Ask Slashdot: How To Protect Your Passwords From Amnesia? 381
Phopojijo writes "You can encrypt your password library using a client-side manager or encrypted file container. You could practice your password every day, keep no written record, and do everything else right. You then go in for a serious operation or get in a terrible accident and, when you wake up, suffer severe memory loss. Slashdot readers, what do you consider an acceptable trade-off between proper security and preventing a data-loss catastrophe? I will leave some details and assumptions up to interpretation (budget, whether you have friends or co-workers to rely on, whether your solution will defend against the Government, chance of success, and so forth). For instance, would you split your master password in pieces and pay an attorney to contact you with a piece of it in case of emergency? Would you get a safe deposit box? Some biometric device? Leave the password with your husband, wife, or significant other? What can Slashdot come up with?"
Re:A piece of paper in a drawer (Score:4, Interesting)
A trusted executor is really the way to go here. Store the passwords in an encrypted format and then give the key to a trusted party that will only unseal the encrypted database in the event that you are incapacitated. For added security, split the key into multiple parts and give it to multiple parties. It would probably be best to transport the key in a physical format and make it clear that the importance of the document.
In a work place setting, give the keys to supervisors that are mutually responsible for the systems in question. In a personal setting, give the keys to family members that are trusted. Be sure to provide step-by-step instructions as to how to decrypt your data. If you are so unfortunate to not have trusted family or friends, pay a law firm to administrate this service and act as your executor. For a fee, the law firm can be instructed to only unseal the data in the event that certain standards are met (such as a declaration of incompetence by N medical professionals).
Use mooltipass (Score:5, Interesting)
Re:A piece of paper in a drawer (Score:5, Interesting)
For work-related passwords, my boss has every right to know my passwords if I get sick. So, it makes sense to store them offline (e.g. a piece of paper in a drawer at the secretary's office). The security my passwords then relies on the security guards at the gate...
Your boss does not have "every right" to know your password at work any more than any other employee has a "right" to know it. You are an IT Security person's worst nightmare with that bullshit argument, especially if you have even a fucking hint of how Windows security works, and know damn well that in any emergency, most any member of your IT staff can reset any password upon following proper HR and IT policy, which is your audit trail as well for CYA.
Work passwords pretty much for the most part do NOT need to be stored offline in any way for this very obvious reason, and by relying upon the security guards, you've basically destroyed any point in having any sort of strong password policy.
Like I said, you're an IT Security person's worst nightmare. Knock it off with that shit already, and use common sense.
Use a PO Box (Score:5, Interesting)
Go get a small PO Box
Print a master list of passwords each week and mail it to yourself at that PO box
Every 3-6 months go clean out your box except for the most recent and shred them
Keep the key with you at all times.
Why use this over a safety deposit box?
(1) It's a federal felony for someone else to remove or open the letters
(2) You have a list no more than a week old (prior to your death or amnesia) available
(3) If you should die or become incapacitated, your home/mailing address will get a reminder once a year that you HAVE a box, and where it is, by producing ID or appears certifying your death or incapacitation, your attorney or next of kin will get a notification that such a box exists and when they (or you) check to see what mail you've gotten they'll discover your passwords.
Dead Man's Switch (Score:4, Interesting)
Write a script with a "dead man's switch." Store passwords in an encrypted file on a secure system. If you don't log on and issue some sort of "wait" command every 30 days or so, then passwords get emailed to an account whose password is stored on a phone. At the time the passwords are issued, it's bloody insecure, but it should work well enough to get into the systems and change the passwords to something else. Not a perfect system, of course. What happens with a 60 day coma? Passwords are accessible for at least 25 of them, but not to you, etc. Existence of the script and encrypted file on an email ready system means there's a vulnerable spot there, too. It's better than nothing, though, and doesn't involve lawyer fees.
Re:Secure safe.(Shamir Secret Sharing) (Score:5, Interesting)