
MattUK
Premium Member
join:2003-03-23
UK

MattUK

Premium Member

Can't Recall Passwords? Write Them Down

Couple of days old, but still...
quote:
Flying in the face of convention, a security expert is now telling users to write down passwords and stick the slip of paper in their wallets.

Such advice flies in the face of long-running counsel to not put passwords on paper. But security guru Bruce Schneier -- who is also the founder and chief technology officer of Counterpane Internet Security -- told users to forget the old advice.

"People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier wrote in his online security newsletter.

"We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper -- in their wallet."

To account for a lost wallet, Schneier urged users to finesse the paper record by writing "bank" rather than the bank's URL, or by omitting a username.

"Writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he said.
»www.informationweek.com/ ··· 66400770

BigCreek
God Is Good.
Premium Member
join:2002-06-25
Heber Springs, AR

BigCreek

Premium Member

Finally! Some sensible advice.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob to MattUK

Premium Member

to MattUK
What I'd like to see is more standardized online password formatting. Some sites allow upper case while others don't, some allow special characters while others don't. Then there are differences in length limits. It would be nice to be able to pick a few good passwords and use the same ones everywhere. That would make it easier to remember them.

stillrockin
@unknown

1 recommendation

stillrockin to MattUK

Anon

to MattUK
What I would do if I was going to write down my password on paper is to come up with a simple code, that way if anyone should find the paper with your passwords, they won't be able to immediately crack them.

I would NEVER write down my passwords on a piece of paper without first using some kind of code, that is if I was going to do this.

For example if your password is 12345, then alternate each character with a false character in between the real one.

real password = 1 2 3 4 5

coded password = 1 d 2 x 3 t 4 y 5

You can make this as intricate as you like. Like putting two false characters in place of the real one and so on. Try going backwards etc...

real password = 1 2 3 4 5

Coded password = 1 t m 2 z k 3 w l 4 r a 5

The above ideas are obviously extremely basic, I'm sure you guys can figure out all kinds of ways to code your passwords to make them harder to crack if anyone should find them. Just make sure you remember the code!
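
The decoy-character scheme from the post above, as an added example that is not part of the original post: it encodes and decodes with a fixed number of filler characters, then lists every reading a finder of the paper gets by assuming some regular spacing, which shows how small the guessing space is. The function names and the choice of lowercase filler characters are assumptions.

```python
import secrets
import string

DECOYS = string.ascii_lowercase  # assumption: filler characters are lowercase letters


def encode(password: str, decoys_per_gap: int = 1) -> str:
    """Insert `decoys_per_gap` random filler characters between the real ones."""
    out = []
    for i, ch in enumerate(password):
        out.append(ch)
        if i < len(password) - 1:
            out.extend(secrets.choice(DECOYS) for _ in range(decoys_per_gap))
    return "".join(out)


def decode(coded: str, decoys_per_gap: int = 1) -> str:
    """Recover the password by keeping every (decoys_per_gap + 1)-th character."""
    return coded[:: decoys_per_gap + 1]


def candidate_readings(coded: str, max_decoys: int = 3) -> set[str]:
    """All readings obtained by assuming a regular stride, any start, either direction."""
    found = set()
    for step in range(1, max_decoys + 2):
        for start in range(step):
            reading = coded[start::step]
            found.add(reading)
            found.add(reading[::-1])  # covers the "try going backwards" variant
    return found


if __name__ == "__main__":
    # The two coded strings from the post, with the spaces removed.
    print(decode("1d2x3t4y5", 1))
    print(decode("1tm2zk3wl4ra5", 2))
    guesses = candidate_readings("1d2x3t4y5")
    # A finder who suspects a regular pattern has only this many strings to try.
    print(len(guesses), "12345" in guesses)
```

The number of candidates grows only with the number of strides tried, not with the password's strength, so the scheme slows down a casual finder rather than someone willing to test a short list.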

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

DannyZ to MattUK

Premium Member

to MattUK
I think those small address books are perfect for passwords as you can organize everything alphabetically. Very handy if you have many different passwords.

Marilla9
I Am My Own Arbiter
Premium Member
join:2002-12-06
Belpre, OH

1 recommendation

Marilla9 to MattUK

Premium Member

to MattUK
I've been doing this for years. Finally, though, I can do it without feeling like I'm some sort of Security Weiner.

Eventually, after using a password a number of times, I remember it. The slip of paper then goes into the same secure location in which I store things like titles and deeds, just in case I happen to forget it someday.

But while it's written down in my wallet, it is simply a string of numbers and letters, with absolutely nothing to connect to it (I never write down anything relevant to anything else that's in my wallet).

I think the type of 'writing down' us security nerds have most to worry about is writing something down on a post-it note, and slapping it on the monitor/desk/bulletin board, etc. Having it in a secure location is a good idea.

Of course, passphrases might make all this talk obsolete, anyway...

Snowy
Lock him up!!!
Premium Member
join:2003-04-05
Kailua, HI

1 recommendation

Snowy to MattUK

Premium Member

to MattUK
I guess it's safe for me to come out of the closet now.
I believe that if my wallet were to fall into the wrong hands the least of my problems would be my slightly finessed online accts info in that wallet. I came to this conclusion after opening my first online acct & had to call customer support to retrieve my PW on my first login attempt. At that point I figured my acct was only as secure as the person I was talking to on the phone. I much prefer the anonymity of an unremarkable login than a human assisted one so I agree for me anyway that a slightly finessed cheat sheet is the safer option for me.

haroldo
join:2004-01-16
USA

haroldo to MattUK

Member

to MattUK
How about a fingerprint reading keyboard or mouse?

JamPony9
Premium Member
join:2004-12-08
Austin, TX

JamPony9 to MattUK

Premium Member

to MattUK
It is good advice. The motivation to avoid losing one's wallet becomes part of the security system.

Instead of the passwords, I write down something that reminds me of what each one is - a sort of private shorthand. Useless to anyone finding it, but all I need. That way physical security of the list is less important.

larryd517, I'm against anything that creates an incentive for thieves to cut off people's fingers or gouge out their eyes. It has happened. »www.theregister.co.uk/20 ··· rc_chop/

Tuulilapsi
Kenosis
join:2002-07-29
Finland

Tuulilapsi to Marilla9

Member

to Marilla9
I definitely agree with Schneier here. I use passwords mostly for protection from remote intrusions. I have other things protecting the local aspect, like me, and my guns. This in mind, I can happily write my passwords down on paper.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR
·Comcast XFINITY
Asus GT-AX6000
Asus RT-AC66U B1

jbob to MattUK

Premium Member

to MattUK
And don't you love it when you're working on someone's computer and you make some changes requiring them to use their password and they say "I don't remember it!" They like to let the computer remember their passwords so they never have to type it in, thus never using it and forgetting what it is.

Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nanaki (banned) to stillrockin

Member

to stillrockin
said by stillrockin:

What I would do if I was going to write down my password on paper is to come up with a simple code, that way if anyone should find the paper with your passwords, they won't be able to immediately crack them.

I would NEVER write down my passwords on a piece of paper without first using some kind of code, that is if I was going to do this.

For example if your password is 12345, then alternate each character with a false character in between the real one.

real password = 1 2 3 4 5

coded password = 1 d 2 x 3 t 4 y 5

You can make this as intricate as you like. Like putting two false characters in place of the real one and so on. Try going backwards etc...

real password = 1 2 3 4 5

Coded password = 1 t m 2 z k 3 w l 4 r a 5

The above ideas are obviously extremely basic, I'm sure you guys can figure out all kinds of ways to code your passwords to make them harder to crack if anyone should find them. Just make sure you remember the code!

Here's a better one:
g59
Starting letter g: g + 5 = l, the next letter gets offset by 9, the next by 5, the next by 9, etc.
So for your gmail password reminder on your paper you'd have
gmail
g59
aol
h92
etc. etc.
Will use a simple one for an example of the weirdness that happens with these passwords:
key a21-cce
Using that example, cce=abc.
You can easily add complexity to the password cipher:
a21z12
or
a21z12m21 etc.
What happens in this is you start with a 2-letter offset: a becomes c, b becomes c, etc. Once you finish a cycle at m21 you begin again.
If you forget your password you can always decipher your key. In my simple example:
a21-cce
All you need to remember is your key and what the key belongs to. Someone else finding your paper would think the password was a21-cce.

old news is good gnu to MattUK

Anon

to MattUK
Wait a sec here - Bruce Schneier isn't the first guy to suggest this. In fact, someone else suggested it a few months back, and it made news because the concept was seemingly a bit controversial. And yet, somehow, this is news again, because Bruce finally "gets it" and jumps on the bandwagon? Please. Original reference here: »news.com.com/Microsoft+s ··· 590.html
61999674 (banned)
Gotta Do What Ya Gotta Do
join:2000-09-02
Here

1 recommendation

61999674 (banned) to MattUK

Member

to MattUK
This is nothing new for me. For years I have kept my passwords (the ones I use most anyway) in my wallet. I also have a small card file box for all of them at home. Passwords in and of themselves are useless.

Bank of America >>> %$cF3@fj8$hF >> go for it.

haroldo
join:2004-01-16
USA

haroldo to MattUK

Member

to MattUK

Re: Can't Recall Passwords? Write Them Down

Easy way to remember a password...pick a song or phrase
"Happy Birthday to you!"
then the password becomes
HBTY!
then add a special day
and it can become "bty!07041776"

Not hard to remember

djtim21
It's all good
Premium Member
join:2003-12-22
Lake Villa, IL

djtim21 to DannyZ

Premium Member

to DannyZ
said by DannyZ:

I think those small address books are perfect for passwords as you can organize everything alphabetically. Very handy if you have many different passwords.

This is exactly what my father does. He has a ton of user names, for various things. He puts the user name and then the password next to it.

It also makes it easier for me to help him with problems, either over the phone or in person.
S S K
join:2005-02-18
Netherlands

S S K to MattUK

Member

to MattUK
I use the "secure" storage my cellphone offers to store the passwords I need when away from home

salzan
Experienced Optimist
Premium Member
join:2004-01-08
WA State

salzan to MattUK

Premium Member

to MattUK
I have a really secure, simple system. Unfortunately, I can't tell you.

jaa
Premium Member
join:2000-06-13

jaa to MattUK

Premium Member

to MattUK
I find a post-it on my monitor works well. Always there for me - I don't have to keep pulling out my wallet.

brydry
...it's meat-cake
join:2004-12-05
Clearwater, FL

brydry to MattUK

Member

to MattUK
I've always had them on paper for easy reference... Jeepers, how is a person supposed to remember them all? Just counted them up, 27 accounts with user name/password, all unique.

Mele20
Premium Member
join:2001-06-05
Hilo, HI

Mele20 to MattUK

Premium Member

to MattUK
I have probably at least 50 passwords. I write them down in a folder and what a hassle to find the right one each time.

Tonight I almost bought the APC Personal Biometric USB POD Fingerprint Reader. I would love it but I'm glad I hesitated. When I got home and researched it, it doesn't support Fx!. UGH.

Teasip
join:2001-05-14
Plano, TX

Teasip to MattUK

Member

to MattUK
PasswordSafe. Simple program, only need to remember one password to access all of them. Keep a copy on a thumb drive attached to your keys.