Ask Slashdot: How To Protect Your Passwords From Amnesia? 381
Phopojijo writes "You can encrypt your password library using a client-side manager or encrypted file container. You could practice your password every day, keep no written record, and do everything else right. You then go in for a serious operation or get in a terrible accident and, when you wake up, suffer severe memory loss. Slashdot readers, what do you consider an acceptable trade-off between proper security and preventing a data-loss catastrophe? I will leave some details and assumptions up to interpretation (budget, whether you have friends or co-workers to rely on, whether your solution will defend against the Government, chance of success, and so forth). For instance, would you split your master password in pieces and pay an attorney to contact you with a piece of it in case of emergency? Would you get a safe deposit box? Some biometric device? Leave the password with your husband, wife, or significant other? What can Slashdot come up with?"
Secure safe. (Score:5, Funny)
Tell all your passwords to me, they'll be safe. Just don't forget who I am.
Re:Secure safe. (Score:5, Funny)
Like that'll ever happen. You post here all the damn time.
Re: (Score:3)
More seriously, envelope, lawyer, retainer, instructions to return if you are in a serious accident. Or several lawyers, each with part.
Or cheaper but less reliably tell two or three independent friends a part of the answer, and ask them to come and tell you the information if you ever get amnesia. Such as, "The password is in the book"; "Moby Dick"; "Page 27, Line 6". Don't tell them who the others are, and try to use people from different social circles.
Re:Secure safe. (Score:5, Funny)
"The password is in the book"; "Moby Dick"; "Page 27, Line 6"
Oops. Heh.
"unlock his bridegroom clasp--yet, sleeping as he was, he still hugged me tightly"
Oh Queequeg...
Re:Secure safe. (Score:5, Insightful)
A safe deposit box, say, won't last 10 seconds against The Man (unless you bank with the same Bespoke Swiss Wealth Management Entity whose gnomes have guarded your family's anonymous riches since the days when you were aristocracy); but is pretty much 100% bulletproof against hackers, malicious friends, and most other likely attackers with the possible exception of a malicious-but-once-trusted spouse. Plus, while it might be a bit of a hassle, especially if you face serious cognitive impairment, such an arrangement is well established enough, socially and legally, that regaining access to your box after an accident or something should be pretty doable.
Something like that would be too much of a hassle to routinely deposit updates to passwords you rotate frequently; but a good place for a long, hostile, master password for a password locker of some sort that you use day-to-day and store the passwords that actually get rotated in.
If the concern is The Man, of course, you could hardly do worse than that strategy. Depends on what you are worried about. If you aren't worried about the man, just putting it on paper in one of the institutions society has offered for secure storage for centuries now is the obvious strategy, and comes with the advantage that even 100% non-techies will be familiar with, and likely to be helpful with, such an arrangement. If you are worried about a warrant cutting through your security like a stray round through an innocent bystander, you'll need to get more creative, and hope that you have some social resources to employ.
Biometrics are always a terrible plan, of course (sure, your fingerprint will be fine after you get out of the burn ward, no problem...) and KISS is probably a good idea if your concern is the potential for unplanned mental degradation (whether pure memory, or cognition as well). The fancier you get, the worse your odds of remembering how your fancy plan to remember your passwords worked.
Re:Secure safe. (Score:5, Insightful)
A similar problem lies in most of the other "tell N friends to give you the clues needed to find the password" approaches. What happens if one or more friends fail to return the clue they possess? It's like having a hard drive array as a simple spanned volume. Lose one drive and everything is lost. Trying to include a checksum or similar function seems needlessly complex IMHO.
I think most folks are over-thinking this. Lets stipulate that I have lost my memory for whatever reason. All my passwords are generated using a relatively simple pattern. If I was amnesiac, I still have all those passwords saved in my browser, chat and email clients. Amnesiac me can collect email and log into sites that I use as long as my computer is intact. My wife knows the pattern but not the current passwords, if I can't get into the password lockers, my wife can give me the starting point. From there I can access my passwords with as little as 5 tries. However, as long as my email client still has useful passwords, the vast majority of my password list can be reset with a simple "I forgot my password" request. If, for whatever reason, those two options aren't good enough, I really don't care y'know? If I'm amnesiac, I have much bigger problems on my plate than whether I can access any social sites, member-only areas of sites and so on. Given the kind of brain trauma needed to get significant amnesia, I probably would not have much use for email for the first while anyway.
