[Geeks are Sexy] technology news

Tuesday, October 24, 2006

Security Heresy: Write Down Your Password

I keep telling my users to choose strong, easy-to-remember passwords, and never, ever to write them down. Why do I say this? Because today, while reading Watchguard Wire, I stumbled on an article pointing to someone with a different point of view on the whole "keep your password secure" business. And I hate to admit it, but he does score some points with his arguments. Only a few, though.

You've got thousands of dollars worth of stuff in your pockets, or your purse. Seriously. You're carrying keys to your eight-year-old Honda, which is worth about $5,000. Your credit cards could bring in thousands of dollars for a crook. You're carrying the keys to the house where your family sleeps. It's hard to put a price on that. Do any of your passwords really need more security than your pocket provides? (Source: The Security Mentor)

The points that Frederick makes in his post are mostly right. Writing a strong password on a piece of paper and sticking it in your wallet is a good way of keeping it secure, but I see one problem with this: human nature. Some people will never forget to put their little piece of paper back in their wallet, but a good proportion of them will regularly leave it on their desk for a few days, for all to see. After a while, the 'reminder' will simply return to its old spot under the keyboard, where the user kept it before having the brilliant idea of putting it in his wallet.

To my mind, there's really only one way to truly secure a system: implement a two-factor authentication scheme.

An authentication "factor" is one of these three fundamental things:

  • Something you have (e.g., a smart card or a secure ID token)
  • Something you know (e.g., a user ID and a password)
  • Something you are (e.g., a fingerprint or the tone of a voice)

So there you are. By combining two or more of these factors, you create an authentication scheme that negates most of the security risks associated with simple, conventional passwords. Even if someone writes his password down on a piece of paper and that paper falls into the hands of an evil black-hat hacker, the password itself is of little use to the attacker if he doesn't also possess the other authentication factor(s).
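To make the two-factor argument concrete, here is an added example (my own illustration, not code from this post, from WatchGuard, or from The Security Mentor) of a login check that requires both a stored password hash (something you know) and a time-based one-time code from a token (something you have). The TOTP routine follows RFC 6238 over HMAC-SHA1; the secret `RFC_TEST_SECRET` is the published RFC 4226/6238 test vector, used only so the output is reproducible, and the user record, password and `authenticate` function are constructed for the demo. The point it shows is the one made above: a password copied off a slip of paper fails the check unless the attacker also holds the token.

```python
"""Two-factor login check: a password (something you know) plus a TOTP code
(something you have). Added illustration, not code from the post or WatchGuard."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional

PBKDF2_ROUNDS = 200_000   # work factor for the stored password hash
TOTP_STEP = 30            # seconds per one-time-code window (RFC 6238 default)

# Known RFC 4226 / RFC 6238 test secret, used only so the demo is reproducible.
RFC_TEST_SECRET = b"12345678901234567890"


# --- Factor 1: something you know ---------------------------------------
def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the server stores this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(hash_password(password, salt), digest)


# --- Factor 2: something you have ---------------------------------------
def totp(secret: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 (RFC 4226 truncation)."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, timestamp: int, window: int = 1) -> bool:
    """Accept the current code or one step either side, to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, timestamp + drift * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


# --- Enrolment and the combined check -----------------------------------
def enroll(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Server-side record: random salt, password digest, shared TOTP secret."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "digest": hash_password(password, salt),
        "totp_secret": totp_secret if totp_secret is not None else secrets.token_bytes(20),
    }


def authenticate(record: dict, password: str, code: str, timestamp: int) -> bool:
    """Both factors must pass; both are always evaluated so a failed login does
    not tell the caller which factor was wrong."""
    password_ok = verify_password(password, record["salt"], record["digest"])
    token_ok = verify_totp(record["totp_secret"], code, timestamp)
    return password_ok and token_ok


if __name__ == "__main__":
    # Constructed user whose password we pretend was found on a slip of paper.
    record = enroll("correct-horse-on-a-post-it", RFC_TEST_SECRET)
    now = 59   # RFC 6238 test time (counter 1)
    live = totp(RFC_TEST_SECRET, now)
    print("password + live token :", authenticate(record, "correct-horse-on-a-post-it", live, now))
    print("password, no token    :", authenticate(record, "correct-horse-on-a-post-it", "000000", now))
    print("token, wrong password :", authenticate(record, "guess", live, now))
```

Two design points worth noting: the password is stored only as a salted PBKDF2 digest, so a stolen user database does not hand out the "something you know" factor either, and `verify_totp` allows one 30-second step of drift on each side, which is the usual compromise between usability and the size of the window an attacker has to replay a glimpsed code.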

So, what is YOUR position on this? To write down or not to write down your password, that is the question.

19 Comments:

  • He's right in a way, but wouldn't you agree that your admin password is worth more than 5000 USD?

    Assuming that you don't back up, all your work will go down the drain ...

    By Anonymous Feras, at 4:20 AM  

  • The password to a bank account is worth a lot of money to small businesses.

    By Blogger Chui Tey, at 8:58 AM  

  • Why not write down a hint to your password, and use passwords that are easy to hint at?

    For example, your password could be cytmh2g255, which is clearly "can you tell me how to get to Sesame Street", and your hint could be Big Bird or Sunny Day. Having conventions about when you use other characters instead of lowercase letters can help.

    By Anonymous Anonymous, at 9:31 AM  

  • Let's think about the attack vectors here. In order of likeliness, they are:

    - People randomly guessing your password
    - People trying to guess the password based on facts about you (pet name, birthday)
    - People stealing your wallet to get your passwords

    People stealing your wallet in order to get your passwords is extremely unlikely. If people can't write down passwords, they'll choose weak passwords that can be guessed. Hence, telling people not to write down their passwords actually makes them *less* secure.

    Tell them to create hard passwords (or even better, create hard passwords *for* them). Then, tell them to write them down and keep them someplace safe (which does not include stickies on the screen).

    By Anonymous LKM, at 10:06 AM  

  • I vote for write down a hint which only you know what it refers to. It's simple and secure.

    By Anonymous Anonymous, at 10:32 AM  

  • The best method is still to get them to choose a passphrase that they'll remember!!

    Heck, if you want supersecure passwords -- don't choose an arbitrary word.. use a passphrase.. Passwords can be up to 256 characters in length... one of the things we used to do is to get people to use sentences... a quote that they'll always remember...

    When doing that - we never had password/passphrase issues...

    Use a lyric in a song.
    Favorite quote from a movie.
    Best comedic line from your favorite comedian --

    people are more apt to remember that than a word they had to come up with on the spot.

    Going with a password or passphrase that people will remember, without too wacky a set of restrictions, is the best way ... so that people DON'T have to write it down...

    By Blogger AlRo, at 10:37 AM  
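LKM's suggestion above (create hard passwords *for* users, then let them write them down) and AlRo's preference for passphrases both come down to the same question: how much entropy does the secret carry, and how do you produce it without a human picking it? The following is an added example of my own, not code from either commenter, that generates both kinds of secret from the OS CSPRNG, checks a typical complexity policy, and computes how many words a passphrase needs to match a random character password. The 64-word list is constructed for the demo (a real deployment would use a published list such as Diceware's 7776 words); `ALPHABET`, `WORDS` and the function names are all assumptions of this example.

```python
"""Generating strong passwords and passphrases for users, and comparing
their entropy. Added illustration, not code from any commenter."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed 64-word list (exactly 6 bits per word) so this runs offline.
# A real deployment would use a published list such as the 7776-word
# Diceware list, which gives about 12.9 bits per word.
WORDS = """
apple basket candle dragon eagle forest garden hammer island jacket
kettle ladder magnet needle orange pepper quartz rabbit saddle tunnel
umbrella violet walnut yellow zipper anchor bridge castle desert engine
falcon glacier harbor insect jungle kernel lantern marble napkin oyster
pillow quiver rocket silver timber unicorn valley window yogurt zebra
button cactus dolphin ember feather goblet helmet igloo jigsaw koala
lemon meadow nickel otter
""".split()


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of `picks` independent uniform selections from `choices` options."""
    return picks * math.log2(choices)


def random_password(length: int = 12, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 5, words=WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: words drawn uniformly, joined by a separator."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def words_for_equivalent_entropy(char_len: int, alphabet_size: int = len(ALPHABET),
                                 wordlist_size: int = len(WORDS)) -> int:
    """Fewest words giving at least the entropy of a `char_len` random password."""
    return math.ceil(entropy_bits(alphabet_size, char_len) / math.log2(wordlist_size))


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Typical corporate rule: length plus lower, upper, digit and punctuation."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return len(password) >= min_len and all(any(c in cls for c in password) for cls in classes)


def policy_password(length: int = 12) -> str:
    """Rejection-sample until the policy is met; this keeps the distribution
    uniform over compliant passwords instead of forcing a digit into a fixed slot."""
    while True:
        candidate = random_password(length)
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    pw = policy_password(12)
    print(f"random password  : {pw}  ({entropy_bits(len(ALPHABET), 12):.1f} bits)")
    n = words_for_equivalent_entropy(12, wordlist_size=7776)
    print(f"equivalent words : {n} from a 7776-word list")
    print(f"passphrase (64-word demo list, {entropy_bits(len(WORDS), 5):.0f} bits): "
          f"{random_passphrase(5)}")
```

The comparison function is the useful part for a helpdesk policy: a 10-character random password from the 94-symbol set carries about 65 bits, which a 7776-word list matches with six words, and six memorable words are far more likely to stay in someone's head than ten random symbols, which is the whole reason the slip of paper appears in the first place.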

  • I encourage my users to 'invent' a hard password of seemingly random characters - but write down a way to remember them.
    For example the password: 7913$qpzm
    Written on the paper: 4 numerical corners, dollars, 4 alphabetical corners

    By Anonymous Doug Jones, at 11:34 AM  

  • I believe writing down is NECESSARY - consider that I have at least 15 different online accounts that I log into and can't easily remember the UN/PW combos...

    I like the following SOLUTIONs to writing down passwords
    - use hints
    - often my passwords are one of 4 forms (I rotate them across sites) so when I write them down, I only write the first character - and I know the rest by heart
    - on top of this I "encrypt" the passwords, e.g. by writing some things in a foreign language that the average person would not understand.

    example. suppose one of my passwords is Laur5en

    to remind myself, I'll write
    or "Laure hamesh .." where "hamesh" is 5 in Hebrew. and I'll know the "..." means there's more to come and I know what it is

    By Anonymous Anonymous, at 12:23 PM  

  • Of course, one simple way to deal with this is to write your password on a chit on your keychain. And NOT label it as a password.

    You won't leave your keychain behind, and if you did, as long as there are other strings on the page, would anyone think twice? Especially if it was on a chit that looks exactly like a normal keyfob tag?

    I do this, and the password is written in backwards fragments. I've since learned it, but... for a while this was a great help.

    By Anonymous Anonymous, at 12:57 PM  

  • I have used two different systems that work pretty well—flawlessly, for me, in fact.

    Initially, I emailed myself a complete list of all accounts, logins and passwords. The great thing about this is I have live links to all accounts. Think about paying bills. I log in, keep this one email up, and then roll through everything I need to pay. The only arguable downside is that I do need to remember the email and password.

    The other system I've used is one of those online organizational tools that lets you make lists, keep files, take notes, have a calendar, etc. I have simply made one of the pages a list as described above—links, logins, passwords—and once again everything is one place. Again, the only arguable downside is that I need to remember the site and the login and password, but this isn't likely to be a problem.

    I imagine these systems might not be advisable for some—perhaps if you have really serious security concerns or something—but they're pretty much flawless for my purposes.

    Another good thing, because I'm by far the most technologically savvy person I know (and that really is not saying much!), I could literally explain in detail what my security system is to the people I know, and they would have no idea what I'm talking about—not that I would ever do that.

    By Anonymous Anonymous, at 1:09 PM  

  • Surely it depends on what the password is protecting. In most offices I've been in, a person with access to the building can easily find a terminal where someone is logged in but has left their computer unattended. Is keeping your password under the keyboard really such a problem then? If your company's main concern is someone hacking into their system over the internet, it seems more important to have strong passwords that are written down than weak ones that are easily remembered.

    On the other hand, keeping your Internet banking password on a piece of paper in your wallet means that anyone who steals your wallet then also gets access to your savings account. Not such a great idea there.

    By Anonymous Anonymous, at 2:12 PM  

  • I submit that the fingerprint or voice is something you have, not something you are. They're just harder to steal than a card or key.

    By Anonymous Anonymous, at 4:15 PM  

  • If you are in an environment where you have 8 passwords to change every 30 days for which they must be lower/cap/alphanumeric/non-alpha with at least 2 different characters every forsaken time...writing down passwords will save a lot of calls to the Helpdesk to reset passwords on a daily basis.

    The real question is: How stupid and unrealistic can a security policy be? Sky is the limit since all security policies I have seen forget one major thing: human memory and creativity have their limits.

    By Anonymous Anonymous, at 4:19 PM  

  • One of the easiest ways - store a password in your mobile phone (cell phone).. what Gen Y-er is ever going to be more than arm's length away from the mobile?

    By Anonymous Anonymous, at 6:41 PM  

  • A mnemonic is so much better. For example: st2ds9 (Star Trek 2, Deep Space 9) is not too hard. That was the root password where I worked 12 years ago. Hopefully they changed it ;)

    My wife relied on "finger memory", but at one point it suddenly failed. No record of her password! It is also hard to do on a different keyboard -- e.g. a laptop.

    By Anonymous Johny Mnemonic, at 8:11 PM  

  • Right, but how many mnemonics can you hold in your head at the same time? That works great for my desktop login, but I have multiple database passwords that aren't up to me, and website passwords that have different security requirements.

    This is why I choose to tattoo my passwords on my testicles. I already trust anyone that sees the passwords, and if I lose them I will not care what happens at work.

    By Anonymous Anonymous, at 11:03 PM  

  • I cycle through two different acronyms that are meaningful to me with a number sequence tacked onto the end. When I am required to change my password I use acronym A with sequence 1 followed by acronym B with sequence 1 followed by acronym A with sequence 2, etc...

    This keeps the passwords different enough that they pass our extremely stringent password requirements but I still have a snowball's chance in hell of remembering it.

    I keep a post-it stuck to the side of my computer at work where the entire world can see it but all that is written on it is A1, B1, A2, B2, B3, etc...

    Nobody but me knows what that means but it helps me remember where I am in the sequence. I don't have to worry about losing my crib sheet because it is stuck to my machine.

    By Anonymous Anonymous, at 1:38 PM  

  • The relative security of a single Userid or password is even more relevant when considering that most people these days have logon IDs to numerous sites.

    It is much easier to remember one password than many, so how many people use a single password (or pin number) for all of their online identities? If someone discovers a piece of paper with your password on it, they probably have the password to all your identities as well.

    By Anonymous Anonymous, at 3:29 AM  

  • I have to admit, I've written down all my passwords and usernames and hid the paper away. I tried remembering them all, but usually ended up locking up the system and then had to humbly ask one of my colleagues to unlock me.

    With about 20 "strong" passwords associated to varying userids for work alone, the task of remembering them all is way too hard. Especially since I don't use each and every system on a daily basis. Even rotating through a couple of common ones doesn't work because the schedule to change them is out of synch on purpose and cannot be changed.

    Unfortunately there's still one system out there no-one can get into because I forgot the admin password before I wrote it down - doh!

    By Anonymous Anonymous, at 10:36 AM  
