
Write Down Your Passwords

Zonk posted more than 9 years ago | from the social-hacking-paradise dept.

Security 633

joeykiller writes "Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."


Pseudo-Written Password (5, Insightful)

fembots (753724) | more than 9 years ago | (#12628013)

Seriously though, instead of writing down the password, why not using what's already written on the hardware?

For example, I'm only reading Slashdot from this particular computer, and I'm using a IBM E94 monitor, and there is this Sellotape dispenser on my desk with 1531 written on it. So my Slashdot password can be easily remembered as IBM!1531@E94#, or simply ibm1531e94 for those systems that cannot accept special characters.

See? it's so easy to remember a long and good password, and nobody's going to find out how many items you use and how you combine them to make up your password.

The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days.

There's a joke about the increasing frequency with which a user is required to change his password nowadays: eventually crackers just need to keep on trying the same password and the system will change to match it.

Re:Pseudo-Written Password (1, Interesting)

Anonymous Coward | more than 9 years ago | (#12628051)

I've guessed numerous passwords with your technique. I hope you were kidding.

Re:Pseudo-Written Password (0)

Anonymous Coward | more than 9 years ago | (#12628066)

Everyone I know at work with a lot of passwords uses (password protected) software (like pins [mirekw.com]) to store all of their passwords...

Re:Pseudo-Written Password (1)

Gilk180 (513755) | more than 9 years ago | (#12628129)

The good password requirement is not helped by the fact that users are also required to change it every xx days, so not only do you need to remember a strange password, you have to remember a different one every couple of days

Yeah, plus having to buy all that new hardware gets expensive!

Username: Frankenvader (-1, Offtopic)

TripMaster_Monky (885678) | more than 9 years ago | (#12628018)

Password: NOOOOOOOooooooo!

So Pen&Paper's the new replacement for Passpor (4, Funny)

team99parody (880782) | more than 9 years ago | (#12628021)

Now we know what's replacing Microsoft Passport [google.com] in Longhorn - pen&paper!

Re:So Pen&Paper's the new replacement for Pass (2, Funny)

coop0030 (263345) | more than 9 years ago | (#12628167)

Maybe it's the new trend.

Maybe pen&paper AD&D will be cool again!

Re:So Pen&Paper's the new replacement for Pass (2, Funny)

DaltonRS (825261) | more than 9 years ago | (#12628179)

And of course, they (M$) will introduce the following security initiative when pen and paper security protocols show evidence of security lapses: White-Out.

Bruce Schneier agrees (5, Interesting)

alanw (1822) | more than 9 years ago | (#12628023)

From Bruce Schneier's Crypto-Gram, May 15 2001 [schneier.com], and then updated in a news.com article, December 9, 2004 [com.com].

You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc. Never reuse a password for something you care about. (It's fine to have a single password for low-security sites, such as for newspaper archive access.) Assume that all PINs can be easily broken and plan accordingly. Never type a password you care about, such as for a bank account, into a non-SSL encrypted page. If your bank makes it possible to do that, complain to them. When they tell you that it is OK, don't believe them; they're wrong.

Re:Bruce Schneier agrees (4, Insightful)

team99parody (880782) | more than 9 years ago | (#12628046)

Seems better to keep the long-hard passwords stored in an encrypted file protected by one good password that you remember.

Re:Bruce Schneier agrees (0, Informative)

Anonymous Coward | more than 9 years ago | (#12628111)

That's what I do. I use a tool that stores passwords encrypted, and I have one very good passphrase I use to decrypt the passwords. Any time I need a password for a Web site, I generate one (32 random letters/numbers) and use that. I don't even know any important passwords, except for the one master passphrase.

Re:Bruce Schneier agrees (2, Informative)

loqi (754476) | more than 9 years ago | (#12628151)

KDE's wallet manager handles this rather nicely.

Re:Bruce Schneier agrees (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12628210)

I store my long-hard password in my pants.

Re:Bruce Schneier agrees (3, Insightful)

l3prador (700532) | more than 9 years ago | (#12628148)

The "guard them as you would your cash" idea sounds good and is good to a certain extent, however, when someone has stolen your cash, you can generally tell it's gone. A password can be stolen without anything being missing.

Re:Bruce Schneier agrees (1)

conteXXt (249905) | more than 9 years ago | (#12628202)

Tape it to your cash.

You'll notice it then amigo.

I have a better idea (0)

Anonymous Coward | more than 9 years ago | (#12628024)

It is safer to post it on here, and be sure to write the username down and what it is used for.

Microsoft hard at work for security (4, Insightful)

yagu (721525) | more than 9 years ago | (#12628025)

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

That would lead me to believe you'd have an environment where any discovered piece of paper on which there is some non-indigenous word written would be a candidate for plugging in as password attempts. This is just plain silly.... passwords written down would be one of the first things a social-engineering hack may try to leverage. I'm not a fan of draconian policies wrapped around impossible rules to manage security, but this "recommendation" flies in the face of reason.

Re:Microsoft hard at work for security (1)

CommieOverlord (234015) | more than 9 years ago | (#12628157)

The solution is encrypt your password list. Say have string that is added to the added to end of every password on list. So, say your list is:

  1. $tret43f
  2. GFH#$V
  3. DSgb45

then you passwords would be $tret43fHELLO, GFH#$VHELLO, and DSgb45HELLO. You get 3 secure passwords but only have to remember one.

Re:Microsoft hard at work for security (0)

Anonymous Coward | more than 9 years ago | (#12628188)

really -- isn't that how they broke into the school's computer and changed their grades in WarGames? The school's secretary had the password on a post-it under the keyboard.

fp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12628027)

first post

Re:fp (0)

Anonymous Coward | more than 9 years ago | (#12628092)

Anonymous Coward writes: first post

Gee, is that your Slashdot password?

I'll buy that piece of paper with some chocolate (1)

me at werk (836328) | more than 9 years ago | (#12628028)

But really, I don't have a problem with this. Why not use one of those password vault type programs which allow users to have a master password to access their other passwords?

My password vault happens to be Firefox, though.

Re:I'll buy that piece of paper with some chocolat (2, Funny)

Fulcrum of Evil (560260) | more than 9 years ago | (#12628075)

My password vault happens to be Firefox, though.

How do you get your passwords out?

Re:I'll buy that piece of paper with some chocolat (1)

thegamerformelyknown (868463) | more than 9 years ago | (#12628109)

My friend has something like this, but a little more secure. For about $80 CAD, you can get one just like his. What is it? A fingerprint scanner.

When he has a login anywhere, instead of Firefox typing it on pageload, he just pushes his finger onto the pad. Chances of someone faking his hand?
Let's just say low.

Re:I'll buy that piece of paper with some chocolat (4, Interesting)

nacturation (646836) | more than 9 years ago | (#12628211)

Of course, there's Schneier's Password Safe, which is now a SourceForge project. See: http://www.schneier.com/passsafe.html [schneier.com]. Works for me... I carry the encrypted file around on USB flash and who cares if I lose it... barring quantum computers, nobody's going to be breaking it within my lifetime.

And I'll keep it under my keyboard... (2, Funny)

beorach (682576) | more than 9 years ago | (#12628029)

with my bank name and account number next to it..

Re:And I'll keep it under my keyboard... (3, Insightful)

nukem996 (624036) | more than 9 years ago | (#12628076)

You'd be surprised about how many people do that.

Re:And I'll keep it under my keyboard... (5, Funny)

dodald (195775) | more than 9 years ago | (#12628084)

I have a single post it note under my keyboard that reads "9uL1i613".

Ok. (4, Funny)

cmburns69 (169686) | more than 9 years ago | (#12628030)

Ok, here they are:

Slashdot password: 12345
Personal site password: 12345
Bank account password: 12345

Now my password is even more secure! Yay!

Wow... (5, Funny)

MrByte420 (554317) | more than 9 years ago | (#12628056)

I've got the same combination on my luggage!
(sorry sorry sorry!)

Re:Ok. (2, Funny)

fembots (753724) | more than 9 years ago | (#12628074)

Now my password is even more secure!

So true, by open-sourcing your password, you don't need to worry about security anymore.

Lift Keyboard (0)

Anonymous Coward | more than 9 years ago | (#12628036)

Thats where I find most cubicle passwords written down.

Hey a good pass phrase from this (1)

FerretFrottage (714136) | more than 9 years ago | (#12628037)

M$SWDYPW

Maybe they have something here.
Now nobody else use it, and promise to forget it after reading this post. Thanks.

Now EVERYONE knows my password! (1)

WillAffleckUW (858324) | more than 9 years ago | (#12628039)

Dang, why did that MSFT guy have to spill the beans!

It's 1337 44xx0A ...

finally someone giving me the green light... (1)

edrugtrader (442064) | more than 9 years ago | (#12628043)

my password for slashdot is "lasertag123"...

Passwords suck: simple solution: (0, Troll)

t_allardyce (48447) | more than 9 years ago | (#12628049)

This is why we need to drop the outdated idea of passwords as soon as possible and start using fingerprint scans, the only way someone can steal your finger print is by lifting it from something you've touched or putting a gun to your head, or cutting your finger off, and that's all in the realm of science fiction and left wing propaganda...

Re:Passwords suck: simple solution: (1)

MankyD (567984) | more than 9 years ago | (#12628099)

Left Wing Propaganda ahoy [www.ccc.de]! Honestly, while I like your idea, I'm not convinced fingerprints are the best solution.

Re:Passwords suck: simple solution: (1)

axonal (732578) | more than 9 years ago | (#12628122)

Or the realm of Wendy's Chili Bowls.

Re:Passwords suck: simple solution: (1)

iCEBaLM (34905) | more than 9 years ago | (#12628143)

Or find it in a bowl of chili.

Re:Passwords suck: simple solution: (2, Informative)

bmongar (230600) | more than 9 years ago | (#12628174)

Though they can't steal your fingerprint they can steal your fingerprint metric. It all becomes bits at some point and if they have those bits they can bypass having your finger.

Re:Passwords suck: simple solution: (5, Interesting)

cmburns69 (169686) | more than 9 years ago | (#12628183)

The problem with this suggestion is that if your fingerprint (or some other bio-metric info) is stolen or duplicated, you can't change it. How would you like a genius hacker to have permanent access to all of your data for life?

With a password, at least you can change it if it is compromised.

Authentication methods can all be broken down into the following categories:
1) Something you know (such as a password).
2) Something you have (such as a keycard).
3) Something you are (such as a fingerprint).

High security requires 2 or 3 of these things. However, most things are good enough with only 1 of the three.

Re:Passwords suck: simple solution: (1)

xv4n (639231) | more than 9 years ago | (#12628193)

...we need to drop the outdated idea of passwords as soon as possible and start using fingerprint scans, the only way someone can steal your finger print is by lifting it from something you've touched or putting a gun to your head, or cutting your finger off...

You've just stated the very reason why passwords will stay with us for decades. The main advantage of passwords is they are stored where nobody else can read them -- our minds.

Re:Passwords suck: simple solution: (2, Funny)

xAXISx (855579) | more than 9 years ago | (#12628221)

You misspelled right wing scare tactic.

One Word: (5, Funny)

DrunkenTerror (561616) | more than 9 years ago | (#12628054)

Tattoos.

Re:One Word: (5, Funny)

Durinthal (791855) | more than 9 years ago | (#12628215)

Particularly in a private region. That way no geek would ever have to worry about someone else seeing it!

Riddle Me This (3, Insightful)

the0ther (720331) | more than 9 years ago | (#12628059)

We use physical keys to start our cars and to unlock our homes. Why don't we handle this stuff by using a similar strategy. Say a USB dongle that you need to start your computer? I've seen a few implementations of this theme, and I even believe MS threatened to do just this. Is this because the regular (l)users out there want their computer to work like their toaster does?

not the ... (0)

Anonymous Coward | more than 9 years ago | (#12628062)

While it's not the best idea, it is what I do. I pick ungodly long and hash-like passwords, write them down and guard them with my life. After a while I do end up remembering them. The paper is a safeguard against forgetting them and being locked out of my accounts.

Passwords are useless. (1)

Beardo the Bearded (321478) | more than 9 years ago | (#12628063)

When you've got a brute-force computer that can guess every possible password you can type in (or will type in), there's not much point to having them, is there?

I have one password for all my low-level stuff (web logins, email, etc.) and one for my banking.

I have never changed them.

Re:Passwords are useless. (1)

14erCleaner (745600) | more than 9 years ago | (#12628197)

I have one password for all my low-level stuff (web logins, email, etc.) and one for my banking.

Have you written it down anywhere? If not, post it here and we'll remember it for you.

Really? (2, Interesting)

aftk2 (556992) | more than 9 years ago | (#12628064)

What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

Maybe it's because people really just don't think they're that important. It'll probably take serious problems to change people's minds (like a theft of identity, or fraudulent charges, etc...)

And while we're on the subject of passwords, can we please get rid of those "change your passwords EVERY THIRTY DAYS!" systems? God...those have probably done more to propagate the phenomenon of writing passwords down than anything else.

The Downside of One Really Strong Password (TM) (1, Insightful)

Anonymous Coward | more than 9 years ago | (#12628128)

One Really Bad Mistake (TM) will hurt you a lot more than it would with multiple passwords. I'm careful, I'm sure a lot of slashdotters are careful, but every once in a while someone is going to make a mistake. If it's one password for one place, it's possible to fix that. If it's the same password everywhere that becomes more difficult.

Re:Really? (1)

pLnCrZy (583109) | more than 9 years ago | (#12628192)

>What would be the problem with using one really strong password everywhere?

You are kidding, right?

Re:Really? (2, Insightful)

vidarlo (134906) | more than 9 years ago | (#12628195)

What would be the problem with using one really strong password everywhere? Rather than many strong (or semi-strong) passwords that have to be written down, or one really weak password? Why wouldn't a person choose one good password, and only one, and keep it?

Because ONE security breach would compromise all services? Yes, that sounds right. Also a single malicious administrator could empty your bank accounts, take your ID, book a few flights and so on?

Do you trust the admins of slashdot enough? There have been breaches in the past; there will be in the future.

Re:Really? (3, Interesting)

Nugget (7382) | more than 9 years ago | (#12628196)

If you use the same password everywhere then CmdrTaco can log in to your bank account.

Login credentials are often stored unencrypted on the server side, leaving your password open for compromise by any legitimate admin of that site or anyone who manages to hack into it.

Do you want to trust your single password that you use to all sites to the least secure of all the crappy web boards you've got an account on?

he's not the first (1)

wintermute1000 (731750) | more than 9 years ago | (#12628065)

Bruce Schneier also advocates this method on his website. I don't remember where the article is exactly (read it a little while ago) but he said basically to write them down and keep them where you keep your cash - and protect them as vigilantly. I don't think that was quite complete, myself; if I have $5 cash, I'm not going to try to prevent people from seeing it the way I'd be sure to guard a sheet of passwords from an errant camera.

My suggestion? Pretend that the passwords are a $500 bill and you're in a bad neighborhood.

I keep meaning to do this, but changing passwords is such a hassle...

Anyone with 5 digits in their UID has a solution (0)

Anonymous Coward | more than 9 years ago | (#12628071)

Just use your slashdot UID!

Re:Anyone with 5 digits in their UID has a solutio (1)

zCyl (14362) | more than 9 years ago | (#12628164)

And so begin the "my UID is smaller than your UID" posts...

Makes perfect sense (2, Interesting)

Audent (35893) | more than 9 years ago | (#12628072)

If someone's hacking in from outside you want as good a password as possible... That's my fear, not someone sitting at my desk and logging on as me.

Peter Gutmann said the same thing: you fear the hacker, not the guy stealing your PC.

http://computerworld.co.nz/news.nsf/nl/3F25D67E47980786CC256E6C007EE7D2 [computerworld.co.nz]

Re:Makes perfect sense (1, Informative)

Anonymous Coward | more than 9 years ago | (#12628142)

In my last workplace someone (probably a janitor) stole checks from people's desks.

A lot of hacking is internal. If you're in a company bigger than a dozen people or so, you're at risk.

Problem is portability (2, Informative)

seanscottrogers (565312) | more than 9 years ago | (#12628081)

Writing down passwords and storing them in a secure location isn't the issue, it is portability. Most passwords these days need to go with you wherever you are, at home, the office, on travel. If your password is too complicated to remember, then it would have to be stored somewhere on your person. That's the security risk.

Reliance on Physical security has merit.. (1)

IanDanforth (753892) | more than 9 years ago | (#12628083)

If you have a card in your wallet/purse with no identifying information on it, but on which is written your complicated password, this is an effective tool for password protection which I have recommended to friends for years.

However, this only applies to non-home computer security. At home users will invariably store passwords for websites and bank accounts and leave their computers unlocked and easily compromised.

So... if you are trying to protect the use of a password in a public place, and deter remote access to your information through guess-hacking this is a good system.

-Ian

Physical security only has SOME use (1)

WillAffleckUW (858324) | more than 9 years ago | (#12628194)

However, this only applies to non-home computer security. At home users will invariably store passwords for websites and bank accounts and leave their computers unlocked and easily compromised.

Or use unsecured default password WiFi thus making it all a waste of time. 90 percent of all WiFi-capable laptops are insecure.

I give them chocolate, it makes the laptops feel better about themselves ... and more mentally secure.

Mordac (1)

neomiasma (639496) | more than 9 years ago | (#12628088)

Mordac [www.smat.us] isn't going to like this.

Inscribe it on your thumb (1)

WillAffleckUW (858324) | more than 9 years ago | (#12628089)

then they'll take it when they chop off your hand and pry out your eye to get thru the security station just like they've already done in Hong Kong.

Seriously, most passwords are fairly easy to guess. Making them too hard defeats the human engram, forcing people to write them down somewhere.

You can get 99 percent of the possible security with only 1 percent of the effort by choosing a system that's not easily hackable and not based on the typical password schemes anyway ...

The problem with users is... (1)

MrByte420 (554317) | more than 9 years ago | (#12628097)

they think that it's hard to remember an alphanumeric password with upper/lower case, but the reality of the situation is that if you write it down, you'll use it for a few weeks but after a while, just by rote repetition, it's in there and no longer an issue. When I get a new job, I create some weird ass password, hide a sticky note with the hint somewhere for a few days, and then when I've got it straight, to the shredder it goes...

Secure your passwords (5, Insightful)

kjfitz (256432) | more than 9 years ago | (#12628098)

I've never understood the whole "don't write down your password" warning. I carry a wallet full of credit card numbers that I probably care just as much to keep private. Those numbers are "written down."

What has to be done is make sure users are educated to PROTECT their passwords. The problem comes when the password is stored on a post-it note under the keyboard.

Common sense...

BTW, I always add a stray character at the beginning of my passwords when I write them down so even if someone gets the paper I wrote them down on they won't know my password.

So, I'm probably not typical, but... (3, Interesting)

IANAAC (692242) | more than 9 years ago | (#12628100)

I use a password app on my PDA (a Zaurus), but most people have cell phones. There must be a little java applet around that does the same thing. If not, there's a great opportunity there, I would think.

It's probably better... (1)

Sheetrock (152993) | more than 9 years ago | (#12628103)

To use some bit of knowledge you have rather than writing down something obscure on a piece of paper that you can lose.

For example, your password could be your birthdate, or favorite football team, or even the year you graduated from high school. Or all three if a longer password is necessary. It's fairly easy to learn to enter this information backwards as well, for further obfuscation, without making it harder to remember.

Gone are the days when you can leave the password blank or simply use your login name again and expect any level of security. Hackers eat that stuff up. But if you protect your account better than the rest it's more likely they'll move on to some other schmoe who isn't as hip to security as you are.

CFS storage of passwords (1)

zCyl (14362) | more than 9 years ago | (#12628106)

If you have a secure system somewhere, you can use CFS [crypto.com], an encrypted filesystem, to store your passwords for various other systems. Then you can memorize a good password for the CFS system, and refer to it if you forget the password you're using for some other system.

This is fairly secure as long as the system CFS is accessed from is not compromised with a key logger. It has the advantages of paper, but with the capability of accessing it from remote with ssh. It also has the bonus of being harder to lose and easier to back up than a bunch of paper, and the backups of CFS are unreadable without the password, unlike extra paper copies.

Who do you trust more? (1)

Ride Jib (879374) | more than 9 years ago | (#12628107)

Seriously, it just comes down to who you trust more.... people with access to your work area (where password would be written), or potential hackers. If you trust the people you work with (or your family members, for those at home) then what is the problem with writing down your pass? I know my dad has every one of his passwords written on the monitor itself on his home pc.

Uhhh Negative (1)

Albinofrenchy (844079) | more than 9 years ago | (#12628112)

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.


I agree with writing it down, but storing passwords on your computer, even encrypted, is horrible.

Switch between passwords (1)

coop0030 (263345) | more than 9 years ago | (#12628116)

I typically like to use about 3-4 passwords that I rotate between sites, with different usernames. If I forget one of the passwords, I can usually guess it on the second try.

My passwords are at least 6 letters, and 6 digits. Hopefully, that is secure enough.

IF they protect the paper... (1)

slusich (684826) | more than 9 years ago | (#12628118)

which we all know they won't. Most of the time we find them on a post-it note stuck to the monitor. The really sharp ones tape it under the keyboard. The best one I've seen was a guy who kept his taped under his monitor. He'd actually lift this bulky CRT every time he needed to login.

This works for me (0)

Anonymous Coward | more than 9 years ago | (#12628130)

PEN15 as a password.

What? (1)

Macgyveric (879573) | more than 9 years ago | (#12628131)

Are you telling me we aren't supposed to use HHKJK-D4FWY-34B2D-RB7K2-C2QVJ for all of our passwords?

True story (3, Funny)

HaeMaker (221642) | more than 9 years ago | (#12628136)

I'm a SysAdmin and at one place I worked, I noticed someone had written 'aaaaa' on their monitor. They weren't at their desk at the time, so I sat down, hit ctrl-alt-del and typed 'aaaaa' into the password field...

MS Security Through Clarity? (1)

Eberlin (570874) | more than 9 years ago | (#12628138)

Let's get this straight -- writing down passwords is a bad thing. Remembering passwords isn't that difficult in the end if you use a proper scheme. A securityfocus article suggests creating an acronym from the first line of a song. Makes enough sense. Add a bit of 1337 to it by changing some letters to numbers and you can be a bit safer.

Now on the other hand, if you wrote down some sort of hash to a password that you mentally decode to create the REAL password, then it may not be so bad. Still gives someone a place to start, though. In most cases, though, having a physical record of a password just screams "BAD IDEA!"

It actually makes some sense... (1)

sterno (16320) | more than 9 years ago | (#12628146)

Today, the greater threat to users is having their password stolen somewhere in the network. The number of passwords stolen by actually going up to somebody's desk and reading it is much lower in comparison.

The advantage of this is that you can use relatively obscure and complex passwords because you don't actually have to burn brain cells to keep track of them.

This makes perfect sense. (1)

Daniel Baumgarten (645894) | more than 9 years ago | (#12628149)

I like how Slashdot is listening to Microsoft for security advice.

Re:This makes perfect sense. (1)

The Bungi (221687) | more than 9 years ago | (#12628216)

Very funny! I suppose it's better than listening to themselves though.

Or they could maybe listen to Bruce Schneier, who says essentially the same thing in a recent article I saw on news.com (IIRC).

Or they could buy an input device with a built-in fingerprint scanner [microsoft.com].

In short, they could do many things. Instead of making snide remarks about topics they really don't understand, even though they think they do.

It's what master password is for (1)

microbee (682094) | more than 9 years ago | (#12628150)

I personally keep all my passwords in an Excel spreadsheet and protect it with a master password. As you say there is nothing wrong with that. Unfortunately, I end up still using the same set of passwords (about 5) anyway. :)

Exactly right. . . (5, Funny)

Sialagogue (246874) | more than 9 years ago | (#12628153)


This is the exact reason that I write all my passwords on post-it notes and stick them to my monitor.

I have a 21-inch tube monitor and it weighs like 80 pounds, so nobody could even get it out the door much less steal it, so my passwords are going nowhere.

Write down part, memorize part (0)

Anonymous Coward | more than 9 years ago | (#12628156)

There's a useful security-through-obscurity technique here: use a small set of easily-remembered prefixes or suffixes on all your passwords, and write down the part that varies.

For example, always prefix your password with your dog's name, so one account uses "FidoBlargh" and another uses "FidoAnakin", but write down only the "Blargh" and "Anakin" parts.
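Both this post and CommieOverlord's "add HELLO to every entry" suggestion earlier in the thread rely on plain concatenation, so one site password leaked in the clear (the risk Nugget raises) hands over the memorized part for every other entry on the card. The Python below is an added example, not code from any commenter, contrasting that concatenation with deriving each site password from the memorized secret and the written fragment through PBKDF2, so that neither the card nor a leaked password exposes the other half; the secret, fragments and site labels are constructed sample values.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional

# Constructed sample values (not from the thread): the memorized part and the
# per-site fragments that would be written on a card kept in a wallet.
MEMORIZED_SECRET = "HELLO"
PAPER_CARD = {
    "slashdot": "$tret43f",
    "bank": "GFH#$V",
    "webmail": "DSgb45",
}


def naive_password(fragment: str, secret: str) -> str:
    """The thread's scheme: written fragment followed by the memorized suffix."""
    return fragment + secret


def secret_exposed_by_leak(leaked_password: str, fragment: str) -> Optional[str]:
    """Risk check for the naive scheme: once one site leaks a password in the
    clear, anyone who also sees the card gets the memorized part by stripping
    the fragment, and with it every other entry on the card."""
    if leaked_password.startswith(fragment):
        return leaked_password[len(fragment):]
    return None


def derived_password(fragment: str, secret: str, site: str,
                     length: int = 20, iterations: int = 200_000) -> str:
    """Mix the memorized secret, the written fragment and the site label with
    PBKDF2-HMAC-SHA256. The output is what gets typed at the site; a leaked
    output does not reveal the secret, and the card alone is useless."""
    salt = f"{site}:{fragment}".encode()
    key = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=30)
    # 30 bytes -> 40 base64url characters with no padding; keep the first `length`
    return base64.urlsafe_b64encode(key).decode()[:length]


def new_card_fragment(nbytes: int = 9) -> str:
    """Random fragment to write on the card when an account is added."""
    return secrets.token_urlsafe(nbytes)


def all_site_passwords(card: Dict[str, str], secret: str) -> Dict[str, str]:
    """Derive the full set from the card so no derived output is ever stored."""
    return {site: derived_password(frag, secret, site) for site, frag in card.items()}


if __name__ == "__main__":
    leaked = naive_password(PAPER_CARD["slashdot"], MEMORIZED_SECRET)
    print("naive scheme leaks secret:", secret_exposed_by_leak(leaked, PAPER_CARD["slashdot"]))
    for site, pw in all_site_passwords(PAPER_CARD, MEMORIZED_SECRET).items():
        print(f"{site:9s} {pw}")
```

Changing the memorized secret after a leak re-keys every site password at once, while the card itself can stay as it is.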

That makes sense (1)

RayDude (798709) | more than 9 years ago | (#12628160)

Write them all down and keep them next to your Mastercard. Pretty much the same security mechanism.

The problem is: what if your wallet is stolen, its one call to cancel the Mastercard, but how are you going to change all those damn passwords? Especially if you don't remember any of them.

Maybe writing them down and locking them in a safe is better. Or maybe keep the master list in your wallet and a copy in a safe so that if its stolen you can log in and change them all before the thief realizes what he has.

Raydude

I just use Gnu Keyring on my Tungsten (1)

StressGuy (472374) | more than 9 years ago | (#12628161)

Remember one password to access the program, and encrypt my more critical ones as strong as I need to.

Fixing the wrong problem (1)

np_bernstein (453840) | more than 9 years ago | (#12628168)

That's the solution to the wrong problem. The problem is those systems allowing the users to use bad passwords. If your authentication program expires passwords once every six months or so and requires non-dictionary-based passwords and a combination of letters and special chars. And hard passwords to crack aren't necessarily hard passwords to remember. Especially if you use some type of memory assistance, like a sentence:

"I have three dogs: elmo, burt and erney"
Password: "1h3dgs:E,B&E."

The point is that system administrators should be actively sending out emails and talking to users who might have a problem with this, not disregarding important aspects of their jobs, like educating users as to a very important piece of their security.

Keepass (1)

DarkHelmet (120004) | more than 9 years ago | (#12628169)

http://keepass.sourceforge.net/ [sourceforge.net]

I can't reiterate this enough.

A program like this with the database stored on a keydrive is ideal: your passwords can be as long as you like, cryptographically secure, and be different for all sites.

Well, both are poor choices (1)

Jugalator (259273) | more than 9 years ago | (#12628175)

Neither writing down your password nor picking a simple password is clever, so I don't see why he even discusses this?
Like saying you should really try to start smoking sometime because it's worse to use heroin.

I think a good way to come up with non-dictionary passwords while keeping them reasonably easy to remember is to take the first letter in a sentence and somehow mix it up with numbers. Like "I Am A Geek And Like Slashdot" would become "iaagals". Then add some number from your social security number or something to make it truly alphanumeric and voila.

There are numerous other ways, and if I have to use a password somewhere, I really prefer to pick my own. If it's randomized and forced on me by some admin for "maximum security", I'm almost guaranteed to write it down somewhere. Instead I'd prefer said admin to run my personally made password through an extensive dictionary to ensure it's not simply an easy victim for a dictionary attack, and maybe also check it's alphanumeric. I really dislike those enforced passwords like "3zq@q!02". Gee, thanks, let me get a pen and paper. :-p

Common passwords... (1)

creimer (824291) | more than 9 years ago | (#12628181)

The most common passwords I have seen at different companies were HOCKEY (unix/linux machines, why I don't know) and YOUSUCK (windows machines, surprising isn't it). And, we can't forget this one, it's everywhere (especially for email accounts): PASSWORD.

wrong attitude, wrong solution (1)

hherb (229558) | more than 9 years ago | (#12628184)

When we start writing down passwords, we compromise them. Obviously.
Instead, we should learn how to algorithmically generate good passwords ourselves, so that we don't need to memorize a complex character sequence, but just the way how to generate it.

Example: I take the second and fifth letter of the name of the site I want to log in to, which I use as an index to a poem, movie or book name I know, of which I take in turn letters and numbers ...

While this process sounds complex, once you get used to "your" algorithm you don't even have to think much about it any more. That way, I am now using up to 48 quality passwords (long, mixed capitalization, including punctuation, interspersed numbers) without having any trouble at all remembering them.

Password Safe is the answer (5, Informative)

windowpain (211052) | more than 9 years ago | (#12628185)

It's by crypto genius Bruce Schneier, it uses Blowfish, it's open source and if you want that extra measure of security you can compile it yourself. It's for Windows but there are Unix/Linux versions too.

Password Safe [schneier.com]

Yep, like what's happening at Gmail (1)

Snaller (147050) | more than 9 years ago | (#12628186)

Since the jerks at google tell the browser not to remember the password (autocomplete="off"), I've picked a really simple password.
(No, I don't want them to remember it a couple of days)

I've always written my passwords . . . (1)

ndansmith (582590) | more than 9 years ago | (#12628189)

. . . on a Post-It note on my monitor.

Hold on a second..... (1)

The Green Skeleton (724532) | more than 9 years ago | (#12628200)

Controversial ideas on security from a Microsoft employee?
That we're taking seriously?
Did I miss something?

Keychain Access on Mac (1)

SYFer (617415) | more than 9 years ago | (#12628203)

Mac users have a very powerful tool for password management in the Keychain Access [macworld.com] program (which many users pay little attention to). You can store many strong passwords then remember one strong password to unlock and use them all. Additionally, when Keychain Access is locked, you can store the various password files it creates on a server (or on a flash drive) with peace of mind because it's DES encrypted. Note also that you can now sync Keychain Access via .Mac.

I've taught some of my friends to memorize one strong password, then use it to unlock Keychain Access which will simplify the process of assigning separate strong passwords for each account, server, etc. (or at least as strong as each scenario will allow). Because I often also need to access passwords from a PC, I also keep a short spreadsheet of "vital" passwords on the flash drive as well and I encrypt that with Kremlin [kremlinencrypt.com] (which is cross platform).

Use hashes and/or passphrases (1)

MobyDisk (75490) | more than 9 years ago | (#12628205)

This has come up on many Slashdot comments and people seem to gloss over it. Both are simple ways to eliminate the problem. Why must all these pundits come out and announce how useless passwords are, or how dumb users are, while ignoring real solutions?

1) Passphrases: "I hate Joe Smith because he stole my ex-girlfriend, Soandso, then ran over my dog..."
It is amazing the number of systems with dumb limitations like 6 or 8 characters, or no symbols. Fix those, then people can use pass phrases and security is good again.
2) Hashes: "SIl1alsuhvd3oEtlmo"
That is the name of the site you are logging into ("Slashdot") + a single passphrase used for all passwords (I used "I luv Elmo") hashed together. I just interleave the letters and replace spaces with the number of characters in the preceding word.

That is very secure and easy to remember. Years later I still can log in to places I've totally forgotten about. Show people these techniques and the problems go away.
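The interleaving scheme in the comment above, written out as an added Python example (not the commenter's code): encode the shared phrase by replacing each space with the length of the word before it, then alternate the site name's characters with the encoded phrase, which reproduces the "SIl1alsuhvd3oEtlmo" string quoted in the post. The recover function is added to show the caveat a reviewer would raise: this is a fixed, reversible transform rather than a hash, so one leaked password plus its site name yields the master phrase, and from it every other password. The "Gmail" site name is a constructed input.

```python
from itertools import zip_longest


def encode_phrase(phrase: str) -> str:
    """Replace each space with the length of the preceding word.

    "I luv Elmo" -> "I1luv3Elmo"
    """
    words = phrase.split()
    parts = [words[0]]
    for prev, cur in zip(words, words[1:]):
        parts.append(str(len(prev)))
        parts.append(cur)
    return "".join(parts)


def interleave(a: str, b: str) -> str:
    """Alternate characters of a and b; the longer string's tail is appended."""
    return "".join(x + y for x, y in zip_longest(a, b, fillvalue=""))


def derive_password(site: str, phrase: str) -> str:
    """Site-specific password: site name interleaved with the encoded phrase."""
    return interleave(site, encode_phrase(phrase))


def recover_encoded_phrase(site: str, password: str) -> str:
    """Undo derive_password given the site name and one derived password.

    Assumes the encoded phrase is at least as long as the site name, so the
    site letters occupy the even positions of the first 2*len(site) chars.
    Raises ValueError if the password was not built from this site name.
    """
    n = len(site)
    head, tail = password[:2 * n], password[2 * n:]
    if head[0::2] != site:
        raise ValueError("password does not embed this site name")
    return head[1::2] + tail


if __name__ == "__main__":
    pw = derive_password("Slashdot", "I luv Elmo")
    print(pw)  # SIl1alsuhvd3oEtlmo, the string given in the post
    # One leaked password is enough to get the encoded master phrase back ...
    secret = recover_encoded_phrase("Slashdot", pw)
    # ... and from it every other password built the same way (constructed site).
    print(interleave("Gmail", secret))
```

The recovery step is the point for anyone who finds one of these in a breach dump: the site name is public, the transform has no key, so the phrase comes out in one line of string slicing.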

acronym (1)

mohrt (72095) | more than 9 years ago | (#12628208)

Just use an acronym. example:

il1k2b1k!

"I like to bike."

Just use shortened words, make substitutions like i=1, s=$, etc., and maybe an oddball character or two like the exclamation point.

It looks difficult, but once you make up a password in this fashion and use it a couple times, it becomes automatic to remember. It's much easier than having to memorize a whole random string of meaningless characters.

I write mine down (1)

i_should_be_working (720372) | more than 9 years ago | (#12628209)

At the bottom of my desk drawer. But I encrypt them with a method I'll never forget. As long as no one else figures it out I can write them down and change them frequently if needed.

When I have enough money to make it worth the effort to steal it, maybe I'll get a better system. But even as it is I don't see how someone could figure out my system.

Simple Fix (1)

Irish_Samurai (224931) | more than 9 years ago | (#12628213)

I happen to use really easy phrases and terms so that I can remember what my passwords are.

I then have a numeric category for all the sites and apps that I use. Ex: Bank = 5, Email = 6, etc.

I then ROT# the term where # = the category the password is in. Voila!

It's worked for me.
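The category-rotation scheme above as an added Python example (not the commenter's code): a Caesar shift of a memorable phrase by the category number. The category table and the sample phrase "hockey" are constructed inputs. The crack function is added for the caveat: a rotation has only 26 possible keys, so anyone holding one password who guesses that the base is an ordinary word gets back both the phrase and the category number in a single loop.

```python
import string
from typing import Iterable, Optional, Tuple

# Constructed category table in the spirit of the post (Bank = 5, Email = 6, ...).
CATEGORIES = {"bank": 5, "email": 6, "forum": 7}

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase


def rot(text: str, shift: int) -> str:
    """Caesar-rotate letters by `shift` (mod 26); other characters pass through."""
    out = []
    for ch in text:
        if ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        elif ch in UPPER:
            out.append(UPPER[(UPPER.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def category_password(phrase: str, category: str) -> str:
    """ROT the phrase by the number assigned to the site's category."""
    return rot(phrase, CATEGORIES[category])


def crack_rot(password: str, wordlist: Iterable[str]) -> Optional[Tuple[int, str]]:
    """Try all 26 shifts; return (shift, phrase) for the first hit in wordlist."""
    words = set(wordlist)
    for shift in range(26):
        candidate = rot(password, -shift)
        if candidate in words:
            return shift, candidate
    return None


if __name__ == "__main__":
    bank_pw = category_password("hockey", "bank")
    print(bank_pw)  # mthpjd
    # Constructed wordlist; the common passwords named elsewhere in this thread
    # are exactly the kind of base phrase this scheme is built on.
    print(crack_rot(bank_pw, ["hockey", "yousuck", "password"]))  # (5, 'hockey')
```

Once the shift and phrase are known, every other category password is one call to rot() away, which is the difference between a per-site secret and a per-site label.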

My personal favourite password (0)

Anonymous Coward | more than 9 years ago | (#12628220)

wtfisit2u