Writing Down Passwords? 428
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
Personally... (Score:2, Interesting)
Re:recommendations? (Score:3, Interesting)
You can then store your passwords in any format you like, xls, txt..etc
it's in my wallet (Score:2, Interesting)
However, I imagine that there's merits to both sides of the argument.
Re:Google groups (Score:5, Interesting)
What I do.... (Score:1, Interesting)
Every so often, I make up a new "key." This may be the name of a friend, my favorite TV show, or whatever.
For each new or changed password, the password is key+nameofcomputer or key+nameofservice.
I also change o's to 0's and i's to 1's.
For example, next year my
StarTr3kSlashd0t
and the year after that
Battl3starGalact1caSlashd0t.
This way, I only have to remember the current and previous "master passwords."
For really important passwords, like those an employer or spouse may need, I write them down and put them behind lock and key, and make sure the people who will need access will have access when they need it.
Yeah I'm an anonymous coward for this, for obvious reasons.
Jon Udell: Simple single sign-on (Score:5, Interesting)
Simple single sign-on [infoworld.com] article from May 2005:
It points out a few simple solutions that will solve many people's problems.
Re:recommendations? (Score:2, Interesting)
this is a physical security nightmare... (Score:2, Interesting)
either way this is no real sub for godd old fashioned remembering things... just change your passwords on a timely schedule.
i have 20+ sites/programs that i change my passwords for ranging form ssh tunneling, to remote email servers to FTP servers...
i have 5 master phrases, one for each type of password protedted app/protocal, that i use to create strong alpha numeric symbolic passwords from. esentially its my own leet speek. i write down a single hint on a sticky in my wallet that will remind me of the type of replacement i used. as i use the same type of replace ment for all phrases, though it changes regularly...
there is no real good reason to write down passwords to any thing you want to keep secure. write down a hint that only you will understand, and make sure that you will remeber what it means.
just to show you kinda what i do ill use one of my old phrases:
midgetslutsdontlikeanalsex
how are you not gonna remember that....now just replace two character with numbers (preferbly not 0 for o or anything like that..more like 3 for 0)
and then replace two more letters with special characters.
a possible password using this type of "encryption" could look like:
1i@get0l9y0@o)tlikea)alsex
that will probably take a long time to break...
Re:recommendations? (Score:5, Interesting)
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password
Re:recommendations? (Score:2, Interesting)
I keep a few of my all-number passwords (that I can never remember) on my cellphone as bogus phone numbers in the phonebook.
Re:Get a keyring (Score:2, Interesting)
This sounds like the job for a $2.50 microcontroller.
Actually one of the TI TUSB3410 chip sample software comes to mind.
This is a great idea. (Score:2, Interesting)
When I find I need a new one, I just transfer them over. Manually. I am old-school.
Re:Google groups (Score:3, Interesting)
Make a random post to some newsgroup (well make it relevant) use a hash of that post (ascii-ized of course) as your password. If you make your post in a group related to your password, you'll be able to find the passwords you're looking for easily.
Or you could pick someone else who posts fairly infrequently and use their posts as your password-hash basis.
The Reset Button's Right Next to the Yellow Sticky (Score:3, Interesting)
Could some visitor climb under my desk and look at the password if they wanted? Yes, but they could also climb under the desk and hit the reset button, and it's not *that* big a stretch to figure out that the DHCP is now set for 192.168.0.0/24 instead of 192.168.1.0/24.
Re:recommendations? (Score:4, Interesting)
PAYROLL ACCOUNT MASTER LOGIN
I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back everyday for a week, and periodically for a few months afterward, at times when the user was not there to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.
Re:recommendations? (Score:2, Interesting)
I use a similar aproach but mine is kinda foolproof. I think of a word that I would know that's not in the dictionary... like blumpy. Then I pick a symbol like & or *. Then I take this and make, for example, my bank password: blumpy&bank, and lets say my slashdot password: blumpy&slashdot. So it's easy to remember, just remember blumpy& and change it ever so often if you want.
I recommend writing passwords down. (Score:3, Interesting)
Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
Re:recommendations? (Score:3, Interesting)
Well, it's assuming that any one web site they visit stores a non-hashed version of the password.
I once had a well respected commercial web site mail me my password. Not only was the fact that they sent it in email bad, but it was also obviously stored on their machines unhashed. And it was a password that could be used to access my credit card info that they had on record.
Of course I told them their computer security staff should be fired immediately. Never heard back. They were probably the ones that read the email.
Devon