Re:Secure safe.(Shamir Secret Sharing) (Score:5, Interesting)
Just post it on Slashdot (Score:5, Funny)
And then, whenever you need your password, just "ask Slashdot"! Of course there will then be some jokers who post incorrect passwords, but they will be modded down rapidly since anyone can check whether the password is correct or not. Just go with the "+5 informative" one.
Re:Just post it on Slashdot (Score:5, Funny)
Remember, posting your password on the internet [bash.org] will show the password to you as as your password, but others will see it as stars.
See, look at my password ************
So now if I get amnesia all I have to do is come back and check my comment history and I'll find my password.
Re:Just post it on Slashdot (Score:5, Funny)
Re:Just post it on Slashdot (Score:4, Funny)
Remember, posting your password on the internet [bash.org] will show the password to you as as your password, but others will see it as stars.
See, look at my password ************
So now if I get amnesia all I have to do is come back and check my comment history and I'll find my password.
So your password is hunter2?
Re: (Score:2)
Michel! ffs man! I've been trying to contact you since your accident!
Your password is "LargeAndInCharge69". I hope you recover all your data.
Re: (Score:2)
Re: (Score:2)
What good does a line of stars do?
Re:Just post it on Slashdot (Score:4, Insightful)
Paranoid much? (Score:2, Funny)
Amnesia is most often associated with major brain damage, which means you have a lot more to worry about than your passwords. Now zombies, those are real, which is why I'm holed up here in the middle of Nebraska with enough ammo to put the entire state out. You hear that zombies, you'll never take me alive!
Re:Paranoid much? (Score:4, Insightful)
Amnesia is most often associated with major brain damage, which means you have a lot more to worry about than your passwords.
Also with ageing - not just in dementia. My parents in their 60s/70s both struggle with remembering secure passwords.
Re: (Score:2)
Just let them pick a sentence as a password?
Re: (Score:2)
For personal local passwords, yea you could use a sentence password. But many websites, especially banking sites, require capital letters and numbers. Once you throw those into the mix it's game over and you can easily forget it.
A piece of paper in a drawer (Score:3, Funny)
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate.
For my personal passwords, I rely on security through obscurity: I don't believe that anyone can find my passwords in the giant mess that I call my office. If I get sick, I can use the recovery time to clean up my office. It will take weeks, if not months.
Btw, I don't need a terrible accident to forget passwords. It happens a lot for those passwords that I don't need too often.
Re:A piece of paper in a drawer (Score:4, Interesting)
A trusted executor is really the way to go here. Store the passwords in an encrypted format and then give the key to a trusted party that will only unseal the encrypted database in the event that you are incapacitated. For added security, split the key into multiple parts and give it to multiple parties. It would probably be best to transport the key in a physical format and make it clear that the importance of the document.
In a work place setting, give the keys to supervisors that are mutually responsible for the systems in question. In a personal setting, give the keys to family members that are trusted. Be sure to provide step-by-step instructions as to how to decrypt your data. If you are so unfortunate to not have trusted family or friends, pay a law firm to administrate this service and act as your executor. For a fee, the law firm can be instructed to only unseal the data in the event that certain standards are met (such as a declaration of incompetence by N medical professionals).
Re: (Score:3)
I would probably give a master password and a copy of my password safe to my lawyer, along with my will and other legal paperwork that she should have just in case something should happen to me.
KeePass + will (Score:3)
I would probably give a master password and a copy of my password safe to my lawyer, along with my will and other legal paperwork that she should have just in case something should happen to me.
I was in the midst of posting something similar. I hadn't thought of encryption, but that would be a good idea.
Re: (Score:2, Informative)
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate.
This is the way to go.
