Security

Writing Down Passwords? 428

Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
  • Personally... (Score:2, Interesting)

    by technomancer68 ( 865695 ) on Wednesday June 08, 2005 @05:45PM (#12762255)
    I don't write them down because I generate passwords with a little app that I wrote that scrambles together 2 or 3 passwords I can remember and generates an upper/lower/number/letter/symbol password for my usage... but I don't see a problem with writing down a password. I would probably keep it in my wallet or whatever and not just have it laying around. Maybe even do something clever like make all the consonants upper case and the vowels lower case but write it down in reverse, or add two to the numbers and keep all numbers 0-7 .. you could get clever with it and still keep it simple to decode.
  • Re:recommendations? (Score:3, Interesting)

    by rd4tech ( 711615 ) * on Wednesday June 08, 2005 @05:45PM (#12762259)
    PGP disk.
    You can then store your passwords in any format you like, xls, txt..etc
  • it's in my wallet (Score:2, Interesting)

    by udderly ( 890305 ) on Wednesday June 08, 2005 @05:45PM (#12762260)
    I figure that it would be a lot safer to have a secure password in my wallet than an insecure one committed to memory.

    However, I imagine that there's merits to both sides of the argument.
  • Re:Google groups (Score:5, Interesting)

    by Janitha ( 817744 ) on Wednesday June 08, 2005 @05:47PM (#12762298) Homepage
    I've actually done that... should I be shot? Not plain text of course, simply use a word shift encryption which can be easily deciphered by hand. I posted all my current passwords like that and it has come in handy quite a bit. (I also have posted same list on slashdot comments)
  • What I do.... (Score:1, Interesting)

    by Anonymous Coward on Wednesday June 08, 2005 @05:51PM (#12762350)
    I use the "key+computer" convention.

    Every so often, I make up a new "key." This may be the name of a friend, my favorite TV show, or whatever.

    For each new or changed password, the password is key+nameofcomputer or key+nameofservice.

    I also change o's to 0's and i's to 1's.

    For example, next year my /. password may be
    StarTr3kSlashd0t
    and the year after that
    Battl3starGalact1caSlashd0t.

    This way, I only have to remember the current and previous "master passwords."

    For really important passwords, like those an employer or spouse may need, I write them down and put them behind lock and key, and make sure the people who will need access will have access when they need it.

    Yeah I'm an anonymous coward for this, for obvious reasons.
  • by otisg ( 92803 ) on Wednesday June 08, 2005 @05:54PM (#12762386) Homepage Journal
    See Jon Udell's
    Simple single sign-on [infoworld.com] article from May 2005:

    It points out a few simple solutions that will solve many people's problems.
  • Re:recommendations? (Score:2, Interesting)

    by rider_prider ( 698555 ) on Wednesday June 08, 2005 @05:57PM (#12762431)
    KeePass http://keepass.sourceforge.net/ [sourceforge.net]
  • by teksno ( 838560 ) on Wednesday June 08, 2005 @06:02PM (#12762468)
    so it may be good to write down your passwords, as long as they are secured either on your person at all time, or locked in a vault someplace...

    either way this is no real sub for good old fashioned remembering things... just change your passwords on a timely schedule.

    i have 20+ sites/programs that i change my passwords for ranging from ssh tunneling, to remote email servers to FTP servers...

    i have 5 master phrases, one for each type of password protected app/protocol, that i use to create strong alphanumeric symbolic passwords from. essentially its my own leet speak. i write down a single hint on a sticky in my wallet that will remind me of the type of replacement i used. as i use the same type of replacement for all phrases, though it changes regularly...

    there is no real good reason to write down passwords to any thing you want to keep secure. write down a hint that only you will understand, and make sure that you will remember what it means.

    just to show you kinda what i do I'll use one of my old phrases:

    midgetslutsdontlikeanalsex

    how are you not gonna remember that....now just replace two characters with numbers (preferably not 0 for o or anything like that..more like 3 for 0)

    and then replace two more letters with special characters.

    a possible password using this type of "encryption" could look like:

    1i@get0l9y0@o)tlikea)alsex

    that will probably take a long time to break...
  • Re:recommendations? (Score:5, Interesting)

    by nizo ( 81281 ) * on Wednesday June 08, 2005 @06:15PM (#12762593) Homepage Journal
    Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:


    a-E9 b-?p c-&m
    d-6K e-aY f-eP
    g-!S h-gn i-D=
    j-Hd k-vw l-Cb
    m-W5 n-4$ o-R3
    p-x% q-7M r-NF
    s-+2 t-s* u-Ay
    v-fL w-zG x-Zu
    y-cX z-Qr


    I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
    Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

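The card scheme in the comment above, worked through in Python as an added example (this is not nizo's perl program, which is not on the page). The `NIZO_CARD` table is copied from the comment so the "bank" case can be checked; the symbol set a fresh card draws from, and the `bits_*` helpers, are this example's own assumptions. The point a practitioner would want to see is that the card only adds strength while it stays secret: once it has been seen, the password is just the memorised word in another alphabet.

```python
import math
import secrets
import string

# Constructed copy of the card printed in the comment above, used here so the
# worked example can be checked by hand; a real card comes from generate_card().
NIZO_CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Characters a generated card may draw from (an assumption; the comment does
# not say which symbols the original program used).
CARD_ALPHABET = string.ascii_letters + string.digits + "!?&=+*$%@#"


def generate_card(width=2):
    """Fresh random card: every lowercase letter gets `width` random characters.
    Codes are kept distinct so the card can also be read backwards."""
    while True:
        card = {c: "".join(secrets.choice(CARD_ALPHABET) for _ in range(width))
                for c in string.ascii_lowercase}
        if len(set(card.values())) == len(card):
            return card


def encode(word, card):
    """The scheme itself: look each letter of the memorised word up on the card."""
    return "".join(card[c] for c in word.lower())


def decode(password, card):
    """Anyone holding the card can invert it: the mapping is a fixed-width
    substitution, so the password is the word written in a different alphabet."""
    width = len(next(iter(card.values())))
    inverse = {code: letter for letter, code in card.items()}
    chunks = [password[i:i + width] for i in range(0, len(password), width)]
    return "".join(inverse[chunk] for chunk in chunks)


def bits_without_card(password):
    """What the password looks like to someone without the card: a random
    string over CARD_ALPHABET of that length."""
    return len(password) * math.log2(len(CARD_ALPHABET))


def bits_with_card(dictionary_size):
    """What it is worth once the card has been seen: one of the words the
    owner might plausibly have picked."""
    return math.log2(dictionary_size)
```

With the card above, `encode("bank", NIZO_CARD)` gives `?pE94$vw`, the value in the comment; `decode` turns it straight back into `bank`. Eight characters over a 72-symbol alphabet look like roughly 49 bits to an outsider, but a 100,000-word dictionary is under 17 bits, so losing the wallet reduces every password to the strength of the word behind it.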
  • Re:recommendations? (Score:2, Interesting)

    by FlunkedFlank ( 737955 ) on Wednesday June 08, 2005 @06:27PM (#12762688)
    Great idea. I'm not sure I'd ever go through the trouble, but great idea nonetheless.

    I keep a few of my all-number passwords (that I can never remember) on my cellphone as bogus phone numbers in the phonebook.

  • Re:Get a keyring (Score:2, Interesting)

    by Anonymous Coward on Wednesday June 08, 2005 @06:39PM (#12762828)
    Maybe what we need is a USB dongle that acts like a keyboard and would type in password when a switch on it is pressed.

    This sounds like the job for a $2.50 microcontroller.

    Actually one of the TI TUSB3410 chip sample software comes to mind.
  • by programic ( 139404 ) on Wednesday June 08, 2005 @06:52PM (#12762975)
    I keep all of mine in my palm pilot [officedepot.com], which is always conveniently situated in my back pocket.

    When I find I need a new one, I just transfer them over. Manually. I am old-school.
  • Re:Google groups (Score:3, Interesting)

    by zippthorne ( 748122 ) on Wednesday June 08, 2005 @08:03PM (#12763679) Journal
    actually that's not a half bad idea:

    Make a random post to some newsgroup (well make it relevant) use a hash of that post (ascii-ized of course) as your password. If you make your post in a group related to your password, you'll be able to find the passwords you're looking for easily.

    Or you could pick someone else who posts fairly infrequently and use their posts as your password-hash basis.
  • by billstewart ( 78916 ) on Wednesday June 08, 2005 @08:14PM (#12763772) Journal
    This article was quite timely for me - I decided to change the DHCP range on my Linksys wired router this week (to make up for the cretinous brokenness of DHCP on my Netgear wireless router), and none of my half-dozen usual passwords or the examples in the Linksys documentation worked. So I had to break into the Linksys by pressing the reset button. And yes, I've set the password to something other than the default, and I was planning to put the new one on a yellow sticky, except I'm out of yellow stickies for the moment so I had to settle for scotch tape.

    Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.

  • Re:recommendations? (Score:4, Interesting)

    by Martin Blank ( 154261 ) on Wednesday June 08, 2005 @08:16PM (#12763790) Homepage Journal
    Just as long as they're being appropriately hidden. One of the few times that I ever snapped at a user without being provoked was when I saw, in the HR department, the name of the bank, dial-up number, account number, and password for the payroll account on a Post-It on the user's bulletin board, with the following words in big letters:

    PAYROLL ACCOUNT MASTER LOGIN

    I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back every day for a week, and periodically for a few months afterward, at times when the user was not there to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.
  • Re:recommendations? (Score:2, Interesting)

    by milimetric ( 840694 ) on Wednesday June 08, 2005 @09:05PM (#12764122) Journal
    that's a really cool idea, however, once someone realizes that each letter has a two character code, they could just do a dictionary attack on you and it would be fairly simple to "guess" the word you're using because the dictionary would guess it for you.

    I use a similar approach but mine is kinda foolproof. I think of a word that I would know that's not in the dictionary... like blumpy. Then I pick a symbol like & or *. Then I take this and make, for example, my bank password: blumpy&bank, and let's say my slashdot password: blumpy&slashdot. So it's easy to remember, just remember blumpy& and change it every so often if you want.
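The "master secret plus site name" idea appears twice in this thread (the key+nameofcomputer scheme above and blumpy&bank here). As an added example, not code from either poster, the block below puts the naive form next to a keyed variant: HMAC-SHA256 with the master as key and the site name as message. The weakness it addresses is that any one site storing the naive password in the clear (as a later comment describes) learns the master and with it every other password; the HMAC output reveals nothing about the master. The `version` counter, the 16-character length and the fixed `1!` suffix are this example's own choices.

```python
import base64
import hashlib
import hmac


def naive_password(master, site):
    """The scheme from the comment above: a memorable non-dictionary word plus a
    symbol, followed by the site name.  (Constructed values throughout.)"""
    return f"{master}&{site}"


def derived_password(master, site, version=1, length=16):
    """Keyed alternative: HMAC-SHA256 keyed with the master, over the site name
    and a version counter.  The tag is base64 text cut to `length`; bump
    `version` to rotate one site's password without touching the master."""
    msg = f"{site.lower()}:{version}".encode()
    tag = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    body = base64.b64encode(tag).decode().rstrip("=")[: length - 2]
    # Fixed suffix so the result satisfies "one digit, one symbol" site rules.
    return body + "1!"


def leaks_master(password, master):
    """Would a site that stores this password in the clear learn the master?"""
    return master in password
```

`naive_password("blumpy", "bank")` is `blumpy&bank` and visibly contains the master; `derived_password("blumpy", "bank")` is a different 16-character string for every site and version, and a site that keeps it in the clear learns nothing usable elsewhere. The master still has to be strong, because anyone who obtains one derived password and guesses the scheme can test master candidates offline against it.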
  • by Njall ( 132366 ) on Wednesday June 08, 2005 @11:59PM (#12765245)
    Several years ago I came to realize that one can either work with human nature and win; or work against it and lose. In the arena of passwords anyone who recommends NOT WRITING passwords down is declaring themselves against human nature. I tell users, "By all means write your password(s) down. However, treat that piece of paper like it were a $1000 bill. You wouldn't put a $1000 bill in your desk or under your keyboard. Don't do it with a password." It isn't the written password that is the problem. It's the casual treatment of something valuable.

    Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
  • Re:recommendations? (Score:3, Interesting)

    by devonbowen ( 231626 ) on Thursday June 09, 2005 @07:05AM (#12766826) Homepage
    That is assuming /. stores passwords in clear text of course.

    Well, it's assuming that any one web site they visit stores a non-hashed version of the password.

    I once had a well respected commercial web site mail me my password. Not only was the fact that they sent it in email bad, but it was also obviously stored on their machines unhashed. And it was a password that could be used to access my credit card info that they had on record.

    Of course I told them their computer security staff should be fired immediately. Never heard back. They were probably the ones that read the email.

    Devon
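The comment above turns on one observation: a site that can mail you your password must have stored it as-is. As an added example (not code from the site in question or from the poster), the block shows what a site should keep instead, a salted, iterated PBKDF2-HMAC-SHA256 hash that cannot be turned back into the password, plus the thing it should e-mail in a "forgot password" flow: a one-time reset token of which only the hash is stored. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are this example's own conventions.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2-HMAC-SHA256; an assumption for this example, tune it to
# your hardware.  It is stored in the record so it can be raised later.
ITERATIONS = 600_000


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Store a salted, iterated hash, never the password.  The record layout
    (scheme$iterations$salt$hash) is this example's own convention."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password, record):
    """Recompute with the stored salt and cost, compare in constant time."""
    scheme, iterations, salt_b64, dk_b64 = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(dk, expected)


def can_mail_back(record, password):
    """A site that can put your password in an e-mail must have kept it; a
    hashed record does not contain the password at all."""
    return password in record


def issue_reset_token():
    """What a site should send instead: a one-time random token.  Only its hash
    is stored, so neither the mail nor the database leaking hands out a login."""
    token = secrets.token_urlsafe(32)
    stored = hashlib.sha256(token.encode()).hexdigest()
    return token, stored


def redeem_reset_token(token, stored):
    """Check a presented token against the stored hash, again in constant time."""
    return hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), stored)
```

Two records for the same password differ because each gets a fresh salt, so a leaked table cannot be attacked with one precomputed list; the iteration count is what makes each guess expensive. A reset token should additionally be given a short expiry and invalidated once used, which a real implementation would track alongside the stored hash.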
