I be shot? Not plain text of course, simply use a word shift encryption which can be easily deciphered by hand. I posted all my current passwords like that and it has come in handy quite a bit. (I also have posted same list on slashdot comments)

Has something changed in the past 2 weeks?

Aren't all the reasons that this is a good/bad idea the same as they were then?

Who cares?

If you are willing and able to get into the wire room by any means ( either by breaking in, or sneaking in, or even walking in ), why would you bother with the password? You could just insall a hidden tap and be done with it.

Re:it's in my wallet

would your password be 'trojanman' or 'lifestyles', by chance?

Even better - KeePass

I found out about KeePass (http://keepass.sourceforge.net/ [sourceforge.net]) on that previous story, so I've started using it. It's a very handy utility to have! It can keep track of all my passwords for various email accounts, websites, etc. It's a simple program that (based on my experience so far), just works!

If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.

I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!

Passwords? Blog 'em!

Hide them where cr@ck3rz will least expect them - your blog!

Either that,

Either that, or call the help desk like I do.

They always seem to know what it is.

We're on a first name basis.

Context!

Should you drive on the left hand side of the road, or the right hand side?

Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.

Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.

But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidently slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.

Could be

Well, how good is your physical security?. If the system will be accessed from an environment where there are likely to be unauthorized people wandering around all the time (large office, public area, etc), then don't write it down. If the system will be accessed from a place that only people you trust have access to (home), then it's not a danger- and if your home is ever compromised, having your router password in plain sight is the least of your worries.

Jon Udell: Simple single sign-on

See Jon Udell's
Simple single sign-on [infoworld.com] article from May 2005:

It points out a few simple solutions that will solve many people's problems.

Like anything else

The security of writing down passwords depends upon the security of the paper they are written upon.

If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.

However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.

Get a keyring

A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.

PASSWORD SAFE!!!

Bruce Schniers (now Open Source) App:

Password Safe [schneier.com]

Is exactly what you need to "write down" passwords with. You only need remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.

I have over 50 username/password combos stored in mine with a strong password to open the database itself.

If you need to write down a password, this is the way to do it.

best password mnemonic ever

1. pick a number (one to three digits probably)

2. add 5

3. multiply by 3

4. square this number

5. add the digits over and over until you get only one digit (i.e. 64=6+4=10=1+0=1)

6. if the number is less than 5 then add five otherwise subtract 4

7. multiply by 2

8. subtract 6

9. use this number to select a letter of the alphabet 1=A, 2=B, 3=C, etc.

10. pick the name of a country that begins with that letter

11. take the second letter in the country name and think of an animal that begins with that letter

but wait...

there are no elephants in Denmark!

physical password security

I tell my users that if they do write down their password/creds that they should treat it in the same way they do their drivers license or passport. After all, those are credentials too and it provides a good analogy so people can better understand what their responsibilites are regarding them.

That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.

Call that a bit draconian if you will but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about wether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.

Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.

Coincidentally...

I'm sitting here reading /. because I fucking can't remember the fucking root password to a server that I'm supposed to administer as a favor to a friend. I changed it two months ago, haven't needed to get on the fucking machine since and now, when I need to fix it, I can't remember what the fuck I changed it to. And no, I can't just stick a rescue boot disk in because I don't know what fucking city the server is in.

Note to self: Next time, write down the fucking password and put it in the fucking file cabinet.

Note to poster: Did you ask this fucking question just to fuck with my mind or was it pure coincidence?

Have you tried...

..."fucking"?

I recommend writing passwords down.

Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.

Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.