The first question you should ask yourself is, if someone have physical access to my computer, do I care if they also have my passwords. If not then a post-it on the monitor will work just fine.
Otherwise you should ask yourself, do I have any physical place where someone finding out my passwords would be the least of my concerns? If you have a place like that, store your passwords there.
As long as you don't store what the passwords are for together with the passwords some random strang
Re:A piece of paper in a drawer (Score:5, Funny)
do I have any physical place where someone finding out my passwords would be the least of my concerns? If you have a place like that, store your passwords there.
You just gave me the best idea ever: tattoo your passwords on your penis. The chance of losing it is small when compared to the chances of losing a notebook or piece of paper, it's a private location and chances are social engineering industrial espionage attempts will have to get pretty interesting. I can see only two minor problems with my plan: first, you might not be able to fit strong passwords in there. If you end up only being able to fit easy to brute force passwords, I suggest you use the old piece of paper method, and maybe a pump. Second, your work may be one of those that use five or six different systems, all with different passwords, and rotate them on a monthly basis. You can still stick with the idea, but oh, boy, you're going to be sore.
Re:A piece of paper in a drawer (Score:5, Funny)
Re: (Score:3)
Re: (Score:3)
Re:A piece of paper in a drawer (Score:5, Interesting)
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate...
Your boss does not have "every right" to know your password at work any more than any other employee has a "right" to know it. You are an IT Security person's worst nightmare with that bullshit argument, especially if you have even a fucking hint of how Windows security works, and know damn well that in any emergency, most any member of your IT staff can reset any password upon following proper HR and IT policy, which is your audit trail as well for CYA.
Work passwords pretty much for the most part do NOT need to be stored offline in any way for this very obvious reason, and by relying upon the security guards, you've basically destroyed any point in having any sort of strong password policy.
Like I said, you're an IT Security person's worst nightmare. Knock it off with that shit already, and use common sense.
Re:A piece of paper in a drawer (Score:5, Insightful)
I know that it might seem obtuse, but there are in fact companies out there that don't even have an IT department and chances are the "IT system" is just a bunch of random machines doing random things and password resetting isn't a practical option.
Re: (Score:3)
Umm... what about server passwords? What about core router and switch passwords? What if you work at a telecommunications company and are in charge of the a large part of the network?
Do we want another Terry Childs incident here?
OF COURSE your Boss has every right to know your passwords. Maybe not your personal windows login password, but that is NOT what we're talking about here. Passwords to core and critical systems in a business SHOULD be accessible to senior management in case something should happen t
Re:A piece of paper in a drawer (Score:5, Informative)
For work-related passwords, my boss has every right to know my passwords if I get sick
Hmm, no, he has every right to access your professional data for sure, but this does not necessarily require him to know your passwords. Back when I was doing IT for a 25-odd people company, I'd briefed people that their password was like their signature: personal, and if some manager asked them their password, they should redirect the manager to me (happened a few times, each time the request was baseless and rejected, and when there was an actual problem, it was solved without anyone having to let anyone else know their password). Heck, I'd briefed everybody never to tell me their password.
Re: (Score:2)
Heck, I'd briefed everybody never to tell me their password.
I've never abused a password but I even don't want to know my SOs' passwords. If I don't know them, I can never be tempted to use them. I'm root anyway.
Re:A piece of paper in a drawer (Score:5, Insightful)
I agree with you on policy, but technically the boss has the right to have whatever policy he wants. It's his company, after all. Now if your "boss" is just the manager directly above you, they may very well be violating some company policy...
Re:Don't need even that (Score:2, Informative)
Everyone forgets passwords once in a while.
Personal Passwords? Most of them can be reset. That is, if that email address still exists. Otherwise it probably wasn't important enough anyway.
Job passwords? Can be reset
Government related passwords (like DigiD in the Netherlands)? Reset it online and they'll send you a reset code via ye olde mail
My girlfriend suffered from a cerebral hemorrhage a couple of years ago.
