Writing Down Passwords?
Atryn wonders: "I was recently checking for the latest firmware for a Netgear router when I decided to click on their Guide to Internet Security where it states: 'Contrary to much 'expert' advice, there is very little risk writing down passwords. In fact, years from now you may discover you need them to access old files.' I'm wondering what Slashdot thinks of Netgear's recommendation." Update: 06/08 21:19 GMT by T : Reader 654043 reminds us of the Microsoft recommendation to write down passwords which ran a few weeks back, and which has some pretty sound reasoning behind it.
recommendations? (Score:2, Funny)
Re:recommendations? (Score:5, Insightful)
Re:recommendations? (Score:2, Funny)
Then just lock it in a safe. The problem with that is I wrote the combination on a sticky note somewhere and I can't find it. As a backup I copied it into a text file and uploaded it to a remote server with a non-obvious name but unfortunately I forgot what I called it. :-( Next time I'm just going to keep the combination taped to the front of the safe.
Re:recommendations? (Score:5, Funny)
Re:recommendations? (Score:4, Interesting)
PAYROLL ACCOUNT MASTER LOGIN
I ripped it down and handed it to her, telling her somewhat angrily that she needed to lock it in a secure location, or I would escalate it to the head of HR and the head of IT. I came back every day for a week, and periodically for a few months afterward, at times when the user was not there, to ensure that it had not been placed in any semi-obvious location, and that all of the cabinet drawers were locked. I still ended up telling the mentioned managers, but in a more general way that they needed to do more to focus on security of accounts, among other things. They implemented training a couple of weeks later, fortunately.
Re:recommendations? (Score:3, Insightful)
There is something to be said for a report like Microsoft's, which has proper reasoning behind it, etc. But NetGear's idea of telling the average end-user that "the experts are wrong, there's no problem writing your password down" just encourages people to write their laptop password on a post-it and stick it to their laptop (which is *always* a stupid thing to do).
If you're going to tell people to do something that may risk security, you _must_ tell t
Re:recommendations? (Score:3, Interesting)
You can then store your passwords in any format you like, xls, txt..etc
Re:recommendations? (Score:3, Funny)
Re:recommendations? (Score:2)
Bruce Schneier's Password Safe [schneier.com].
Re:recommendations? (Score:2, Informative)
Re:recommendations? (Score:2)
Re:recommendations? (Score:2, Funny)
One word (Score:2)
Re:recommendations? (Score:2)
vim has integrated encryption (Score:4, Informative)
I have a rather large master password list for every server at work which I store this way. It's quite handy.
Re:vim has integrated encryption (Score:2)
Password Safe (Score:2)
Originally developed by Bruce Schneier so you know the crypto doesn't suck, this software is both free and very easy to use. I don't know what I'd do without it.
Re:recommendations? (Score:2, Interesting)
KeePass (Score:2)
Re:recommendations? (Score:2)
Low level has 3 different passwords I use.
Intermediate level has 3.
High has a unique one for each account, but I only have about 4 accounts that qualify as high,
so at any given time I need to remember about 10 different passwords, which ain't that hard. High level passwords get changed every few months. Intermediate about once a year. Low I couldn't give a shit.
It's worked for me so far.
Re:recommendations? (Score:3, Funny)
My whole system was running like a greased skillet until you mentioned that.
Now I can't remember a damn thing...
Re:recommendations? (Score:2)
Then put a password safe program on it. Make your passwords long and safe. Make it so you need the key fob to get into your accounts. You copy the first 32 chars (which were encrypted on the fob) from the fob and then add your short password to the end (or beginning, or middle) of the password and access your stuff.
Re:recommendations? (Score:2)
Re:recommendations? (Score:2)
Re:recommendations? (Score:2)
Re:recommendations? (Score:5, Interesting)
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than to get it off the paper). Luckily I type fast and get annoyed when people stand over me while I type a password
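The card scheme above, as an added example that is not part of the original post: it reproduces the posted card to check the "bank" case, generates a fresh card with a CSPRNG (the general form of what the post shows one instance of), and decodes a password back to its word to make the security property concrete: whoever holds the card faces only the guessing space of the memorised word. The digram alphabet is an assumption; the post does not state which characters it draws from.

```python
import secrets
import string

# Constructed copy of the card from the post, used only to reproduce its example.
POSTED_CARD = {
    "a": "E9", "b": "?p", "c": "&m", "d": "6K", "e": "aY", "f": "eP",
    "g": "!S", "h": "gn", "i": "D=", "j": "Hd", "k": "vw", "l": "Cb",
    "m": "W5", "n": "4$", "o": "R3", "p": "x%", "q": "7M", "r": "NF",
    "s": "+2", "t": "s*", "u": "Ay", "v": "fL", "w": "zG", "x": "Zu",
    "y": "cX", "z": "Qr",
}

# Assumption: the characters a fresh card's digrams are drawn from.
DIGRAM_ALPHABET = string.ascii_letters + string.digits + "!$%&*+=?"


def make_card(alphabet=DIGRAM_ALPHABET, width=2):
    """Generate a new card with a CSPRNG; every letter gets a distinct digram."""
    card, used = {}, set()
    for letter in string.ascii_lowercase:
        while True:
            digram = "".join(secrets.choice(alphabet) for _ in range(width))
            if digram not in used:
                used.add(digram)
                card[letter] = digram
                break
    return card


def encode(word, card):
    """Turn a memorised word into the password: 'bank' -> '?pE94$vw' on the posted card."""
    return "".join(card[ch] for ch in word.lower() if ch in card)


def decode(password, card, width=2):
    """What a card-holder can do: split into digrams and map each back to its letter."""
    inverse = {v: k for k, v in card.items()}
    chunks = [password[i:i + width] for i in range(0, len(password), width)]
    return "".join(inverse.get(c, "?") for c in chunks)


def card_is_consistent(card):
    """A card is only usable if no two letters share a digram, so decoding is unique."""
    return len(card) == 26 and len(set(card.values())) == 26


if __name__ == "__main__":
    print(encode("bank", POSTED_CARD))
    fresh = make_card()
    print(card_is_consistent(fresh), decode(encode("bank", fresh), fresh))
```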
Re:recommendations? (Score:3)
Re:recommendations? (Score:4, Informative)
Re:recommendations? (Score:5, Funny)
Re:recommendations? (Score:3, Interesting)
Well, it's assuming that any one web site they visit stores a non-hashed version of the password.
I once had a well respected commercial web site mail me my password. Not only was the fact that they sent it in email bad, but it was also obviously stored on their machines unhashed. And it was a password that could be used to access my credit card info that they had on record.
Of course I told them their computer security staff should be fired
Google groups (Score:3, Funny)
Re:Google groups (Score:2)
Re:Google groups (Score:5, Interesting)
Re:Google groups (Score:2, Funny)
Nah, just give your passwords to me. I'll email them back to you if you forget.
Smart! (Score:2)
Re:Google groups (Score:3, Interesting)
Make a random post to some newsgroup (well, make it relevant) and use a hash of that post (ASCII-ized of course) as your password. If you make your post in a group related to your password, you'll be able to find the passwords you're looking for easily.
Or you could pick someone else who posts fairly infrequently and use their posts as your password-hash basis.
Has something changed in the past 2 weeks? (Score:4, Insightful)
keepass.sourceforge.net (Score:2)
Re:keepass.sourceforge.net (Score:3, Informative)
Re:keepass.sourceforge.net (Score:3, Informative)
It runs in my system tray and I can click, enter my master password and have access to all my passwords. It has also let me use long random passwords for my very important sites since I don't need to remember them any more.
Also you can use a USB key as part of the key
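The "USB key as part of the key" idea above, and the key-fob-plus-short-password scheme in an earlier comment, both combine something you have with something you know. The following is an added example, not KeePass's or any other product's actual file format: the two halves are hashed separately, folded into one composite secret, stretched with PBKDF2, and checked against a stored tag before anything is decrypted. The key-file bytes and the tag label are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the key file kept on the USB stick (assumption: 32 bytes).
SAMPLE_KEYFILE = bytes(range(32))


def composite_secret(master_password: str, keyfile: bytes) -> bytes:
    """Fold 'something you know' and 'something you have' into one secret.
    Each part is hashed first so neither the password nor the raw key file
    is used directly as key material."""
    pw = hashlib.sha256(master_password.encode("utf-8")).digest()
    kf = hashlib.sha256(keyfile).digest()
    return hashlib.sha256(pw + kf).digest()


def derive_vault_key(master_password: str, keyfile: bytes, salt: bytes,
                     iterations: int = 100_000) -> bytes:
    """Stretch the composite secret with PBKDF2-HMAC-SHA256. Someone holding a
    copy of the vault file pays `iterations` hashes per password guess, and
    without the key file a guess cannot even be checked."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, keyfile),
                               salt, iterations, dklen=32)


def make_check_tag(vault_key: bytes) -> bytes:
    """Tag stored in the vault header so a wrong key is rejected before decryption."""
    return hmac.new(vault_key, b"vault-key-check", hashlib.sha256).digest()


def new_vault_header(master_password: str, keyfile: bytes, iterations: int = 100_000):
    """Create (salt, tag) for a fresh vault; the salt is public, the tag is not secret."""
    salt = secrets.token_bytes(16)
    tag = make_check_tag(derive_vault_key(master_password, keyfile, salt, iterations))
    return salt, tag


def unlock(master_password: str, keyfile: bytes, salt: bytes, expected_tag: bytes,
           iterations: int = 100_000) -> bool:
    """True only when both the password and the key file match the header."""
    key = derive_vault_key(master_password, keyfile, salt, iterations)
    return hmac.compare_digest(make_check_tag(key), expected_tag)


if __name__ == "__main__":
    salt, tag = new_vault_header("correct horse", SAMPLE_KEYFILE)
    print(unlock("correct horse", SAMPLE_KEYFILE, salt, tag))   # right password + key file
    print(unlock("correct horse", b"\x00" * 32, salt, tag))     # right password, wrong key file
```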
Keep ass? (Score:3, Insightful)
Re:keepass.sourceforge.net (Score:2, Insightful)
I for one have been keeping my ass for quite many years now, and it has worked fine for me. YMMV
sound reasoning? (Score:2, Insightful)
I do believe that there is also "some pretty sound reasoning" when the users decide to share their whole drive together with the passwords on P2P. I mean, by doing that, one can sleep peacefully knowing that his password is redundantly stored, for the next n years.
Give me a break. Security is designed by the need for it. There is a need to protect your email password because even email has a legal standing as a form of c
Re:sound reasoning? (Score:2)
Which is odd, since you don't need a password to send an e-mail.
Re:sound reasoning? (Score:2)
My own personal experience has been at numerous companies where I have been a consultant and am assigned a phone extension with voice mail. Has anyone else experienced ultra-secure voice mail? I'm talking about no less than 8 digit passwords, no repeating digits or sequential digits (ascending or descending)... all to protect my stupid voice mail. The LAN password security is less stringent than the voicemail security.
So, a good example of when I write
Common sense! (Score:2, Insightful)
Personally... (Score:2, Interesting)
it's in my wallet (Score:2, Interesting)
However, I imagine that there's merits to both sides of the argument.
Re:it's in my wallet (Score:4, Funny)
Re:it's in my wallet (Score:2, Funny)
Re:it's in my wallet (Score:2)
Having draconian policies against writing down passwords will most likely result in people choosing really poor, easily guessed passwords. It's overall security that matters, not how you get there.
Incidentally, Bruce Schneier has said that he keeps passwords written down in his wallet.
(Aside: there is a very funny chapter called something like "Feynman, the genius sa
Yep (Score:2, Insightful)
Everything's protected by a master password and triple DES, so it's fairly secure.
Even better - KeePass (Score:3, Insightful)
If you wanted portability, you could keep your password database on a USB memory drive and carry that around with you.
I see that they just released 1.0 on June 4th - congrats!! I highly recommend people check it out!
discourse on the method for proper pass storage (Score:2)
this seems like it MIGHT not be a bad idea.... (Score:2, Funny)
Archival passwords (Score:2)
There are those who do leave their front door key under the mat, but even they don't hang a bloody great sign on the door to remind them where it is.
Passwords? Blog 'em! (Score:4, Funny)
Dumbness (Score:2, Insightful)
A year back at my old school, a teacher left her password for school network access taped to her monitor. A student found it and used that to take down the entire network. Took down everything from the entire school's grades, email, library system and of course internet access.
Either that, (Score:3, Funny)
They always seem to know what it is.
We're on a first name basis.
As with everything, it depends.. (Score:2)
Is the username with the password?
Did you munge the password you wrote down by some scheme known only to you? (example: first character of password is off by one position [ a becomes b], last character is off by the number of characters in the pw)
Is your choice between a simple pw like "kitten" which you remember, or "z0rtvoid-numrut" which you write down..
I do write down pw's, after having forgotten a root pw twice and h
Context! (Score:4, Insightful)
Despite what some people seem to think, there's no "right" answer other than following the context. I live in the US and routinely drive on the left hand side of the road... on one way streets where I'll be turning left soon. I've done it on interstates... where the right hand lanes were closed due to construction and the oncoming traffic was moved onto the access road.
Writing down passwords is the same deal. It's a Bad Idea in your cubicle. It's a Cause For Termination Idea if you're a sysadmin.
But on a router at home, or in a locked wiring cabinet? It's a damn good idea. On a card in your wallet, especially in that zippered compartment so it can't accidentally slip out? Good idea, unless you routinely leave your wallet unsecured. In which case you're an idiot with bigger problems than just writing down your passwords.
WTF? (Score:2)
Could be (Score:5, Insightful)
Re:Could be (Score:2)
Also in Crypto-Gram (2001) (Score:2, Informative)
I write down all my passwords... (Score:2)
writing down passwords.. (Score:2)
Netgear routers are inexpensive, and low on featur
Jon Udell: Simple single sign-on (Score:5, Interesting)
Simple single sign-on [infoworld.com] article from May 2005:
It points out a few simple solutions that will solve many people's problems.
Tabular sheet record. (Score:2)
Low Risk (Score:2)
Yes, it makes sense (Score:2)
If you write your passwords skillfully (for example, coded in even a simple way, scribbled amongst some other notes in your telephone directory or small paper notebook) chances anyone would get to them w
Webmail + symmetric crypto (Score:2, Insightful)
Then I have a few *really* strong passwords that I use to encrypt text files holding passwords that either belong to myself or other entities (customers, etc.) using GPG's symmetric method. I retain copies of these f
Like anything else (Score:5, Insightful)
If you have a router/firewall on your Internet connection, and you write the password(s) to the router on a piece of paper taped to the router, then you are not really reducing your security - if the bad guys are in the room reading the password you are already in trouble.
However, if you write your workstation password down on a piece of paper under your keyboard, and other people can reasonably be expected to have access to your office, then you are greatly reducing your security. If, on the other hand, you have your password written down on a piece of paper you keep in your wallet, then the reduction in security is fairly minimal - especially if there is nothing in your wallet that would lead the bad guys to your workstation.
The Reset Button's Right Next to the Yellow Sticky (Score:3, Interesting)
Get a keyring (Score:5, Informative)
A real, physical, password keyring. ThinkGeek has some rather expensive ones, but they'll definitely do the job. I have one of the earlier (cheaper) keyrings from the same company, and it's wonderful. I have strong passwords, I don't have to worry about forgetting them, and they're secure.
Good passwords.. (Score:2)
this is a physical security nightmare... (Score:2, Interesting)
either way this is no real sub for good old fashioned remembering things... just change your passwords on a timely schedule.
i have 20+ sites/programs that i change my passwords for ranging from ssh tunneling, to remote email servers to FTP servers...
i have 5 master phrases, one for each type of password protected app/protocol, that i use to create strong alpha nu
This works for me.. (Score:2)
split-hosting (Score:2)
record the last five characters of each password on a card. Even indicate which box is which.
Then, memorize the first three characters, and use them in all locations.
Works great.
PASSWORD SAFE!!! (Score:3, Insightful)
Password Safe [schneier.com]
Is exactly what you need to "write down" passwords with. You only need remember a single password to decrypt the database. And since the database uses Blowfish, it is pretty damn good.
I have over 50 username/password combos stored in mine with a strong password to open the database itself.
If you need to write down a password, this is the way to do it.
Yes. But not the way they mean. (Score:2)
This act turns the password into "something you have" instead of "something you know." Since passwords are not strong authentication by themselves this does not undermine security any more than relying on password security itself does.
Writing the password down and leaving it in a public area or in your desk, howe
I like kiskis (Score:2)
It's java - and it really runs on Win 98, Mandrake, CentOS, WinXP and Mac OS.
It's easy to use, the passwords are encrypted, and because I can run it on all of the OS' that I use, I can carry the app on my USB drive with an encrypted copy of my password DB and I can always use it.
It's open source, and I've found the developer to be receptive to helping.
YMMV, but I'm pleased.
Respectfully,
Anomaly
Obfuscate them. (Score:2)
When I write down a password, I do two things:
1) Obfuscate them by adding an extra character to the beginning and end of the password. Make up your own variation on this. Prefix the password with a number, say, 4, and add an extra character to the password inserted 4 characters from the start of the password
2) Captain Obvious, don't write "PASSWORD" on your post it note.
Chris
Best practices often aren't. (Score:2)
People often pick awful passwords or pick the same password for unrelated uses, like they use their SuperSekrit company password that accesses all our financial data as their webmail password because two good passwords are hard to remember. I'd much rather people write two good passwords down than use a bad one, or use an important one in an insecure way. Just protect whatever you write
Stupid auditors (Score:2)
Granted, any security expert can tell y
Lock it up (Score:2)
easy solution here. (Score:2)
2. Implement it.
3. Put your password into a ROT-13 proggy and --write down-- the output of THAT.
If anyone finds the rot-13d password you've written down they won't get anywhere at all with it. Only you will know..
I'll write my password right here (Score:2)
"antidisestablishmentarianism(underscore)(my zip code)"
Ok. for a few days.
It all depends (Score:2)
On the other hand if it is something important I have Mnemonics that I use. I try to not have a lot of memorized passwords, and I will only memorize a password for a system where it will never change.
Considering the large number of passwords we have to use in today's world, I use
best password mnemonic ever (Score:4, Funny)
2. add 5
3. multiply by 3
4. square this number
5. add the digits over and over until you get only one digit (i.e. 64=6+4=10=1+0=1)
6. if the number is less than 5 then add five otherwise subtract 4
7. multiply by 2
8. subtract 6
9. use this number to select a letter of the alphabet 1=A, 2=B, 3=C, etc.
10. pick the name of a country that begins with that letter
11. take the second letter in the country name and think of an animal that begins with that letter
but wait...
there are no elephants in Denmark!
physical password security (Score:3, Insightful)
That's often not enough though. I also tell them the first time I see their creds in the open that I'll remind them of the policy. After that, their password documents will be destroyed immediately and without notice on sight if discovered in the open again... and that their password will be changed just as fast.
Call that a bit draconian if you will, but I see it as a way to meet people in the middle. I can issue strong passwords without having to think about whether people will remember them, and as long as people treat their credentials like responsible adults I don't have to worry about adverse disclosures.
Truth is people are going to write down their passwords no matter what you tell them to do. Providing a climate where people aren't afraid of admitting it and setting an official policy regarding how that's handled can help you manage risks that otherwise would be hard to approach.
Coincidentally... (Score:5, Funny)
Note to self: Next time, write down the fucking password and put it in the fucking file cabinet.
Note to poster: Did you ask this fucking question just to fuck with my mind or was it pure coincidence?
Have you tried... (Score:4, Funny)
I recommend writing passwords down. (Score:3, Interesting)
Furthermore, I recommend that complicated passwords be allowed a lifetime of at least one year in all but the most sensitive areas. Ergo, a general user should usually be able to keep one for a minimum of a year. The systems administrator on the other hand, shouldn't keep a password longer than 60-90 days. That limited amount of time because most system administrators administrate multiple machines making their password very important.
Re:Write them online (Score:2)
Re:write them down without detail.... (Score:2, Insightful)
If you're a pocket-picking cracker with common sense, you'll probably realize that "Hey, this business card with nonsensical combinations of letters and numbers scribbled on it might actually have some sort of significance." Or maybe the owner just has an ASCII fetish.
Disassociating the passwords is of course a good idea *if* you must write down your passwords because this way if you just lose it, no one will know how to use the information. It doesn't protect you from a thief, however.
Re:It Depends... (Score:2)
I found this lovely old notebook from the 1920s, tall, wide and deep, with yellowed pages, embossed wood-backed smoky leather finish, and ruled. I was looking for something great to do with it, something really special, and then it hit me: use it as a hardcopy for all of my usernames and passwords. Losing this would be sacrilege, and that's even without the content. So wherever you store your passwords, make it somewhere that you would hate to lose even if you didn't store valuable information in it.
Re:It Depends... (Score:2)
Re:Can I take a walk through your wire room? (Score:2)
If someone is rummaging around looking for your password list, you have bigger problems to come than just a stolen computer. Like corporate spying.
Who cares? (Score:4, Insightful)