Writing Down Passwords?
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
Re:keepass.sourceforge.net (Score:3, Informative)
It runs in my system tray and I can click, enter my master password and have access to all my passwords. It has also let me use long random passwords for my very important sites since I don't need to remember them any more.
Also, you can use a USB key as part of the key to unlock the database, so you have "something you know + something you have" security.
Re:recommendations? (Score:2, Informative)
Also in Crypto-Gram (2001) (Score:2, Informative)
vim has integrated encryption (Score:4, Informative)
I have a rather large master password list for every server at work which I store this way. It's quite handy.
Get a keyring (Score:5, Informative)
A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.
So? (Score:2, Informative)
So? Seems to me you may be addressing a point that the author is not raising. He's not asking if having a password is better than not having one; he's asking about the advantages and disadvantages of writing down a password.
Suppose you value the loss of a piece of data at, say, over $50,000. Consider how you would feel about carrying the passwords to that data in your wallet.
Sound like a bad idea?
OK, does carrying around the keys to a new Mercedes sound like a bad idea?
So, if we've established it's not necessarily ridiculous to write your passwords down provided that you take the same care of them you do your car keys, the question remains whether there are advantages and disadvantages. The disadvantage is that your wallet may be stolen. The advantage is that you can use a key that is cryptographically hard to break, as opposed to ginning up something you can remember.
Threat assessment is key, I think.
The password to your work account may be a good candidate for the wallet treatment. A pickpocket has to know where you work, and what your user id is, to make use of your password.
The PIN to your ATM is a bad idea, because the pickpocket gets a complete set of what he needs to get access to your account: the card and the PIN.
Re:recommendations? (Score:2, Informative)
Besides, if all they need to do is encrypt a single file containing the passwords, they don't need PGP disk; PGP or GPG will work fine to encrypt the single file, with the plus side being that in ten years you don't need to find a copy of Windows XP and a copy of PGP disk to install just to retrieve 143 bytes' worth of text.
Re:recommendations? (Score:4, Informative)
Re:recommendations? (Score:2, Informative)
Also, a "dictionary attack" doesn't have to mean someone scripting logons based on a dictionary. In fact, such a thing would usually not work. Assuming you could try 100 passwords/sec (pretty unlikely) it would take many, many years to exhaust an 8 char password with a 26 char keyspace. Success of a dictionary attack typically requires you have the hash and can generate & compare as many passwords/sec as you have compute power.
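The arithmetic in the comment above, carried through as an added example that is not part of the original thread: it compares scripted logons at the comment's 100 guesses/sec with guessing against a captured hash, for the 8-character, 26-symbol password and for a 16-character random password of the kind you would write down or store. The offline rate and all function names are assumptions chosen for illustration.

```python
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

ONLINE_RATE = 100             # guesses/sec against a live login, the figure from the comment
OFFLINE_RATE = 1_000_000_000  # assumption: illustrative guesses/sec against a stolen fast hash


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password; an upper bound for human-chosen ones."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at a fixed guessing rate."""
    return space / guesses_per_sec


def random_password(length: int = 16,
                    alphabet: str = string.ascii_letters + string.digits) -> str:
    """A password meant to be stored or written down, not memorized."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report():
    cases = [("8 lowercase letters", 26, 8), ("16 random letters and digits", 62, 16)]
    rows = []
    for label, alphabet_size, length in cases:
        space = keyspace(alphabet_size, length)
        rows.append({
            "label": label,
            "bits": round(entropy_bits(alphabet_size, length), 1),
            "online_years": seconds_to_exhaust(space, ONLINE_RATE) / SECONDS_PER_YEAR,
            "offline_seconds": seconds_to_exhaust(space, OFFLINE_RATE),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    print("example written-down password:", random_password())
```

At the assumed offline rate the 8-letter keyspace is exhausted in minutes, while the 16-character random password remains out of reach in both settings.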