Trying to get a new bank pass (she also forgot her PIN) was way more difficult than online stuff
Re:A piece of paper in a drawer (Score:5, Insightful)
Absolutely not. Your employer has every right to reset your work-related passwords to gain access to your machine - An easily detected, even auditable, event that proves "you" didn't try to bribe a Central American dictator to use your company's brand of widgets (or bullets, as appropriate).
Now, for truly shared company passwords like a corporate Twitter account, you should already have a key escrow plan set up - That might mean a formal third-party service, or something as simple as the old trick of writing it on a note-card, sealing the note-card in an envelope, and signing across the flap. Store envelope in a secure area.
Don't confuse those two situations.
Re:A piece of paper in a drawer (Score:4, Insightful)
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate.
Disagree.
Your boss has every right to possess credentials himself capable of resetting or changing your password to something he knows; should a need arise. He should not however have your password. This is a audit and separations of powers issue. Being able to reset your password is fine, that should result in a log, of what account was reset and what account did the resting. If it was root, who sudo'ed to root, etc. Can someone with administrative access still taper with logs? Yes; but it raises the bar and makes it harder to cover their tracks from forensic examination if something happens.
Account credentials should not be shared for accountability reasons, even with the boss.
Re: (Score:2)
For work-related passwords, my boss has every right to know my passwords if I get sick.
Access to the work related accounts should not depend cooperation from the employee. Trust employees to be gruntled but have contingency plans for the !gruntled too. And incapacitated, and the inaccessible as well.
My boss can simply as the sys admin to change the password of accounts on servers controlled by my employer. I don't ask my staff to reveal their passwords to me, and when they leave or get fired, it is standard ops to reset their passwords, archive the $home and give me access to those files.
Re: (Score:3)
Once I smirked at people who wrote down their passwords, but now with every second site and service needed at least once email address and passwords, the smirk has been wiped off my face.
I now have upwards of 100 passwords and logins across computers, websites, mailing lists, services, databases, devices and an increasing number of newly online ultilities. I would point to this hassle as the number one example of computers decreasing productivity.
I've remembered the most important logins, doubled up others,
Re:A piece of paper in a drawer (Score:4, Informative)
At work, when one password expires, I update all of my system passwords to match whichever new password I pick.
I used to come up with clever, difficult to guess passwords. Now that I have to change my password every three months, I just +1 my previous password. Farscape20 is what I was at before I switched shows.
If my job really expects a challenging password, then it should stop forcing me to update it so frequently. I am simply not imaginative enough (nor do I have the desire) to come up with something unique each time.
My passwords do not... (Score:2, Funny)
...suffer from amnesia. Passwords generally don't, so I would not worry about that particular problem.
And now excuse me, I need to water my keyboard.
Do what Jason Bourne did (Score:5, Informative)
Tattoo your safe deposit bank number (the bank of which required your biometric identity to get into the vault) on your arm. Maybe you should also tattoo the name of the bank (and address?) there, I seem to remember that he had problems remembering he had a safe deposit box there.
Re: (Score:2)
Tattoo your safe deposit bank number (the bank of which required your biometric identity to get into the vault) on your arm. Maybe you should also tattoo the name of the bank (and address?) there,
...and then never wear short sleeves in public or go swimming for the rest of your life.
Re: (Score:3)
Tattoo your safe deposit bank number (the bank of which required your biometric identity to get into the vault) on your arm. Maybe you should also tattoo the name of the bank (and address?) there, I seem to remember that he had problems remembering he had a safe deposit box there.
Make sure the biometrics isn't fingerprins from the same arm, otherwise someone may chop your arm off and get both the bank name and the fingerprints in one go. People will do anything to get to your funny kitty pics on instagram.
Nice try (Score:5, Insightful)
Nice try, NSA!
Sealed Envelope (Score:2, Informative)
IIRC, Nemeth, Hein, Snyder, and Whaley suggest a sealed envelope in a safe (or locked away in a safe place). As soon as the seal's broken, you know that the person(s) who know(s) the combination/has the key indeed needed access to the password (in an emergency), so you may want to change the password in the future.
Re: (Score:2)
Put it in a box with a one-time lock (can only be locked once, yes, they exist...).
