Writing Down Passwords?

Posted by Cliff
from the would-you-write-down-your-safe's-combination dept.
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
  • can anyone recommend a centralized password storage software solution that works well for them?
    • by cursion (257184) on Wednesday June 08, 2005 @05:44PM (#12762245) Homepage
      I've got this thing called a spiral bound notebook...
      • I've got this thing called a spiral bound notebook...

        Then just lock it in a safe. The problem with that is I wrote the combination on a sticky note somewhere and I can't find it. As a backup I copied it into a text file and uploaded it to a remote server with a non-obvious name but unfortunately I forgot what I called it. :-( Next time I'm just going to keep the combination taped to the front of the safe.

        • by rjelks (635588) on Wednesday June 08, 2005 @06:04PM (#12762493) Homepage
          It's a good idea to hide passwords that you've written on paper - but you don't need a safe. Just stick it to the bottom of the keyboard like I do. No one will ever find it there.
    • Re:recommendations? (Score:3, Interesting)

      by rd4tech (711615) *
      PGP disk.
      You can then store your passwords in any format you like, xls, txt..etc
    • can anyone recommend a centralized password storage software solution that works well for them?

      Bruce Schneier's Password Safe [schneier.com].

    • Re:recommendations? (Score:2, Informative)

      by m85476585 (884822)
      Password Safe [sourceforge.net]
    • A straight ASCII text file that you manually encrypt and decrypt. Create encryption programs or use standard ones so that your data is accessible no matter what computer/OS you are using.
    • by bano (410)
      Yes email them to me, along with your credit card numbers.
    • Radius [gnu.org]
    • I like to use a comma-separated file on my Linux box. No point in encrypting, because if you break in you've got the key anyway...

    • by ikewillis (586793) on Wednesday June 08, 2005 @05:57PM (#12762418) Homepage
      vim has integrated cryptographic functionality through VimCrypt. :help :X for more information.

      I have a rather large master password list for every server at work which I store this way. It's quite handy.

    • http://passwordsafe.sourceforge.net/ [sourceforge.net]

      Originally developed by Bruce Schneier so you know the crypto doesn't suck, this software is both free and very easy to use. I don't know what I'd do without it.
    • Re:recommendations? (Score:2, Interesting)

      by rider_prider (698555)
      KeePass http://keepass.sourceforge.net/ [sourceforge.net]
    • by skroz (7870)
      I like KeePass [sourceforge.net] for password storage. It's secure, well organized, AND I get to say "Keep Ass" a lot. I don't know why that's funny, it just is.
    • I don't bother. I've got 3 levels of password security.

      Low level has 3 different passwords I use.

      Intermediate level has 3.

      High has a unique password for each account, but I only have about 4 accounts that qualify as high,

      so at any given time I need to remember about 10 different passwords, which ain't that hard. High level passwords get changed every few months. Intermediate about once a year. Low I couldn't give a shit.

      It's worked for me so far.

    • Buy a cheap key fob that stores a couple megs of data. The USB type.
      Then put a password safe program on it. Make your passwords long and safe. Make it so you need the key fob to get into your accounts. You copy the first 32 chars (which were encrypted on the fob) from the fob and then add your short password to the end (or beginning, or middle) of the password and access your stuff.
    • I like to tattoo them upside down on my stomach. That way I don't forget them every ten minutes.
    • I use Strip (http://www.zetetic.net/solutions/strip/ [zetetic.net]) on my Palm PDA. Works well, and it's GPL'd.
    • A centralized password tool like Bruce's Password Safe [sourceforge.net] works great for those already on a trusted system, but what about accessing this data when all you have are untrusted systems available (i.e. a public terminal)? It'd be nice to see something which can do OPIE calculations and also store passwords, yet all fit on a phone or other handy/small/available/trusted(phone?) device.
    • Re:recommendations? (Score:5, Interesting)

      by nizo (81281) * on Wednesday June 08, 2005 @06:15PM (#12762593) Homepage Journal
      Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

      a-E9 b-?p c-&m
      d-6K e-aY f-eP
      g-!S h-gn i-D=
      j-Hd k-vw l-Cb
      m-W5 n-4$ o-R3
      p-x% q-7M r-NF
      s-+2 t-s* u-Ay
      v-fL w-zG x-Zu
      y-cX z-Qr

      I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank, for example) which gives me a password of: ?pE94$vw
      Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than to get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

      • could you paste the lines of perl here or provide a website?
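For readers asking for the generator: the block below is an added Python example, not nizo's Perl and not code from the original thread. It transcribes the posted card as a table, generates a fresh card from the OS random source, lays it out three entries per row for printing, and derives a password from a memorised word as the post describes (the posted card and the word "bank" reproduce ?pE94$vw). The fragment alphabet and the rough work-factor estimate are assumptions added here, not anything the post states.

```python
import math
import secrets
import string

# The table nizo posted above, transcribed as-is.
NIZO_CARD = {
    "a": "E9", "b": "?p", "c": "&m",
    "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=",
    "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3",
    "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay",
    "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Assumption: fragments are drawn from letters, digits and the punctuation
# that appears on the posted card (70 characters in total).
FRAGMENT_CHARS = string.ascii_letters + string.digits + "!$%&*+=?"


def generate_card(fragment_len: int = 2) -> dict:
    """One fresh random fragment per lowercase letter, from the OS CSPRNG."""
    return {
        letter: "".join(secrets.choice(FRAGMENT_CHARS) for _ in range(fragment_len))
        for letter in string.ascii_lowercase
    }


def render_card(card: dict, per_row: int = 3) -> str:
    """Lay the table out three entries per row, ready to print and laminate."""
    cells = [f"{letter}-{card[letter]}" for letter in sorted(card)]
    rows = [" ".join(cells[i:i + per_row]) for i in range(0, len(cells), per_row)]
    return "\n".join(rows)


def derive(card: dict, word: str) -> str:
    """Look each letter of the memorised word up on the card and concatenate."""
    word = word.lower()
    if not (word.isascii() and word.isalpha()):
        raise ValueError("the memorised word must be ASCII letters only")
    return "".join(card[letter] for letter in word)


def work_factor_bits(word_len: int, card_known: bool, fragment_len: int = 2) -> float:
    """Rough log2 of the guesses an attacker needs. Holding the card reduces
    the problem to guessing the word: 26**word_len at most, far fewer if it
    is a dictionary word. Without the card every output character is one of
    len(FRAGMENT_CHARS) possibilities."""
    if card_known:
        return word_len * math.log2(26)
    return word_len * fragment_len * math.log2(len(FRAGMENT_CHARS))


if __name__ == "__main__":
    print(render_card(NIZO_CARD))
    print(derive(NIZO_CARD, "bank"))  # ?pE94$vw
    print(render_card(generate_card()))
```

The work-factor function makes the trade-off visible: a lost wallet hands the attacker the card, and from then on the strength of every password is the strength of the memorised word, so a rare or deliberately misspelt word buys more than anything printed on the card does. Keep the backup copy somewhere other than the wallet.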
  • by jusdisgi (617863) on Wednesday June 08, 2005 @05:42PM (#12762221)
    No, no, just post them to Google Groups! That way you can always get back to them no matter where you are!
    • Heh, I do store low value passwords in gmail.
    • Re:Google groups (Score:5, Interesting)

      by Janitha (817744) on Wednesday June 08, 2005 @05:47PM (#12762298) Homepage
      I've actually done that... should I be shot? Not plain text of course, simply use a word shift encryption which can be easily deciphered by hand. I posted all my current passwords like that and it has come in handy quite a bit. (I also have posted the same list in Slashdot comments.)
    • No, no, just post them to Google Groups! That way you can always get back to them no matter where you are!

      Nah, just give your passwords to me. I'll email them back to you if you forget.

    • What genius! And here's an even better idea: post them in public and then go to an online forum that gets, like, a bazillion hits a day and TELL EVERYONE you did it! That way when the MIB show up to ask you about those questionable images they heard about, or your activities online the other night when MSN went dark, they won't have to bother with breaking out the demerol and the rubber hose to "coax" those PGP passphrases out of you...
    • Re:Google groups (Score:3, Interesting)

      by zippthorne (748122)
      actually that's not a half bad idea:

      Make a random post to some newsgroup (well make it relevant) use a hash of that post (ascii-ized of course) as your password. If you make your post in a group related to your password, you'll be able to find the passwords you're looking for easily.

      Or you could pick someone else who posts fairly infrequently and use their posts as your password-hash basis.
  • by winkydink (650484) * <sv.dude@gmail.com> on Wednesday June 08, 2005 @05:42PM (#12762222) Homepage Journal
    Aren't all the reasons that this is a good/bad idea the same as they were then?
  • Has anyone used this product at all? http://keepass.sourceforge.net/ [sourceforge.net] If so would you care to comment on using it?
    • My experience with it is that it is ok. I'm not a raving proponent, but it works as advertised.
    • I use it and it works well. I started when I got an online banking account that wouldn't let me use my standard username. I had to have mixed case and numbers in both my username and password. I got KeePass and now store everything in there.

      It runs in my system tray and I can click, enter my master password and have access to all my passwords. It has also let me use long random passwords for my very important sites since I don't need to remember them any more.

      Also you can use a USB key as part of the key
    • Keep ass? (Score:3, Insightful)

      by Intron (870560)
      Kiss your ass goodbye if you lose that password!
    • Has anyone used this product at all? http://keepass.sourceforge.net/ [sourceforge.net] [sourceforge.net] If so would you care to comment on using it?

      I for one have been keeping my ass for quite many years now, and it has worked fine for me. YMMV
  • sound reasoning? (Score:2, Insightful)

    by rd4tech (711615) *
    which ran a few weeks back, and which has some pretty sound reasoning behind it.

    I do believe that there is also "some pretty sound reasoning" when the users decide to share their whole drive together with the passwords on P2P. I mean, by doing that, one can sleep peacefully knowing that his password is redundantly stored, for the next n years.

    Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of communication.
    • There is a need to protect your email password because even email has a legal standing as a form of communication.

      Which is odd, since you don't need a password to send an e-mail.

  • Common sense! (Score:2, Insightful)

    by timthorn (690924)
    In your own home, who else is going to find a piece of paper with your password on? For a router that you configure and forget, writing down the password sounds reasonably sensible to me.
  • Personally... (Score:2, Interesting)

    I don't write them down because I generate passwords with a little app that I wrote that scrambles together 2 or 3 passwords I can remember and generates an upper/lower/number/letter/symbol password for my usage... but I don't see a problem with writing down a password. I would probably keep it in my wallet or whatever and not just have it lying around. Maybe even do something clever like make all the consonants upper case and the vowels lower case but write it down in reverse, or add two to the numbers a
  • it's in my wallet (Score:2, Interesting)

    by udderly (890305)
    I figure that it would be a lot safer to have a secure password in my wallet than an insecure one committed to memory.

    However, I imagine that there are merits to both sides of the argument.
  • Yep (Score:2, Insightful)

    by spydir31 (312329) *
    I write my passwords down, most of them anyway, on my Palm, using Keyring [sourceforge.net].
    Everything's protected by a master password and triple DES, so it's fairly secure.
  • by Draknor (745036) on Wednesday June 08, 2005 @05:45PM (#12762264) Homepage
    I found out about KeePass (http://keepass.sourceforge.net/ [sourceforge.net]) on that previous story, so I've started using it. It's a very handy utility to have! It can keep track of all my passwords for various email accounts, websites, etc. It's a simple program that (based on my experience so far), just works!

    If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.

    I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!
  • write down my password? ha! I have mine tattoo'd. In fact, all I need is a speculum and a magnifying mirror to retrieve it. it was the best i could come up with, other than Zaphod Beeblebrox brain-brand style. but that is just BIZARRE, you know?
  • ....because to get all your passwords, the l33t after-school hackers would have to *gasp* leave the basement, and presumably do some breaking and entering to get your list...
  • For archival use, it is OK to use the same password on a consistent basis, as the files are likely not to be as vulnerable to direct physical access. However, any thief who broke in and stole archive tapes would almost certainly steal the notebook beside it marked "archive passwords".


    There are those who do leave their front door key under the mat, but even they don't hang a bloody great sign on the door to remind them where it is.

  • by otisg (92803) on Wednesday June 08, 2005 @05:48PM (#12762310) Homepage Journal
    Hide them where cr@ck3rz will least expect them - your blog!
  • Dumbness (Score:2, Insightful)

    Writing the passwords down is good for remembering, and that itself is not what makes it a security issue. It is writing it down and leaving it for someone else to find that is bad.

    A year back at my old school, a teacher left her password for school network access taped to her monitor. A student found it and used it to take down the entire network. Took down everything from the entire school's grades, email, library system and of course internet access.
  • by Scud (1607) on Wednesday June 08, 2005 @05:48PM (#12762321)
    Either that, or call the help desk like I do.

    They always seem to know what it is.

    We're on a first name basis.

  • Where are you writing it? On a whiteboard in your cube, or on a card in your wallet?

    Is the username with the password?

    Did you munge the password you wrote down by some scheme known only to you? (example: first character of password is off by one position [ a becomes b], last character is off by the number of characters in the pw)

    Is your choice between a simple pw like "kitten" which you remember, or "z0rtvoid-numrut" which you write down..

    I do write down pw's, after having forgotten a root pw twice and h

  • Context! (Score:4, Insightful)

    by coyote-san (38515) on Wednesday June 08, 2005 @05:50PM (#12762336)
    Should you drive on the left hand side of the road, or the right hand side?

    Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.

    Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.

    But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidentally slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.
  • Sounds like something I would see on www.thedailtywtf.com .... not on Slashdot.
  • Could be (Score:5, Insightful)

    by Have Blue (616) on Wednesday June 08, 2005 @05:50PM (#12762346) Homepage
    Well, how good is your physical security? If the system will be accessed from an environment where there are likely to be unauthorized people wandering around all the time (large office, public area, etc), then don't write it down. If the system will be accessed from a place that only people you trust have access to (home), then it's not a danger - and if your home is ever compromised, having your router password in plain sight is the least of your worries.
    • If your home gets compromised, it really doesn't matter all that much whether you have your password written down. Keep in mind that most wireless routers have a reset button which knocks it back to the factory defaults (including password).
  • .. in one now very huge text file. The text file is encrypted with a long master password which I hope I will never forget, because if I do, I am screwed. I use Another Password Generator http://www.adel.nursat.kz/apg/ [nursat.kz] to make random passwords for every new service I encounter, so no two services have the same password.. and they all look like tajEbAmAb or something. The way I do it limits me to using a lot of services from home, but it does give me good security and allows me to only remember that one pas
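Picking a fresh random password per service, as the comment above does with apg, is easy to reproduce with the standard library. The block below is an added example, not apg and not the commenter's setup: it generates fully random passwords and apg-style pronounceable ones (the "tajEbAmAb" shape) from the OS random source, and estimates their entropy so the trade-off against a memorised dictionary word like "kitten" can be seen in numbers. The 94-character alphabet, the consonant/vowel pools and the 20,000-word dictionary size are assumptions made for the estimate.

```python
import math
import secrets
import string

# Pools are assumptions for the estimate: 21 consonants, 5 vowels, and the
# 94 printable ASCII characters for fully random passwords.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
VOWELS = "aeiou"
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 16, alphabet: str = FULL_ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG (secrets), one draw per position."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def pronounceable_password(length: int = 9, random_case: bool = True) -> str:
    """Alternate consonant and vowel so the result can be sounded out; each
    letter is independently upper- or lower-cased when random_case is set."""
    chars = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        ch = secrets.choice(pool)
        if random_case and secrets.randbits(1):
            ch = ch.upper()
        chars.append(ch)
    return "".join(chars)


def entropy_bits_random(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely strings: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def entropy_bits_pronounceable(length: int, random_case: bool = True) -> float:
    """Same count for the alternating scheme: consonant slots, vowel slots,
    plus one bit per letter for the coin-flip case."""
    consonant_slots = (length + 1) // 2
    vowel_slots = length // 2
    bits = (consonant_slots * math.log2(len(CONSONANTS))
            + vowel_slots * math.log2(len(VOWELS)))
    if random_case:
        bits += length
    return bits


def entropy_bits_dictionary(word_count: int = 20_000) -> float:
    """A single common word is one pick from a word list, however many
    letters it has; its entropy is log2 of the list size, not of 26**len."""
    return math.log2(word_count)


if __name__ == "__main__":
    print(random_password(15), f"{entropy_bits_random(15, len(FULL_ALPHABET)):.1f} bits")
    print(pronounceable_password(9), f"{entropy_bits_pronounceable(9):.1f} bits")
    print("kitten", f"{entropy_bits_dictionary():.1f} bits")
```

The numbers are the point of the exercise: a nine-letter pronounceable password comes out around 40 bits, a fifteen-character random one near 98 bits, and a common English word barely 14 bits however it is spelled. None of the strong ones can be remembered for fifty services, which is exactly why they end up in an encrypted file or on paper.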
  • I think it depends on the environment. Is your router in a secure enough location that writing down the password and taping it to the bottom is going to keep it secure? If so, then by all means do it. This also allows you to select better passwords that you don't have to remember. Personally I think selecting a good password and taping it to the bottom of the router is far more secure than selecting your house number, or dog's name, and not writing it down.

    Netgear routers are inexpensive, and low on featur
  • by otisg (92803) on Wednesday June 08, 2005 @05:54PM (#12762386) Homepage Journal
    See Jon Udell's
    Simple single sign-on [infoworld.com] article from May 2005:

    It points out a few simple solutions that will solve many people's problems.
  • I have them on a tabular sheet, slightly encoded in a unique method that I invented for myself. I store this sheet in the safe deposit box at the bank. I am very careful when transporting this information around, but other than that, if the crooks manage to get into the safe deposit box, I've got much bigger problems than some passwords to pr0n sites and such.
  • Writing them down is low risk assuming you're not using the password to keep someone on-site from accessing your data. In general, for something like a wireless access point, who cares if it is written down on a scrap of paper someplace? Most of those passwords are there to prevent external people from getting on your network or changing the config. Generally those people are trying to get in remotely. They'd have to break into your house to read that scrap of paper just so they can log into your AP. T
  • We are so far into the digital age by now that writing something on paper with a pencil makes it much more secure than any computer file, because to read it you have to get physical access to it. And for preventing this, or detecting that it took place, there are a number of excellent methods evolved over centuries.

    If you write your passwords skillfully (for example, coded in even a simple way, scribbled amongst some other notes in your telephone directory or small paper notebook) chances anyone would get to them w

  • I have, burned into my brain, a handful of passwords. A few are low-security passwords I use for throw-away or low-security internet services (one-time gmail accounts, Netflix, Slashdot, K5, etc.), while the others are used for sites needing moderate security (my 2 online bank accounts, etc.).

    Then I have a few *really* strong passwords that I use to encrypt text files holding passwords that either belong to myself or other entities (customers, etc.) using GPG's symmetric method. I retain copies of these f

  • Like anything else (Score:5, Insightful)

    by wowbagger (69688) on Wednesday June 08, 2005 @05:57PM (#12762432) Homepage Journal
    The security of writing down passwords depends upon the security of the paper they are written upon.

    If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.

    However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.

  • Get a keyring (Score:5, Informative)

    by 26199 (577806) on Wednesday June 08, 2005 @05:59PM (#12762444) Homepage

    A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.

  • Can someone recommend a good new root password for my box? LOL
  • so it may be good to write down your passwords, as long as they are secured either on your person at all times, or locked in a vault someplace...

    either way this is no real sub for good old-fashioned remembering things... just change your passwords on a timely schedule.

    i have 20+ sites/programs that i change my passwords for, ranging from ssh tunneling, to remote email servers, to FTP servers...

    i have 5 master phrases, one for each type of password protected app/protocol, that i use to create strong alpha nu
  • I have a few passwords that I use everywhere with variations. I write down the variations. For instance, schoolpass! means my school password followed by an exclamation point. workpassnosym means work pass with symbols removed (for when non-alnum chars are disallowed), etc. It's always fairly obvious looking at it what i mean. I have a few to work from that I've been using for a long time (and are sufficiently unguessable) and just go from there.
  • A really neat method I've used in the past:

    record the last five characters of each password on a card. Even indicate which box is which.

    Then, memorize the first three characters, and use them in all locations.

    Works great. :)
  • PASSWORD SAFE!!! (Score:3, Insightful)

    by Mr. Flibble (12943) on Wednesday June 08, 2005 @06:06PM (#12762509) Homepage
    Bruce Schneier's (now Open Source) App:

    Password Safe [schneier.com]

    Is exactly what you need to "write down" passwords with. You only need remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.

    I have over 50 username/password combos stored in mine with a strong password to open the database itself.

    If you need to write down a password, this is the way to do it.
  • You will even find this referenced in "Secrets and Lies." Writing down a password and keeping it under your sole control is not really any different than using some other token to access a system.

    This act turns the password into "something you have" instead of "something you know." Since passwords are not strong authentication by themselves this does not undermine security any more than relying on password security itself does.

    Writing the password down and leaving it in a public area or in your desk, howe
  • http://kiskis.sourceforge.net/ [sourceforge.net]

    It's java - and it really runs on Win 98, Mandrake, CentOS, WinXP and Mac OS.

    It's easy to use, the passwords are encrypted, and because I can run it on all of the OSes that I use, I can carry the app on my USB drive with an encrypted copy of my password DB and I can always use it.

    It's open source, and I've found the developer to be receptive to helping.

    YMMV, but I'm pleased.

    Respectfully,
    Anomaly

  • When I write down a password, I do two things:

    1) Obfuscate them by adding an extra character to the beginning and end of the password. Make up your own variation on this. Prefix the password with a number, say, 4, and add an extra character to the password inserted 4 characters from the start of the password

    2) Captain Obvious, don't write "PASSWORD" on your post it note.

    Chris

  • Not writing down your passwords isn't always good advice. Though it pains me to say it, Microsoft is right on this one.

    People often pick awful passwords or pick the same password for unrelated uses, like they use their SuperSekrit company password that accesses all our financial data as their webmail password because two good passwords are hard to remember. I'd much rather people write two good passwords down than use a bad one, or use an important one in an insecure way. Just protect whatever you write
  • In the educational industry, my clients have to worry about audits in order to stay accredited. These audits are now switching to a 3-month period on passwords. Against common security protocols, I'm telling my users to write the passwords down, even going so far as to say to keep their passwords in a notepad locked in their desk or cabinet, to avoid increasing the average "I don't remember my password" calls to their help desk staff from 5 per day to maybe 1 per day.

    Granted, any security expert can tell y
  • Just because you write it down doesn't mean that it has to be left out in the open. Write it down and lock the piece of paper in a desk drawer or, if you are really paranoid or it's a password for a high security system, in a small safe.
  • 1. Choose your password and memorize it. (Yeah right!)

    2. Implement it.

    3. Put your password into a ROT-13 proggy and --write down-- the output of THAT.

    If anyone finds the ROT-13'd password you've written down they won't get anywhere at all with it. Only you will know..

  • for a few weeks I was using:

    "antidisestablishmentarianism(underscore)(my zip code)"

    Ok. for a few days.
  • On just how secure I want to be. If I'm on a system where some security nimrod has decided that I must use a bizarre password that follows his rules and then change it every few weeks, I write it down and post it on the monitor.

    On the other hand if it is something important I have Mnemonics that I use. I try to not have a lot of memorized passwords, and I will only memorize a password for a system where it will never change.

    Considering the large number of passwords we have to use in today's world, I use
  • 1. pick a number (one to three digits probably)

    2. add 5

    3. multiply by 3

    4. square this number

    5. add the digits over and over until you get only one digit (i.e. 64=6+4=10=1+0=1)

    6. if the number is less than 5 then add five otherwise subtract 4

    7. multiply by 2

    8. subtract 6

    9. use this number to select a letter of the alphabet 1=A, 2=B, 3=C, etc.

    10. pick the name of a country that begins with that letter

    11. take the second letter in the country name and think of an animal that begins with that letter

    but wait...

    there are no elephants in Denmark!
  • by mr_burns (13129) on Wednesday June 08, 2005 @06:42PM (#12762860)
    I tell my users that if they do write down their password/creds that they should treat it in the same way they do their driver's license or passport. After all, those are credentials too, and it provides a good analogy so people can better understand what their responsibilities are regarding them.

    That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.

    Call that a bit draconian if you will, but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about whether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.

    Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.
  • by Skjellifetti (561341) on Wednesday June 08, 2005 @11:14PM (#12764961) Journal
    I'm sitting here reading /. because I fucking can't remember the fucking root password to a server that I'm supposed to administer as a favor to a friend. I changed it two months ago, haven't needed to get on the fucking machine since and now, when I need to fix it, I can't remember what the fuck I changed it to. And no, I can't just stick a rescue boot disk in because I don't know what fucking city the server is in.

    Note to self: Next time, write down the fucking password and put it in the fucking file cabinet.

    Note to poster: Did you ask this fucking question just to fuck with my mind or was it pure coincidence?
  • by Njall (132366) on Wednesday June 08, 2005 @11:59PM (#12765245)
    Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.

    Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
