Should You Write Down Your Passwords?

  • I agree, passwords should be written down. This is especially true for IT staff for DR purposes and in the event that you're not around when the password is needed, like when you're on holidays

    Another case is the infrequently used password. We have a Telnet application that provides the ability to auto-login. So you don't enter the username and password each time you use the application. The security is pretty good in that it requires very strong passwords and they expire pretty regularly. The only catch is that once the password expires you need to enter the old password before you can create a new one and it's amazing how easily you forget something when you don't actually use it.

    --------------------
    Colt 45 - the original point and click interface

  • Actually, I've been using pass-phrases lately.

    They usually meet the complexity requirements (of, say, Windows 2003 Server's default policy), can be quite long and are easy to remember.

    It is becoming a major problem these days.  On top of passwords, we have PINs for ATM, your mobile phone account, your CityLink account (for us Melburnians), secret questions and a plethora of other codes.

    Is the answer to this something along the lines of biometrics? Don't know, but I'm running out of storage for all my codes, pins and passwords!

  • I think here's where knowing foreign languages helps - I know smatterings of several - enough to coin a "pass phrase" in a mixture of a couple of languages that would make any sense only to me.... Throw in some special characters to this mix and you're good to go....

    I also have a method (in my own madness)....where every time I have to change my network password at work, I just keep stripping the outermost right, then the outermost left and then recycle it back to the beginning when the 2 year cycle (or whatever it's set to) is over....

    **ASCII stupid question, get a stupid ANSI !!!**

  • The language idea is great. Never thought of that, but my smattering of a couple languages might make me safer.

  • Si!

    **ASCII stupid question, get a stupid ANSI !!!**

  • My solution for keeping a large number of passwords is to keep them on my Palm PDA in a passworded, encrypted database.  I didn't find an existing password keeper that I liked, so I wrote my own.

    If the PDA is lost or stolen, the passwords are still secure (encryption is the *only* security on a Palm).  There's also a PC reader for the database, which uses the same password as the PDA version. 

    John

  • When coming up with complex passwords, I think of a set of related songs or tunes that seems appropriate to the setting. (For instance, last job I used "old Saturday Morning TV shows".) Then I take a phrase, turn it into acronyms, toss in punctuation and funky characters (and foreign translations if they jump right out), and end up with something no one's going to guess.

    Example A: The Banana Splits Show. A key line from the theme song: "Fleegle, Bingo, Drooper and Snork". Password:

          F,B,D&S.

    Example B: Line from the Sesame Street intro song: "Sunny day, keepin' the clouds away" becomes 

         S2d,kt-ca#

    [where "S" from "Sun", 2 from "ni", which is Japanese for 2; "-" because there's a pause there in the song, and "a#" comes from away (weigh)]. Spelling this out makes it seem awkward, but when I hummed along I never mis-typed it.

    Added bonus: when you cycle the password out, you can challenge your friends to figure out what the old password was based on. "Lt,aefh!", anyone?

  • Personally I do not think it's a good idea to write passwords down (also notes get lost...).

    At work we are forced to use strong passwords. I can not remember these difficult passwords, so I choose a combination of keys on the keyboard that is easy to perform. Apparently my fingers have a better memory than I do, because this system never failed me yet (it's also handy for remembering phonenumbers, actually any type of information that needs input via keys).

    Only thing to beware of is to change the password in case of a different keyboard (either via software or hardware).

    Hans

  • Sushila, how did you know my sa password was set to 'si'.    I'm kidding of course, but I've seen system admin passwords nearly as ridiculous as that one.  My favorite was an SQL installation where the password had been set to blank.  Not a blank password mind you, but literally the word 'blank'. 

    I lectured my parents at length when they finally got online last year about the importance of using secure passwords and not writing them down anywhere.  And just when I finally thought my message had gotten across, you won't believe what I got for Christmas - it was a little book to write down all my user names and passwords. 

    My hovercraft is full of eels.

  • I think password set to "blank" is a stroke of genius - who'd ever think it could be that?!?!

    Are you sure the "little book" wasn't to write down names & phone #s - you mean there're actually books for unames and pwds ???? Wonder who thought of marketing that one! (must be the kind of parent who tells his pilot son to watch out and not "fly too high!")<;-)

    My favourite is when I had to deal with variable names in Spanish...that was a quick immersion course all right!

    **ASCII stupid question, get a stupid ANSI !!!**

  • In a previous job, passwords used to be written down, put in a sealed envelope, signed across the flap and stored in the fireproof safe in the personnel department, along with a set of backup tapes and other items they needed secure.

    In times of need these rarely used passwords could be extracted and used (only by specific people and under HR supervision) and then updated and re-stored for next time.

  • It actually was the equivalent of a name and address book, but it had been printed and sold for the purpose of recording user names and passwords. My e-mail, my office account, etc. If I can find it, I'll see if I can post a jpeg somewhere.

    After reading this thread, I'm actually of a mixed mind when it comes to documenting passwords (among other things). If they're completely secured somewhere as the previous post suggested, I can see the use in that as long as this access is strictly controlled.

    Single sign on is another thing though, and for the most part this is something that I am against. Yet I do see it as an attempt to address the issue of trying to keep track of so many user names and complex passwords, particularly in an environment where HIPAA policies (which in turn affect password policy enforcement) are in full force.

    Our previous SSO application had a serious flaw where if you logged onto an application from an end-user's PC the authentication was cached. Then the next time that user logged in to the same system, he/she would get in with your credentials. Not a good thing.

    My hovercraft is full of eels.

  • The safe storing is a good idea and one I've used in smaller companies. Give a sealed envelope to the CFO/Accountant to store. That way if I disappear, he can get the domain admin accounts.

  • That's why there is movement towards biometrics and one time pads like the secure tokens from RSA Security. There isn't a password to remember, per se, although there is usually something like a PIN. However, the fact that there is some aspect of that "password" changing every few seconds makes it nigh impossible to crack yet still permitting someone a reasonable amount of info to remember. Security experts are now starting to go down the path of recommending this not only for remote users coming in through VPN but for any privileged accounts. It solves a lot of these types of issues that you get with increasingly more complex passwords.

    K. Brian Kelley
    @kbriankelley

  • The password quandary, it's one dynamic subject. Well, I'd just like to address the complexity and cracking portions. Complexity ... well we require 3 of the 4 following criteria (upper case/lower case/number(s)/special character(s)) and minimum length of 8 are the site standard here for normal users. Now for those in systems administrative positions (Windows Admins & SQL Admins like myself) the same requirements apply but the length is 12.

    Our password policy for changes is every 90 days for users, every 45 days for administrators with a password memory of the last 10 or 12. I personally have a domain user, domain admin and enterprise admin accounts to remember.

    All of them are 16 characters long and they are not written down nor do I have them memorized! How do I do it? Well, they are just shifting patterns of 2 to 4 keys on both the right and left hands that get randomly performed.

    Here is a simple example:

    left hand does 12er

    right hand does .,LK

    left hand does zxcv

    right hand does -0po

    Nonsensical and simple, but it works. One could even skip keys, go across rows diagonally or even type a box or a rectangle (just imagine your keyboard is a primitive dot matrix). After 2 or 3 times it's almost like an automatic reflex. Then again you could go with pass phrases, but the old Unix geek in me hates to type !

    Now on to 'cracking' ... we just performed an audit using L0phtCrack with all the dictionaries and hash tables that were available. Within less than 1 day it had figured out 95% of our organization's 1500 Windows accounts. The remaining accounts took another 2 days. However there were 4 accounts that could not be deciphered (2 of them were mine). My manager killed the 'crack' process after it had run for 1 week (the server it ran on was a DL580 with quad 3.0 GHz Xeons and 4 GB of RAM, not a wimpy box). What we found out was that the secret for most Windows 'cracks' was the password had to be less than 14 characters (remember LanMan?). It seems that 2 versions of your encrypted password are stored - one LanMan (if it's 14 or less characters) and the Windows encrypted one (up to 128 characters). All of the passwords that were 'cracked' were via LanMan; a handful using brute force dictionary attacks of Windows were also found. So the biggest thing one could do would be just to lengthen the password requirement to 15 or more characters. Now I'm thinking pass phrases again but the smart part of me is thinking like a 'primitive oblong dot matrix with 48 to 102 pins' ...

    Rudy Komacsar * Senior System Engineer/Database Administrator * Porter
    Office: 219.531.7904 * Email: rudy.komacsar@porterhealth.org

    Regards,
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."
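As an added illustration (not code from the thread or from any poster), here is a small Python policy checker that encodes the rules described in the post above: 3 of 4 character classes, minimum length 8 for users and 12 for administrators, plus a flag for passwords of 14 characters or fewer, which the post notes are the ones that also receive a LanMan hash. The account list at the bottom is constructed sample data, and the function names are my own.

```python
import re

# Policy values as stated in the post: 3 of 4 character classes, minimum
# length 8 for users and 12 for administrators. The post also reports that
# passwords of 14 or fewer characters get a LanMan hash stored alongside the
# Windows hash, and that every cracked account fell to the LanMan copy.
USER_MIN_LEN = 8
ADMIN_MIN_LEN = 12
LM_MAX_LEN = 14

CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(pw, is_admin=False):
    """Return a list of policy findings for one candidate password.

    An empty list means the password meets the site rules from the post
    and is long enough to avoid the LanMan hash entirely.
    """
    findings = []
    min_len = ADMIN_MIN_LEN if is_admin else USER_MIN_LEN
    if len(pw) < min_len:
        findings.append(f"too short: {len(pw)} < {min_len}")
    present = [name for name, rx in CLASSES.items() if rx.search(pw)]
    if len(present) < 3:
        findings.append(f"only {len(present)} of 4 character classes: {present}")
    if len(pw) <= LM_MAX_LEN:
        findings.append("LM-hashable: 14 characters or fewer, a LanMan hash "
                        "would be stored for this password")
    return findings


def audit(accounts):
    """accounts maps name -> (password, is_admin); returns name -> findings."""
    return {name: check_password(pw, adm) for name, (pw, adm) in accounts.items()}


if __name__ == "__main__":
    # Constructed sample accounts, including the literal-'blank' password
    # and the two-hand keyboard pattern quoted earlier in the thread.
    sample = {
        "sa": ("blank", True),
        "jdoe": ("Passw0rd!", False),
        "rudy-admin": ("12er.,LKzxcv-0po", True),
    }
    for name, findings in audit(sample).items():
        print(name, "->", findings or "OK")
```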