That way you can tell if anybody else has ever opened it.
Lock it in an ordinary safe then drill a hole through the key and get a jeweller to fit an engraved metal ring through the hole. The only way to use the key is to break the ring. Or lock it in the safe then cover the key with sealing wax and sign it (no, they're not 100% foolproof but they're probably good enough).
Re: (Score:2)
If you have amnesia:
1) How would you remember where you put it?
2) How would you know if it's been taken?
3) How would you remember that you used a sealed envelope (or one-time lock, or similar trick)?
Keep it on a piece of paper (Score:2)
Re: (Score:3)
Your brain is the limit!
Sure, unless you wake up with memory loss (it can happen, it seems you forgot the words of the summary while you were writing that!!)
Re: (Score:2)
Re: (Score:2)
keep passwords inside the head rather than on a file - encrypted or otherwise. But if you can't do that, keep it on a piece of paper, and if you're worried about others seeing your paper, well, lock it up somewhere safe
Let's see: in a safe with a combination lock perhaps?
Re: (Score:2)
keep passwords inside the head rather than on a file - encrypted or otherwise. But if you can't do that, keep it on a piece of paper, and if you're worried about others seeing your paper, well, lock it up somewhere safe
Let's see: in a safe with a combination lock perhaps?
I just use a key.
Re: (Score:2)
Isn't the whole point of the OP's question that you don't know you shifted the numbers and characters?
Same applies if you need others to access the password in the event of your death. They need to be in on the secret too.
Use mooltipass (Score:5, Interesting)
Re: (Score:2)
Therefore, you'd only need to share your PIN code with your husband/wife (5 to 6 numbers)
Husband/wife? This is slashdot you know...
Re: (Score:3)
I think he meant THE husband / wife, I.E., dad and mom. You could just ask her when she brings down your sandwich.
It's not a bug, it's a feature! (Score:2)
Re: (Score:2)
Suppose you did indeed have an amnesia-proof password store. And then you get into a situation where you are scared to death (jackbooted thugs breaking into your house in the middle of the night, drag you off to some scary Cuban shore, ...) and you are so frightened by the ordeal that you forget your valuable passwords. So fine so good. But then there's you're amnesia-proof solution, which brings your memories back. oops.
They're going to drag you off to Cuba to get your Facebook password?
Why is "forgetting" such a problem apparently? (Score:3)
It's very easy to create unique passwords that are hard to guess, and completely trivial to remember. My method is this:
- I have a 4 "stems" that are the first letters of 4 lines of poetry I remember from school. one stem is used for "very personal" things (ssh private key passwords for instance), another for login on "trusted" machines (my servers), and a third to use on various websites I trust moderately, and a fourth is a "junk" stem to use on shite websites (hotmail and the likes).
- To each stems, I append 2 digits (always the same)
- I prefix each stem with the first 3 letters of my username, and I append the 3 first letters of the machine's name, or website name I'm logging onto, after the digits.
- Finally, I append the number of letters in the machine name or website name (sans www. or .com).
The passwords that I create that way are reasonably secure, usually unique, and all I have to remember is a poem, my username for a particular machine/website (those I can store somewhere in plain text just in case) and the method to derive the corresponding password.
I have kajillions of passwords, and zero trouble remembering them. How hard can it be? I've never felt the need for a password storage solution of any kind.
Re: (Score:2)
It's very easy to create unique passwords that are hard to guess, and completely trivial to remember. My method is this:
- I have a 4 "stems" that are the first letters of 4 lines of poetry I remember from school. one stem is used for "very personal" things (ssh private key passwords for instance), another for login on "trusted" machines (my servers), and a third to use on various websites I trust moderately, and a fourth is a "junk" stem to use on shite websites (hotmail and the likes).
- To each stems, I append 2 digits (always the same)
- I prefix each stem with the first 3 letters of my username, and I append the 3 first letters of the machine's name, or website name I'm logging onto, after the digits.
- Finally, I append the number of letters in the machine name or website name (sans www. or .com).
The passwords that I create that way are reasonably secure, usually unique, and all I have to remember is a poem, my username for a particular machine/website (those I can store somewhere in plain text just in case) and the method to derive the corresponding password.
I have kajillions of passwords, and zero trouble remembering them. How hard can it be? I've never felt the need for a password storage solution of any kind.
Hey, that's great ... {scribble} ... what was that middle one again?
Re:Why is "forgetting" such a problem apparently? (Score:5, Insightful)
"All I have to remember is a poem".
This won't necessarily work if you have amnesia! Poem? What do I need a poem for? And all that stem/prefix/append process, if you have amnesia, what's that all about?
If your passwords, and your password generating method, are kept solely inside your head, then that is a single point of failure. Fall off a bike and it may be gone. For ever. The point is to be able to somehow reconstruct your passwords if you can't remember!
Re: (Score:2)
The point is, I've used that poem and that method for so many years, and it's such a simple system, that it might be the one thing I'll remember first if I have amnesia.
But you're right, at the end of the day, you have to choose between a single point of failure in your head or outside your head. I think the odds of compromising your passwords because your trusted relative, friend, attorney... wasn't so trustworthy or careful is far greater than having amnesia.
Re: (Score:3)
The point is, I've used that poem and that method for so many years, and it's such a simple system, that it might be the one thing I'll remember first if I have amnesia.
Perhaps, perhaps not. I have a relative who suffered some brain trauma, he had to relearn parts of his vocabulary and while he'd fairly quickly relearn that an apple is an apple, any passwords, codes or combinations that only he'd known was blasted into oblivion. If that happened to me I'd lose everything on my computer since I use full disk encryption and nobody else knows the key. And it's not so easy to solve, because even if I wrote it down I might not remember that I did, where I hid it or who I gave i
Re: (Score:2)
Even simpler is to use the physical address of where the machine you're using is located along with some special characters or other variety for good measure.
For example: 19Th&WashingtonAve@50224!
It's rather trivial to remember, and if you can come up with your own basic pattern, it becomes easy to manage a bunch of different passwords for different things in your life.
I did something really clever (Score:4, Funny)
Re:I did something really clever (Score:5, Funny)
I did something really clever with my password list .... I'm darned if I can remember what though.
You emailed the list to me for safekeeping. Just send $10,000 (plus shipping and handling) to my paypal account, and I'll send it right back to you!
Sure ... just tell me my paypal password first, I can't remember it!
Republican answer (Score:4, Funny)
What use with amnesia? (Score:2)
But with any security question, there are always events where you say "if X happens, then you have lost and there is no point in trying to mitigate". For example, if people break into your house willing to beat you up for your passwords and kill you if you don't give them out, then you have lost.
Write your private passwords on paper, hide them somewhere in your house, if you want deposit a copy at your work pl
I do not discuss matters of security (Score:2)
I have a solution for this scenario, and equally for my sudden death.
Can't tell you what it is, obviously, as that would compromise it. Not much help, I know. But that's how security works.
Re:I do not discuss matters of security (Score:4, Insightful)
Actually, that "security through obscurity" approach is exactly how security does NOT work :-)
Funny. Relying on a password that nobody else knows sounds like "security through obscurity" to me.
Re: (Score:2)
Relying on a password that nobody else knows sounds like "security through obscurity" to me.
You haven't seen my password.
Depends upon the situation ... (Score:2)
In the case of my employer, I got lucky: the administrative passwords were placed in a signed and sealed envelope in case anything critical happened. It worked because they knew how to handle confidential data and acknowledged that I was the only one who should have access to those passwords (unless something critical happened).
In the case of important personal passwords (e.g. financial institutions), you could write it down and place it in a safe. You're letting the bank handle the security in that case,
My Solution (Score:2)
I keep my pa55w0rd hidden in plain sight.
Re: (Score:2)
My passwords are the domain name backwards.
gro.todhsals
Re: (Score:2)
Vacation. (Score:2)
The real story:
You have a good password, that changes every 2 months. It is complex, and the previous password does not look like the current password.
Then you come back from a 2 week vacation and you have only 3 tries to remember your password.
happens way too often.
Re: (Score:2)
Easy - password manager with local access only.
More cumbersome but simple - text file in a truecrypt container with the master password kept in your wallet. Bonus points: you use a combination of your drivers licence number and the type and number of your most used credit card as the master password (that way if you lose your wallet you can still recover your password, but its going to have letters, numbers, and be about 30 characters long).
For the paranoid, a text file stored in a truecrypt container store
Sigh (Score:3)
Write them down. In a notebook. Label what they are the password for.
Store book in safe place and update once a year.
That's how I do it for my employers (large fireproof safe, book sealed so you can't open it without me noticing, etc.) and for myself.
If you get to my safe, get into my safe, get into the book, then it's also game over for every PC in the house anyway, not to mention my Facebook password will be the least of my worries (banking token generators, etc.).
Seriously people, stop repeating the advice to "never write down passwords". Write them all down in one huge book and PUT IT SOMEWHERE VERY VERY VERY SAFE. Then if you die, if you're on holiday and someone needs to log in for whatever reason, if your other half is at home and desperately needs to do something important as you, then you can talk them through getting access or they will know.
If you don't trust them? Lock it in a cheap safe of your own. Worst that happens is that you have to get out the cutting discs to get back into the thing and get your passwords back if you have a case of total amnesia.
Timer / Countdown (Score:2)
I imagine some kind of safe with a time lock on it, set to automatically open if a button "Add One Day/Week/Month/Year" is not pressed for the time interval. Of course, it can also be opened by inputting the pass code at any time. If you forget the pass code, and need access to the contents, all you have to do is wait for it to automatically unlock when the time runs out.
If there is a chance you need the contents at short notice, you lower the time, if you can afford to wait a month, then do so.
Do what I did (Score:5, Funny)
Use a PO Box (Score:5, Interesting)
Go get a small PO Box
Print a master list of passwords each week and mail it to yourself at that PO box
Every 3-6 months go clean out your box except for the most recent and shred them
Keep the key with you at all times.
Why use this over a safety deposit box?
(1) It's a federal felony for someone else to remove or open the letters
(2) You have a list no more than a week old (prior to your death or amnesia) available
(3) If you should die or become incapacitated, your home/mailing address will get a reminder once a year that you HAVE a box, and where it is, by producing ID or appears certifying your death or incapacitation, your attorney or next of kin will get a notification that such a box exists and when they (or you) check to see what mail you've gotten they'll discover your passwords.
Reverse Locker (Score:2)
I'd like to see Google, or Facebook or some other social media style site implement (what I'm calling) a 'Reverse Locker'
The idea is simple. It keeps stuff secret, but *only* if you log in periodically.
As well as solving the problem asked, the uses are more than you might think. For example I'd like to keep some documents safe until my death, at which point I'm happy for them to be made 'public' (such as a Last Will and Testament, or whatever)
Use people you trust (Score:2)
Since your assumption is that you're forgetting things you must assume you'll forget everything, including the fact that you have something to access with a password or the means with which to recover the password. Therefore someone has to come to you with the information without any action from your side, judge that you're enough "yourself" to give you access to your own passwords, and then give the information.
If you do not trust a single person with this information the question becomes:
How can you give
Over-thinking it much? (Score:2)
If your password is all that stands between the forces of chaos and evil and some military-grade secrets or billions of untraceable dollars then I'm sure there are well-documented, probably contractual or even statutory, procedures for ensuring continuity of access should the password-holder be stabbed by a Bulgarian umbrella.
Otherwise, just write the bloody thing down and keep it wherever you put other important documents - if the bad guys get physical access to your computer and paper records, especiall
Envelope and safe deposit box (Score:2)
BioMetrics (Score:2)
Why not just buy a fingerprint reader and use that to secure your password vault?
Sure someone can hack off your hand and get your passwords, but if they're that valuable you shouldn't have a vault to begin with.
Clues printed for my family (Score:2)
I have a sheet of paper hidden in my office on which I've printed a list of clues that reveal portions of my encryption keys. They can only be solved using information only known by close and trustworthy family and friends. It is not entitled and appears fairly obscure without context, but I know they're smart to figure that out.
Alternately, you could go with Cory Doctorow's solution of giving one half of each encryption key to your lawyer and the other half to your significant other. If anything were to
Just call (Score:3)
Dead Man's Switch (Score:4, Interesting)
Write a script with a "dead man's switch." Store passwords in an encrypted file on a secure system. If you don't log on and issue some sort of "wait" command every 30 days or so, then passwords get emailed to an account whose password is stored on a phone. At the time the passwords are issued, it's bloody insecure, but it should work well enough to get into the systems and change the passwords to something else. Not a perfect system, of course. What happens with a 60 day coma? Passwords are accessible for at least 25 of them, but not to you, etc. Existence of the script and encrypted file on an email ready system means there's a vulnerable spot there, too. It's better than nothing, though, and doesn't involve lawyer fees.
PassGuardian, with N of M secret reconstruction. (Score:3)
http://passguardian.com/ [passguardian.com]
This uses Shamir's Secret Sharing [wikipedia.org] algorithm to take your password, and split it into a configurable number of pieces, and requires a subset of those shares to reconstruct the original. Take your master password, split it into 10 shares, and require 5 shares to reconstruct. Then distribute the 10 shares to secure locations and trusted people.
Example:
Password: 12345
Share 1: 801650d0edcbd0c3c949f
Share 2: 802c91a40a532182e3570
Share 3: 803ad177a79bc1420a1de
Any 2 shares can reconstruct the password.
And the site runs entirely in Javascript. You can save it to a USB stick and run it from an offline PC, so you don't have to worry about your password being stolen.
I Use a Password Safe (Score:3)
and have hard copy of the Password in a fireproof safe at home. This way if I'm hit by the bus, struck by Lighting or any other reason, so long as I'm able to function, I can recover all of my passwords.
Hell I've been using a password safe for a decade - started with a freebie from PC Mag called Passes (included the source code) but I've replaced it with Passkeeper due to cross platform support so I haven't written anything but a single PW down in a decade.
Not a new problem, so why the new question? (Score:3)
cognitive disfunction is a thing that's existed for centuries. Amnesia counts. So who's going to care for your children in the event that you don't remember how to make breakfast?
Oh right, you have a will. It can be executed in whole or in part.
Stop pretending that new problems need new solutions. We have old solutions that work damn fine.
Re: (Score:2)
Full disk encryption says hi.
Re: (Score:2)
Full disk encryption says hi.
Software deprecation says hi too: have you ever tried to read a cryptoloop-encrypted volume with a recent Linux kernel? Good luck with that.
Re:Hire a lawyer (Score:5, Insightful)
I'd rather give my password to a russian hacker than to a lawyer. The former is probably more trustworthy...
Re: (Score:3)
I have a master password which i then encode with a simple cypher of adding letters together. e.g. A + B = D.
I then get a sentence from a book/movie etc and essentially add these together:
myveryspecialpasswordisawesome
ALLYOURBASEAREBELONGTOUS
I then just stored the encoded version on a piece of paper around the house for example with a hint? ....?
adsfaudfjuasdfjadsufadsfjadsfdsaf, Air force
F.
The stated problem was: "Amnesia".
You appear to have answered a completely different problem.
Re: (Score:2)
3g Yellow Car - To you that means nothing
I thought it was Google moving into self-driving taxis.
Re: (Score:2)
How do you remember the master password? Let's skip amnesia (which may not be total, but would almost certainly include forgetting a password) and just assume you're dead.
Re: (Score:3)
You might not even remember that you have had a particular account. Or who you are
My mother in-law had a stroke a few years ago had her memory severely damaged. Luckily for my wife the old OCD woman had documented every account, web site, password, recovery word/phrase, and pin. My mother in-law instructed my wife to contact her attorney if anything debilitating occurred since he kept the document at his office and was instructed to give the envelope to my wife in that situation. We adopted the same idea as it seems to be the easiest way to do this and we don't expect our small children