Can't Recall Passwords? Write Them Down
MrLinus
July 25th, 2005, 08:37 PM
Source:Information Week (http://www.informationweek.com/story/showArticle.jhtml?articleID=166400770)
Flying in the face of convention, a security expert is now telling users to write down passwords and stick the slip of paper in their wallets.
Such advice flies in the face of long-running counsel to not put passwords on paper. But security guru Bruce Schneier -- who is also the founder and chief technology officer of Counterpane Internet Security -- told users to forget the old advice.
"People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier wrote in his online security newsletter.
"We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper -- in their wallet."
To account for a lost wallet, Schneier urged users to finesse the paper record by writing "bank" rather than the bank's URL, or by omitting a username.
"Writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he said.
Now here's what kills me about this: a month or so ago one of Microsoft's VP said the same thing but said to keep it in a secure location, like a vault or locked desk. This makes sense since this is a practise already done with many admin passwords. Writing it down and keeping it in the wallet seems more insecure and problematic. It's very likely that the user name will be used over again or will be written down so as to match the password, particularly if the user has many accounts and passwords to begin with.
I was rather shocked that Schneier is the one suggesting this but..
rider_royal
July 25th, 2005, 08:48 PM
Write down my passwords and keep it with me.... :eek:
What???? Is the wheel coming full circle? Or, as we say, is history about to repeat itself???
Gosh, I can't even find a proper reply :rolleyes:
Egaladeist
July 25th, 2005, 09:09 PM
Let's take this to the next possible conclusion :D write them on a piece of paper and tape it to your computer :D
Sounds like something Bill gates would suggest as a security measure at Microsoft ;)
Spyder32
July 25th, 2005, 09:49 PM
My only response to that article and that concept (two actually): "Whodathunkit?" and "DUH!". Okay, sorry.. I'm done now. :D
therenegade
July 25th, 2005, 09:58 PM
Agreed, it isn't the most secure way to remember your passwords... but let's give it a thought, shall we? A lot of people, including me, think of their wallet as sacred and off limits to other people... hence the wallet, to me, would be the equivalent of a vault or safe? Well, not exactly... but you get my drift... it'd definitely lead to greater security than taping it to the keyboard, which is pretty much the norm :P
Egaladeist
July 25th, 2005, 10:54 PM
Hi therenegade,
Sorry...but obviously you've been involved with the wrong women :D ....errr....right women....take your pick :D...every woman I've ever known loves to go through wallets...it's the last place I'd put something that's supposed to be a secret.
Eg ;)
MrLinus
July 25th, 2005, 10:58 PM
it'd definitely lead to greater security than taping it to the keyboard..
Not by much. Especially given the way people are in public. I went for sushi today and listened to a group yapping about work. One guy was on his Blackberry and leaving it in public view. I've seen people leave their wallets open after taking out their credit cards. Any sticky notes, which often lose their "stickiness" in a hot wallet, tumble out, unbeknownst to the wallet owner. Personally, IMO, it leads to slack security views and a false sense of security.
Either do it all or not at all. Half-assed security doesn't help.
therenegade
July 25th, 2005, 11:17 PM
Eg,
Next time they say or try to do that... tell 'em that you'll go through their purse/handbag... works like a charm ;)
MsMittens... agreed, but as you said... the comment was dumb to make lol, just trying to see whether he might've meant it in some other way. I like to think about things from both points of view... dumb as I am :D
The_Captain
July 26th, 2005, 12:20 AM
Maybe his point is more that no matter what you tell them, they are going to write it down anyway. So, by telling them to write it down and put it in their wallet, at least they are not writing it down and putting it on their monitor or under their keyboard as they normally would.
I'm just wondering now. What happens when the user has to change their password monthly as they do in my organization? We all know how things like to build up in our wallets. Seems like more of a hassle than a solution.
Cache
July 26th, 2005, 12:49 AM
The_Captain: most people alternate between a small set of passwords anyway. I know a large majority of friends I (think I) have told me they just switch between 2 passwords (unless there is a time restriction on repeating passwords.. then they use a larger cache of passwords). So most people would either write them on the same paper or have a small amount of papers.
I have the ultimate idea: get a tattoo of your password(s). That is safe and secure, especially if it's in a "private" area. I can just picture it now..
"Hey Frank, I forget my password. What's my left cheek say?" or a guy forgets his password and looks to his crotch for help.
unvi$ible
July 26th, 2005, 01:29 AM
hi
My captain and Morse code teacher in the army used to tell us:
write the passwords on a piece of paper. Learn them by heart. Eat the paper.
Egaladeist
July 26th, 2005, 01:39 AM
Hi unvi$ible,
Well...I hope it was that cheap/thin recycled stuff and not 40lb glossy/cover-stock white bond :D
Eg ;)
zencoder
July 26th, 2005, 01:50 AM
Frankly, I tend to agree with Bruce...in a limited way.
I don't think you should keep all passwords this way, but it's a good idea for the typical lay person to keep a 'master password' in this manner. Seriously... if I want to crack your data that badly, this will only slow me down to a point. I'll have someone pick your pocket. Or hit you with a car, and steal the doc from your wallet while "trying to identify you while on the phone with 911", or any one of a number of things. But this would be good only for long, terribly complex passwords that can't be easily brute forced.
Relyt
July 26th, 2005, 02:39 AM
It's really sad to hear that users can't remember an 8-12 number/letter/symbol password without writing it down. Maybe we should beat them over the head with the keyboard so they can learn it by osmosis (the movement of molecules from an area of high concentration (the keyboard) to an area of low concentration (their brain)).
:D
~cheers~
HTRegz
July 26th, 2005, 07:29 AM
Hey Hey,
I like your comments Relyt.... but it's true.. most people can't... I know of a system where the users are assigned 6-digit numeric-only passwords and 75% write them down and 40% of that 75% will forget the password.
Actually I had my first day of training at my new job today... One of the pages we received was a username and password "creation" sheet...
username = first initial + first 7 letters of your last name (why are people so stuck on this 8 character limit.... I've seen their systems... They're running 2000/XP.. no need for the limit.)
The password was 8 characters.... couldn't be 7.. couldn't be 9.. had to be 8.. and it had to be alphanumeric (that was the good part at least).... however you couldn't use upper case... lower case only... then you had to write your password on a piece of paper and pass it to the front of the room.. username and password for all the new employees on these sheets of paper.. to be taken to IT so accounts could be created. Then we were told to write our passwords down on the documentation we were given... then we were told to leave our documentation in the room. Do we see any security flaws?
People are smartening up.. but only a little... if a person is keeping the password on their person.. by all means, write it down... but if you're displaying it in the public... WTF are you thinking.
I've been told, at one of my jobs, on about 25-30 occasions to email the root password for our servers... and I'm sitting 20 feet away from the person that needs it.. but that person can't remember it and needs to have it in the email.
I vote for biometrics across the board...
Then again... we were talking about the doors at work (RFID opens them from the outside.. and from the inside there's a pushbutton to release the magnetic lock... Makes sense, that's how most card swipes (RFID, Magnetic Stripe or otherwise) usually work.. You need a way to release it on the inside.... but someone asked why you did that... The response was "It's to confuse intruders and keep them trapped in the building".. I was like, it's a big button that says push to exit.... how does that confuse them? A little further off topic, I also heard that in the future telephones won't operate over copper lines... they'll use our cable internet connections and the digital lines... (Last time I checked cable was still copper)..
Anyways.... Writing down your password and sticking it someplace safe is better than the person who uses KWallet to store their passwords and then puts the Kwallet password on their monitor and labels it..
Peace,
HT
Noia
July 26th, 2005, 12:17 PM
I should really get around to writing the "Good password practice" tutorial some time, I think I may already have done something similar though... can't remember. If anyone actually wants such a tut, pm me and I'll get on it....
- Noia
Egaladeist
July 26th, 2005, 12:50 PM
Frequency is the ' key '...exceptions always apply...
We remember those phone numbers and other numbers through frequency of use... the less frequently we need to use them the more likely we will forget them... if you want people to remember passwords make them have to use them... and the more frequently the better... then they won't need to write them down. E.g. if you apply the rule that a person must log off and log back in every time they leave and return to their station... chances are it won't take too long before they have memorized it.
Exceptions always apply.
tenzenryu
July 26th, 2005, 12:53 PM
I found the easiest way to remember passwords was to create my own personalised password mask and then a key word
Example of a mask (not the one I use obviously)
$keY99$word
$ = symbol
letters = alpha
999s = numeric
The keywords should not be dictionary words, e.g. use a home grown phonetic representation of a non-alphabetic language (Chinese, Japanese, Iroquois) or a passphrase.
zencoder
July 26th, 2005, 03:50 PM
I think the point that is being missed (or overlooked...deliberately?) by InfoWeek is that Bruce Schneier is not an advocate of still using passwords, and thinks that the industry should have already moved on beyond them.
I absolutely agree with this (and No, I don't work for RSA or SmartWord). So I could turn that statement around on you... do it right, or don't do it at all... why do a half-assed job? Passwords are the most vulnerable 'accepted by industry' form of authentication that we use. I could make the argument that if you're using a password to access important or sensitive information, you're already failing to use proper security.
We spend a LOT of money on firewalls, IDS, AV, A-malware, RFID badges...and we can't spend the $20/user per year for a USB based token authentication system? Pathetic.
Now I can already hear the "but the <really important and completely unreplaceable software package> only supports PASSWORD authentication". Don't be crappy software. It's all I can say...I see it here regularly from a few folks...catch maybe? I forget who...but they repeat it like a litany or mantra. Don't buy software that sucks.
</stirring-the-pot> Yes, some strong statements in there that I am sure to regret at a later date. :)
MrLinus
July 26th, 2005, 04:04 PM
No. The point is valid. The usage of RSA token devices seems to have rocketed (at least from what I see of my CISSP students). It's relatively easy to implement and a two-factor or three-factor authentication has got to start becoming the norm. Reliance on simply what you know (remember) isn't sufficient, particularly with our aging baby-boomers.
As the saying goes... Memory is the 2nd thing to go as you get older.
zencoder
July 26th, 2005, 04:16 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851641) by MsMittens
As the saying goes... Memory is the 2nd thing to go as you get older.
Yeah, and I forget what the first was... ;)
But seriously...I can't believe everyone is still buying RSA tokens. And I'm not knocking RSA (yet...in this post...), I launched my foray into an infosec career on administrating and engineering ACE/Server. But they are SO DAMNED EXPENSIVE. I can't believe how much they charge, after seeing the alternatives. It's like Bose systems. I've been told that, nearly 50% of the money you spend on a Bose goes back into marketing and brand recognition.
But it is good to hear multi-factor authentication is becoming more prevalent. I've had to explain ad nauseam to many MANY students that knowing a username, password, and PIN is *not* 3 factor authentication... it's still all just data you memorize.
Egaladeist
July 26th, 2005, 04:22 PM
Hi MsM,
Memory is the 2nd thing to go as you get older.
I thought Memory was ' Impossible to get rid of! ' :D
Eg ;)
the_JinX
July 26th, 2005, 04:25 PM
Just to help my failing memory.. the 3 factors..
1. ARE
2. HAVE
3. KNOW
Right ??
MrLinus
July 26th, 2005, 04:31 PM
Just to help my failing memory.. the 3 factors..
1. ARE
2. HAVE
3. KNOW
Yup. I tend to split the ARE into two: ARE (static biometric -- iris, retina, fingerprint, DNA) and DO (dynamic biometric -- voice, signature, typing style)
zencoder
July 26th, 2005, 04:32 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851651) by the_JinX
Just to help my failing memory.. the 3 factors..
1. ARE
2. HAVE
3. KNOW
Right ??
Correct.
Something you KNOW i.e. username and PIN
Something you HAVE i.e. passcard or OTP token
Something you ARE i.e. DNA, fingerprint, or handgeometry analysis, etc.
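The "something you HAVE" factor in the post above is usually an OTP token (RSA SecurID is the one named in this thread). As an added example, not code from the thread or from any vendor, here is the standard event-based HOTP (RFC 4226) and time-based TOTP (RFC 6238) algorithm such tokens run: HMAC over a counter, with a short decimal code truncated out of the MAC. The seed is the RFC test vector, not a real secret; the drift window and replay comment are design points of my own server-side check, not part of the thread.

```python
# Added example: RFC 4226 HOTP / RFC 6238 TOTP, the algorithm behind "something
# you HAVE" OTP tokens. Not code from the thread. The seed is the RFC test secret.
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890"). A real seed is
# random and exists only inside the token and on the authentication server:
# if the seed leaks, the "have" factor silently becomes a "know" factor.
TEST_SEED = b"12345678901234567890"
TIME_STEP = 30  # seconds per TOTP window


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation
    (low nibble of the last MAC byte picks a 4-byte window, high bit masked off)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at_time: int, digits: int = 6, step: int = TIME_STEP) -> str:
    """TOTP is HOTP with the counter derived from the clock (time // step)."""
    return hotp(seed, at_time // step, digits)


def verify_totp(seed: bytes, submitted: str, at_time: int, window: int = 1) -> bool:
    """Server-side check (assumed design, not from the thread): accept the current
    window plus +/- `window` steps of clock drift, compared in constant time.
    A real server must additionally refuse a code that was already accepted in
    the same window, otherwise a shoulder-surfed code can be replayed."""
    counter = at_time // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(seed, counter + delta, len(submitted)), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(TEST_SEED, now)
    print("current TOTP:", code, "verifies:", verify_totp(TEST_SEED, code, now))
    print("RFC 6238 vector, T=59, 8 digits:", totp(TEST_SEED, 59, digits=8))  # 94287082
```

The test vectors in RFC 4226 Appendix D and RFC 6238 Appendix B let you check an implementation offline (counter 0 gives 755224, T=59 gives 94287082 with SHA-1 and 8 digits). Note what the scheme does and does not buy: the code changes every 30 seconds, so a password written on a slip of paper is not enough on its own, but the seed file on the server is now the crown jewel and the login still needs the "something you KNOW" PIN.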
Kthln01
July 26th, 2005, 04:38 PM
I could sound a little nerdy here and go into the whole spiel that we don't use our total brain capacity and therefore we should have absolutely no problem remembering our passwords, especially since we can recall our social, driver's licence number, credit card number, bank acct number, account numbers for different lenders, etc.
I could say all of that, but I'm not. Instead, I will simply say "Humans are unreliable, lets do RSA!"
jinxy
July 26th, 2005, 04:51 PM
You speak for yourself, it has taken me 7 years to learn my mobile phone number, and I still don't know my landline. I can not recite my debit card PIN, although I always type it correctly, I have to be at the ATM keyboard.
It really is time passwords were replaced.
zencoder
July 26th, 2005, 04:57 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851655) by Kthln01
i could sound a little nerdy here and go into the whole schpill that we dont use our total brain capacity and therefore we should have absolutely no problem remembering our passwords...
The problem with that is one of execution. How would we go about remembering a 4096KB key (not bit, Byte... go read 0wnz0red (http://www.salon.com/tech/feature/2002/08/28/0wnz0red/) by Cory Doctorow (http://www.craphound.com/) if you don't get the reference. It's great.) then? What is your method for doing so?
To paraphrase Aesop, it's easy to suggest the impossible/impractical.
Kthln01
July 26th, 2005, 05:05 PM
You speak for yourself, it has taken me 7 years to learn my mobile phone number, and I still don't know my landline. I can not recite my debit card PIN, although I always type it correctly, I have to be at the ATM keyboard.
funny, that happens to me too. but you remember it.
How would we go about remembering a 4096KB key
whoa, nellie!!
I'm just talking about an alpha/numeric/symbolic (9-digit) password, not pi. :fart:
zencoder
July 26th, 2005, 09:27 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851664) by Kthln01
whoa, nellie!!
I'm just talking about an alpha/numeric/symbolic (9-digit) password, not pi.
OFF TOPIC - I think phi is so much cooler than pi. Pi is great for round stuff and all, but phi is just so much more...intriguing! How can you not like the name 'The Divine Proportion'?!? :)
So what? What is a REASONABLE LENGTH/COMPLEXITY PASSWORD, given today's computing power, when combined with methods like using rainbow tables and cluster processing? You can make some password that is so ridiculously hard to remember that Stephen Hawking would spit up at it, and it's still just a bunch of ascii (or whatever encoding you use) for my brute force script to hammer against.
I think (calling back to the original article that lit this storm) the point Bruce was making is "make it strong enough so casual skiddies won't crack it on their parents Presario with a 4 year old version of L0phtCrack" and write it down and keep it with your important personal documents...credit card, identification card, cash, etc. It's no more important than most of those, right?
The root of the problem is we are still relying on a string of 0's and 1's all generated by keys being pressed on the keyboard. If I put an infinite number of monkeys at an infinite number of keyboards, trying to randomly enter characters that would eventually equate to your password, I would succeed...in creating the Internet, Mr. Gore. :grin:
Seriously... it's always relying on ONLY the right sequence of characters being entered (be it password, username password PIN, or whatever). As technology increases in power, speed, and computational capabilities (reference: Implications of Moore's Law (http://en.wikipedia.org/wiki/Moore's_law)), guessing the right combinations of characters will only become easier.
I acknowledge that multi-factor will not be bullet proof either. But it will level the playing field some, because if I have an AES encrypted digital certificate with an un-f00king-believably long passphrase protecting the token it is stored on, and I have to provide this certificate when logging in to a server, it'll take SIGNIFICANTLY longer for the crackers among us in the world to positively login to that account with my credentials than if it were simply a password (4096KB in length or not!)
So my point is, it don't matter how much brain capacity you use. Things you remember are simply still things you remember, no matter how complex or simplistic.
spamdies
July 26th, 2005, 09:53 PM
ok... thats not fair... next time the world comes to an end... let me know first...
rapier57
July 27th, 2005, 01:31 AM
Lessee ... where was I ...
Memory ...
Yeah, that's the ticket!
Uh, where am I?
catch
July 27th, 2005, 05:15 AM
An interesting thing... as a user of a system (like the one at your work) do you care if it is compromised? It isn't your responsibility, your responsibility ends at the lowest point of either "reasonable" or the corporate policy.
If the policy requires an 8 char password and states you cannot write the password down. This would be deemed unreasonable. Time and time again research has shown that humans can only be expected to remember 7 char sequences.
How is this for some food for thought... your wallet is stolen and your password is inside. Your company is breached and the attacker explains how. The 8 char password and no writing down is in effect. Who is responsible? Sr. Management. Why? Their policy was foolish, it puts undue stress on employees and effectively negates the whole password policy requirements as they are mutually exclusive under the rules of "reasonable." Now you have a system with no password protections, consequently since Sr. Management has failed to provide other safe guards, they have not upheld due diligence in securing the system.
Not only can they be sued/arrested depending on the nature of the losses, the employee whose password was stolen can also sue for being made the scapegoat of Sr. Management's laziness.
So, write down your passwords, either they are too short (7 chars) to be considered adequate by the industry, or they are too long to be considered reasonable to memorize. Either way, no reason to stress yourself out because someone else isn't doing their job.
cheers,
catch
Noia
July 27th, 2005, 10:14 AM
You know what would be really interesting? A graph of how fast a password could be cracked against the length and formatting of the password, for example, a time/length curve for each standard permutation of passwords, like word, words, number, Word+number, number+word, etc etc etc.... this would be useful to show people roughly how easily the standard 6 character password can be broken (and I know a lot of sorry souls who use only 6 characters.)
Kthln01
July 27th, 2005, 02:58 PM
it depends what the password is for.
For instance my AO password is not critical to my life. (Dont get me wrong, I dont want anyone to have it, but there's no grave danger that can come about from it being hacked).
What I dont understand is people who insist on using the same password (weak or strong) for every account they create. Thats just askin for it!!
zencoder
July 27th, 2005, 03:55 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851786) by Noia
You know what would be really interesting? A graph of how fast a password could be cracked against the length and formatting of the password, for example, a time/length curve for each standard permutation of passwords, like word, words, number, Word+number, number+word, etc etc etc.... this would be useful to show people roughly how easily the standard 6 character password can be broken (and I know a lot of sorry souls who use only 6 characters.)
There are too many variables. What speed/processing capacity is the CPU? How much RAM is available to the cracking processes? What other system processes are running, which are privileged (and could interrupt your cracking process), and what else is being done on the system that could slow down the cracking attempt?
It's like saying "wow, I wonder how long it takes to go from my house to Bum-****-iztan?" without qualifying if you're going to fly, drive, walk, travel in winter, travel in summer, with luggage, etc.
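Noia's graph and zencoder's "too many variables" objection can be reconciled by collapsing the hardware questions into a single number, guesses per second, and then the only thing left to vary is the shape of the password. The added example below (mine, not from the thread) does exactly that, using hashcat-style mask notation (`?l` lowercase, `?u` uppercase, `?d` digit, `?s` symbol, `?a` any printable, and my own `?w` for "one dictionary word"); it also prices tenzenryu's `$keY99$word` mask from earlier in the thread both when the attacker knows the structure and when they do not. The guess rates and the 100,000-word dictionary are assumed round figures for illustration, not measurements.

```python
# Added example, not from the thread: keyspace and exhaustive-search time for
# password "shapes", parameterised by the attacker's guess rate. Mask classes:
#   ?l lowercase  ?u uppercase  ?d digit  ?s symbol  ?a any printable ASCII
#   ?w one word from a dictionary of `dict_size` entries (my own extension)
# Any other character in a mask is a literal and contributes nothing.
import math

CLASS_SIZES = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}

# Assumed, illustrative rates (not measurements): a throttled online login
# form versus an offline attack on a fast, unsalted hash such as raw MD5/SHA-1.
RATES = {"online, throttled (10/s)": 10.0, "offline, fast unsalted hash (1e9/s)": 1e9}

SHAPES = [
    ("6 lowercase letters", "?l?l?l?l?l?l"),
    ("one dictionary word", "?w"),
    ("Word + 2 digits", "?w?d?d"),
    ("2 digits + word", "?d?d?w"),
    ("8 random printable", "?a" * 8),
    ("tenzenryu mask, structure known", "?s?l?l?u?d?d?s?l?l?l?l"),
    ("same 11 chars, structure unknown", "?a" * 11),
]


def mask_keyspace(mask: str, dict_size: int = 100_000) -> int:
    """Number of candidates an attacker who knows this mask must try at most."""
    total, i = 1, 0
    while i < len(mask):
        if mask[i] == "?":
            cls = mask[i + 1]
            total *= dict_size if cls == "w" else CLASS_SIZES[cls]  # KeyError on a bad class
            i += 2
        else:
            i += 1  # literal character: the attacker already knows it
    return total


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst case; the expected time to hit the real password is half of this."""
    return keyspace / guesses_per_second


def human_time(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def crack_table(shapes=SHAPES, rates=tuple(RATES.values()), dict_size: int = 100_000):
    """Rows of (label, mask, entropy_bits, [seconds per rate])."""
    rows = []
    for label, mask in shapes:
        space = mask_keyspace(mask, dict_size)
        rows.append((label, mask, math.log2(space), [seconds_to_exhaust(space, r) for r in rates]))
    return rows


if __name__ == "__main__":
    print(f"{'shape':36s} {'bits':>5s}  " + "  |  ".join(RATES))
    for label, mask, bits, times in crack_table():
        print(f"{label:36s} {bits:5.1f}  " + "  |  ".join(human_time(t) for t in times))
```

Two things the table makes visible that the thread argues in words: "word + 2 digits" and "2 digits + word" cost the attacker the same, only the order of two masks changes; and a known structure like `$keY99$word` cuts 11 characters from roughly 2^72 candidates to about 2^50, which an offline attack on an unsalted fast hash finishes in days rather than centuries. Rainbow tables move the work into precomputation against unsalted hashes, and a salted, deliberately slow hash pushes the offline rate down by orders of magnitude; both are changes to the rate column, not to the shape column.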
zencoder
July 27th, 2005, 03:59 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851769) by catch
An interesting thing... as a user of a system (like the one at your work) do you care if it is compromised? It isn't your responsibility, your responsibility ends at the lowest point of either "reasonable" or the corporate policy.
That is a great point... and all the more reason that as professionals, we should advocate stronger authentication methods than passwords. If multifactor authentication is compulsory, many of these problems go away.
genXer
July 28th, 2005, 09:19 AM
As many people have already stated, we need to move beyond passwords - when I am auditing, it is one of the first hooks we look for. Who needs to exploit (I mean leverage the weakness of) a vulnerability, when I can check for blank or default passwords? Those are other issues I know, but I also believe our users are very busy just trying to do their job without having to remember 5-10 different passwords.
In looking to move beyond passwords some of the problems we have run into include: is there a technology we should use to move beyond passwords?; will that technology work globally?; is there a backup in case the system(s) governing that technology fail?; what is the TCO for doing it or not doing it (sticking with passwords)?; is there an industry standard to follow or a benchmark? And many more that I cannot recall just right now as I am trying to remember a password for something.
But... for now just use these to write down your passwords and stick them underneath your keyboard or under your mouse pad: http://www.3m.com/us/office/postit/index.jhtml
I have included a picture to show you how to do it as well.
phr0zenf1sh
July 28th, 2005, 10:12 AM
I was asking my system admin yesterday about how she remembers all her passwords, and manages to make them difficult to guess. I only have a few to remember, so I just keep them in my head. She remembers very simple passwords such as summer or spring, but uses a system of changing certain letters into a number such as 1 for a etc. and moving other letters up the keyboard. That way she just has to remember the simple word, and her universal system. I thought it was interesting.
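The scheme described above (a common word, some letters swapped for digits, some letters moved up a keyboard row) is exactly what a rule-based dictionary attack is built to undo: the attacker takes a short wordlist and applies every combination of the obvious transforms, so the password's real strength is the size of the wordlist times the number of rule combinations, not its apparent randomness. The added example below is mine, not from the thread; the wordlist, the substitution table, the keyboard-row mapping, the unsalted SHA-256 stand-in for the stored hash, and the target password ("summer" with e replaced by 3 and the leading s moved up a row) are all constructed here.

```python
# Added example, not from the thread: a rule-based dictionary attack (the
# approach of John the Ripper / hashcat rules) against "common word + leet
# digits + shift letters up a keyboard row". Everything below is constructed.
import hashlib
import itertools

WORDLIST = ["spring", "summer", "autumn", "winter", "password", "welcome"]

# Classic letter-to-digit substitutions an attacker tries first.
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

# Assumed "one row up" mapping on a US QWERTY keyboard, rows aligned by index;
# the top row moves up to the digit row.
ROW_UP = {}
for row, above in (("zxcvbnm", "asdfghj"), ("asdfghjkl", "qwertyuio"), ("qwertyuiop", "1234567890")):
    ROW_UP.update(zip(row, above))


def leet_variants(word: str):
    """Every subset of the applicable substitutions, each applied to all occurrences."""
    keys = [k for k in LEET if k in word]
    for n in range(len(keys) + 1):
        for chosen in itertools.combinations(keys, n):
            out = word
            for k in chosen:
                out = out.replace(k, LEET[k])
            yield out


def row_up_variants(word: str):
    """Every subset of letter positions shifted up one keyboard row."""
    positions = [i for i, ch in enumerate(word) if ch in ROW_UP]
    for n in range(len(positions) + 1):
        for chosen in itertools.combinations(positions, n):
            chars = list(word)
            for i in chosen:
                chars[i] = ROW_UP[chars[i]]
            yield "".join(chars)


def candidates(wordlist=WORDLIST):
    """Base word first, then rule combinations; duplicates are skipped."""
    seen = set()
    for word in wordlist:
        for v1 in leet_variants(word):
            for v2 in row_up_variants(v1):
                if v2 not in seen:
                    seen.add(v2)
                    yield v2


def sha256_hex(s: str) -> str:
    # Unsalted fast hash, standing in for a weak password store. A salted, slow
    # hash would not stop this attack; it only raises the cost per guess.
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_hex: str, wordlist=WORDLIST):
    """Return (plaintext, guesses tried), or (None, guesses tried)."""
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        if sha256_hex(cand) == target_hex:
            return cand, tried
    return None, tried


# Constructed target: "summer" with e->3 and the leading s moved up a row (s->w).
SECRET = "wumm3r"
TARGET = sha256_hex(SECRET)

if __name__ == "__main__":
    found, tried = crack(TARGET)
    print(f"recovered {found!r} after {tried} guesses")
```

With a six-word list and two rule families the whole candidate space is a few thousand guesses, which is why "simple word plus my personal system" only holds up until the system itself is guessed; the memorable part (the word) is the part the attacker already has.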
bludgeon
July 28th, 2005, 12:48 PM
Passwords are accepted, they're in use, they aren't going anywhere soon, if it was practical to use biometrics it would already be implemented
Thumb drives or USB devices were brought up....by the same person that said they could run a person over to get the info out of their wallet....erm....think about that...even if you gave employees lockers to store their 'drives' in....it's easier to 'crack' a padlock than you'd think, considering there's a maximum of only six digits to the password, as it were...or hell, since you were giving an 'extreme' scenario, just bash the bugger off.
I think it was the same person who brought up the car and thumbdrive thing that said repetition is the key...maybe it was eg, but I think that's the point people should focus on...
catch said that people can only remember 7 digits.... according to studies.... they were using random numbers in that test... not things like phone numbers (which would have to be extended to 10, considering the area code), or commonly used digits like a SS#, which had been brought up, repetition is key... we're all dumb sponges, make us absorb.... the problem is training... and I'm coming at this from a corporate environment where training should be provided... passwords aren't going away.... so training should be more intensive as far as password security is concerned... most corps nowadays have dipshits running the IT dept., and go in for a 5 minute talk about nothing that engages the employees on why they should maintain secure passwords....
...if an employee can not demonstrate that they understand why passwords are important, how to handle and maintain them in a safe way, and the basis for constructing one, they should not be employed. BTW, just for catch.... pneumonoultramicroscopicsiliconvolcanokoniosis....I think I learned that in 7th grade...not numbers, I know...still relates...I was MADE to remember that, and I still do...
Back to the original point, I think 'dude' is pretty much right... write it down, and keep it on your person.... but then I would get more into the aspect of 'personal' security than he would.... I live in MX. Sometimes a group of people will hassle a 'white' person coming home from their job early in the morning.... being surrounded by 5 or 6 people gives one of them a good opp. to pick your pocket (not like they would know what to do with it, if they get it, had I a password in there). However, I think, and I've thought this since I was a kid growing up outside of Philly.... only idiots carry wallets.... maybe it makes you feel organized.... or maybe I'm just weird.... but you need to carry ID in your back pockets, I personally carry my passport with the DL and some papers, which would probably include my password slip, had I one, and anything monetary (CC's, money) in a front pocket... but he's right, imo... write it down, put it on a pendrive, and then handle the material appropriately....
...I personally think there is more of a chance of people quitting in a large corp. and leaving there binders laying around with passwords in it being more of a risk that a password in a wallet....but then, I'm dumb...and people like to tell me that.
catch
July 29th, 2005, 01:12 AM
bludgeon... kindly re-read my post, read a bit how memory works, and read about the definition of "due diligence" before you make such asinine responses.
First off... people as a rule can only be expected to remember 7 char sequences. In order to remember sequences longer than this, a process known as chunking is used.
Observe:
1776197619452005
can be easily remembered as:
1776, year of American independence
1976, 200th birthday of the US
1945, end of WW2
2005, the current year
Each of these blocks is treated as a single value rather than as 4 separate values. This, however, does not extend the average person's capabilities.
Another way to remember large sequences like:
abcdefghijklmnopqrstuvwxyz
or
12345678901234567890
Is through logical value assignments, in this case c goes between b and d, n goes between m and o, or 6 goes between 5 and 7. Hence no memorization is required, these sequences can merely be calculated. The same can be said for "pneumonoultramicroscopicsiliconvolcanokoniosis" (which you misspelled by the way, "silicovolcano" not "siliconvolcano", perhaps just a typo, another weakness of long passwords. Though the inclusion of an extra, seemingly sane letter would indicate mismemorization and not a typo, yet another weakness of long passwords. The rules you use may change for whatever reason as they are not tied to the password but the other way around) then you don't remember this as a sequence, you remember it as a collection of phonetics and spelling rules. Again, this is a calculated result, not a memorized one.
So back to the original point, 7 chars... yes people can use chunking and calculation to remember much longer passwords and nowhere did I say otherwise. I said it is unreasonable to expect this, so much so that if a user is required to have an 8 char password and they write it down, in violation of the security policy and the system is compromised via disclosure of the written password. The guilty user cannot legally be held accountable, even though they violated the security policy. Consequently such a security policy is flawed.
Passwords are accepted, and so is multi-factor authentication... as more organizations adopt multi-factor authentication we will see a correction of password requirements to a sane level.
cheers,
catch
zencoder
July 29th, 2005, 02:47 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851930) by phr0zenf1sh
I was asking my system admin yesterday about how she remembers all her passwords, and manages to make them difficult to guess.I only have a few to remember, so I just keep them in my head. She remembers very simple passwords such as summer or spring, but uses a system of changing certain letters into a number such as 1 for a etc. and moving other letters up the keyboard.That way she just has to remember the simple word, and her universal system.I thought it was interesting.
If you find it interesting, you might want to read this (http://zencoder.net/archives/2005/06/13/white-paper-creating-safe-passwords/).
Drakain Zeil
July 29th, 2005, 04:07 AM
Passwords are on the way out with biometrics. I can see a very close future, within years, where your keyboard-mounted eye or fingerprint scanner (they have both of these today) would log you in, to sites such as AntiOnline. It does, however, pose problems for all those folks on DeviantArt and other websites who take photographs of their eyes :P.
catch
July 29th, 2005, 06:57 AM
Biometrics will not replace passwords, it will replace ATM cards. You'll still need something you know.
cheers,
catch
bludgeon
July 29th, 2005, 11:27 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post852049) by catch
bludgeon...
cheers,
catch
Those were the points I was making in my, 'asinine' way, I was agreeing with someone else (you showed two systems of memory organization and retention, so I'll take that as an 'agreed') so step off your high hat (*strikes a cymbal), ....apparently you already knew that...and I, apparently don't need to reread your post....silly, silly egoist.
Btw, biometrics will replace my ATM card, huh? So like, um...they're going to have to make retinal scans before they reissue my digits? Yeah, that sounds practical.
~edit, if you get into voice recognition implemented over the phone....eh...
bludgeon
July 29th, 2005, 07:39 PM
heh heh heh heh, okay, I tried, I can't refrain...."Mother Mary, God and Son help me!!!?" Crap, it didn't work again...
"...I personally think there is more of a chance of people quitting in a large corp. and leaving there binders laying around with passwords in it being more of a risk that a password in a wallet....but then, I'm dumb...and people like to tell me that.
That was bait, laid for a, heh, 'catch'...*silently thanks his psych profs in dealing with people who show signs of minimal meglomania...no skin off my flint, and you only bothered me enough to write this second post because you think you're sooooooo logically superior...
please disregard my misuse of 'there' for 'their', my typing isn't the best....
damn, I'm like a 'miss-type-tarded person'...please change 'that' to 'than' in reading the above quote. I'll give credit to the 'masses' that catch won't and assume that most people can see the flaw and replace the appropriate word while reading.
catch
July 29th, 2005, 09:45 PM
Gay jokes bludgeon? Grow up.
apparently don't need to reread your post....silly, silly egoist.
Clearly you do, because the point wasn't about how we can remember things beyond 7 chars, the point was the mutually exclusive obligation of remembering passwords longer than 7 chars while being forbidden from writing them down.
You can spend millions of dollars training your staff:(so training should be more intensive as far as password security is concerned)but it doesn't make a bit of difference. If your policy requires long passwords and prevents writing them down, it is not binding. In other words your policy is useless, sounds like a great idea!
When dealing with HR issues, you cannot only consider what people are capable of, you must consider what is reasonable to expect from the average person. Develop policy around that, not some post-training ideal, cause it'll never hold in court.
Btw, biometrics will replace my ATM card, huh?
Yes, eventually (a few organizations are already using them, Infonox and InnoVentry to name two). Earlier this month in Japan, the Japanese Bankers Association convened to standardize biometrics for use with ATMs.
Swapping biometrics for the ATM makes more sense than for the PIN. In two factor authentication, it is best to avoid coupling something you are with something you have as both of these can be reproduced. Two factor authentication should always include something you know, even if it is just the particular phrase that is said for voice recognition.
This is why, when biometrics eventually come around in the large scale... if they continue to use two factor authentication... they will replace the ATM card and not the PIN. (though many of the early biometric installations have foolishly switched to single factor authentication, but I suspect this is more of a way to introduce people to new technology through simplification than signs of a long term trend)
The word is "megalomania" not "meglomania" again with the typos, for someone who types as poorly as you do, I'd think you'd want to get away from passwords as fast as possible. Seriously, you must get locked out of your accounts all the time. Either from typos or for all those calculatory rules failing you. While I can replace the erroneous word with the correct one, would it be a good idea for your authentication system to also feature this capability?
cheers,
catch
PS. To clarify, I don't think I'm logically superior to you and I'd like to say that I'm not overly megalomaniacal, but such is the nature of mental illness that I wouldn't know. (and such is the nature of diagnostic criteria that neither would you) I do, however know that I am just plain better than you. ;) Deal with it.
The_Captain
July 29th, 2005, 10:09 PM
Catch and Bludgeon,
I think you both have very valid views. I think you both have very valid information. I happen to keep some passwords in my wallet anyways (for those rarely accessed systems), but that's all I have written down. I do not have the type of system, where it can be found, any of my personal information or username on there. I consider my system to be quite secure.
Have you two crossed paths at another post before? This seems to have blown up rather quickly. I don't think either of you are going to change the other's mind about this subject, so..... I would like to ask who thinks Catch is right and who thinks Bludgeon is right? (I would ask Catch and Bludgeon to kindly not vote since we all know where they strongly stand)
I have to say both of you have very compelling arguments, but in the interest of not being hypocritical I have to agree that it is ok to write my passwords down, but I do think we'll be moving away from them in the near future.
VictorKaum
July 30th, 2005, 12:52 PM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post851527) by MsMittens
Not by much. Especially given the way people are in public. I went for sushi today and listened to a group yapping about work. One guy was on his Blackberry and leaving it in public view. I've seen people leave their wallets open after taking out their credit cards. Any sticky notes, which often lose their "stickiness" in a hot wallet, tumble out, unbeknownst to the wallet owner. Personally, IMO, it leads to slack security views and a false sense of security.
Either do it all or not at all. Half-assed security doesn't help.
I agree, writing down and keeping the note in your wallet is asking for problems... what if the wallet is lost / stolen?
IMHO a better concept is to combine things to make passwords.
For instance, make a sentence and take every x letter from that sentence and add the number of letters or something similar.
eg: apples are green and trees are brown
aagatab7
About the maximum of 7 chars to be remembered, indeed this is correct. Experimental psychology taught us that we are only able to remember 7 things. And as a 'coincidence' a week consists of 7 days and in many countries phone numbers are in parts respecting the idea of 7 chars max; zone number + 6 digits so we can easily remember them. If they consist of more it becomes difficult.
I do not agree about the training of staff and difficulties that would bring, a human mind can easily be trained to remember more than 7 numbers in short memory and even in long memory. For example the waiter in a restaurant can train himself to remember instead of writing down. A system admin using complex passwords daily is probably capable of entering them just out of habit and key sequence instead of recalling from his pure memory, so he / she gets motor aid on typing the password. Some admins probably can't tell their passwords but can type them. This is also related to the post above where people remember a simple word or sentence to construct more difficult passwords. When you add logic you can remember a lot. Next thing is that many companies use fake words for their passwords, they use passwords that sound like words but they are not, just a wise use of consonants and vowels done by a password generator. Like for instance: retipogasefym
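The three construction schemes mentioned in this thread (the admin's "simple word plus a substitution system" from phr0zenf1sh's post, the "first letter of each word plus a count" sentence scheme above, and a consonant/vowel generator of the retipogasefym kind) are easy to write down as code, and doing so also lets you see how much guess-space each one actually has. The block below is an added example, not code from anyone in the thread. The digit and keyboard maps are assumptions: the post only says "1 for a" and "moving other letters up the keyboard", so the other substitutions and the QWERTY column layout used for "up" are mine, and the hypothetical policy threshold of 8 characters is only there to reflect the "longer than 7 chars" figure discussed later.

```python
"""Added example: three password-construction schemes from the thread, with
naive guess-space estimates. Not the original poster's code."""
import math
import secrets

# Scheme 1 (phr0zenf1sh's admin): swap some letters for digits, shift the rest
# one key "up" on a QWERTY keyboard. Only 'a' -> '1' comes from the post; the
# other two digit swaps and the keyboard layout are ASSUMED for illustration.
DIGIT_MAP = {"a": "1", "e": "3", "o": "0"}
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
UP_MAP = {}
for upper, lower in zip(QWERTY_ROWS, QWERTY_ROWS[1:]):
    for col, ch in enumerate(lower):
        UP_MAP[ch] = upper[col]          # key directly above, same column


def mutate_word(word: str) -> str:
    """Apply the admin's 'universal system' to a simple word."""
    out = []
    for ch in word.lower():
        if ch in DIGIT_MAP:
            out.append(DIGIT_MAP[ch])
        else:
            out.append(UP_MAP.get(ch, ch))  # top-row letters have nothing above
    return "".join(out)


# Scheme 2 (VictorKaum): first letter of every word, then the letter count.
def from_sentence(sentence: str) -> str:
    letters = "".join(w[0].lower() for w in sentence.split() if w.isalpha())
    return f"{letters}{len(letters)}"


# Scheme 3: pronounceable pseudo-word, consonant and vowel alternating,
# drawn with the secrets module so it is at least unpredictable.
CONSONANTS = "bcdfghjklmnpqrstvwxz"   # 20
VOWELS = "aeiouy"                     # 6


def pronounceable(length: int) -> str:
    pw = []
    for i in range(length):
        pool = CONSONANTS if i % 2 == 0 else VOWELS
        pw.append(secrets.choice(pool))
    return "".join(pw)


def pronounceable_bits(length: int) -> float:
    """Upper bound on entropy of scheme 3: every position drawn uniformly."""
    n_cons = (length + 1) // 2
    n_vow = length // 2
    return n_cons * math.log2(len(CONSONANTS)) + n_vow * math.log2(len(VOWELS))


def naive_bits(password: str) -> float:
    """Guess-space bound that treats every character as uniform over its class.
    For schemes 1 and 2 the real figure is far lower, since the letters are
    first letters of common English words or a dictionary word in disguise;
    an attacker who knows the 'system' only has to guess the seed word."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    return len(password) * math.log2(classes)


def meets_policy(password: str, min_len: int = 8) -> bool:
    """Hypothetical length check reflecting the 'longer than 7 chars' figure."""
    return len(password) >= min_len


if __name__ == "__main__":
    for label, pw in (("admin 'summer'", mutate_word("summer")),
                      ("sentence", from_sentence("apples are green and trees are brown")),
                      ("generated", pronounceable(13))):
        print(f"{label:16} {pw:16} naive {naive_bits(pw):5.1f} bits  "
              f"policy={'ok' if meets_policy(pw) else 'FAIL'}")
    print(f"scheme 3, 13 chars: {pronounceable_bits(13):.1f} bits if uniform")
```

The interesting number is the difference between `naive_bits` and what an attacker who has read this thread faces: for scheme 1 the search space is the dictionary of seed words times a handful of known substitution rules, and for scheme 2 it is the frequency distribution of English initial letters, so neither is anywhere near the 40-odd bits a character-class estimate suggests. Scheme 3, on the other hand, gets close to its stated bound because every position is drawn at random.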
bludgeon
July 30th, 2005, 01:29 PM
No right or wrong to this....really. Aside from me not using a spell checker, and being inebriated, wait I mean enebriated....heh heh...he's dealing with the future....I'm discussing the now as presented in the article. I'm attacking him by my comments b/c they were 'negative', but he can call me asinine....I think it's all pretty simple, you hit it on the head with hypocritical. I don't recall any 'debates', previously, Captain.
On to the 'catcher boy''....there's only one thing I really want to type out....and that's this....I am qualified :D. Are you? Seems to me like I just made a statement about a long word in reference to your comment on memory and retention (I've read the studies) and think it should all be looked at from a different angle....self fulfilling prophecies and all that, you took that a little 'too' personally, imo, and was the first to resort to 'name calling'. Who needs to grow up? If this forum is supposed to encourage discussions, your end all, know it all approach of telling me I'm wrong for my opinion isn't encouraging....wait no, I mean my Oponion, damn...did I get it wrong again? I didn't misspell egoist did I? ah hah hah...
jinxy
July 30th, 2005, 05:07 PM
The length, complexity, written down, memorized. It really is not that important. What is, is how fast you can realise and then react to compromise. All passwords can be extracted, either by theft, cracking, guessing, social engineering, coercion, etc. etc. It's not the password that is important, it's the password holder and his attitude to security.
It matters not whether a password is memorised, if the holder gives it out for a free coffee or if written down, if left for all to see.
Black Cluster
July 30th, 2005, 06:56 PM
Human factor {Human vulnerability} is still the most dangerous and unpatchable vulnerability, everything can be patched but the human brain .... I agree with jinxy!
catch
July 30th, 2005, 10:22 PM
The post was asinine because it failed to address what it was addressing. You put on the blinders and went forward with your ideas regardless of what new information had been put out there.
The point isn't whether or not you can train users to remember long passwords, consider the following truths:
- Security policies typically call for longer than 7 char passwords.
- Security policies typically prohibit the writing down of passwords.
- Users may be trained to reliably recall longer passwords.
- 7 chars is the maximum amount considered reasonable when requiring recall.
Even if you train your users, you still have nothing to stand on if they violate the security policy because the courts will rule it was an unreasonable expectation.
This means you can't fire them (well you can, but they can sue, and will win) for violation of the policy and you can't press charges if the system is compromised via the mishandling of their password.
An unenforceable security policy is an utterly worthless security policy. Doesn't matter who can remember what, with what kind of training. Consequently any training in this regard is wasteful since its ROI is nothing.
cheers,
catch
zencoder
July 31st, 2005, 05:42 AM
I would say describing a post as "asinine" and making a statement intended to call into question the sexual preference of the subject are not on equal grounds. Neither are really 'name calling', but one of them is basically at about the same age level...it's more like flamebaiting.
I know catch can seem challenging...I occasionally find his attitude to feel antagonistic or condescending...but tone is very difficult to properly convey through the media of forums and chat rooms. What I have come to learn is he usually has a f$cking clue as to what he's talking about.
Sorry bludgeon, but I don't recall seeing much from you that has made the same impression on me. Your followup posts have been more relevant to the discussion, but that one was simply childish and petty.
AO has been pretty good, from my perspective, in minimizing flame wars and such. It would be unfortunate to see that sort of behavior take root now.
bludgeon
August 3rd, 2005, 09:17 AM
heh heh....
/me has already taken root...and I'm done on this one, I hope the discussion continues....funny how these things work.
While I'm addressing the non-addressed, allowed me to dress, perhaps in a dress, or some lacy nightgown that you may call a 'frock', could be in a... mock... tribute...while I ponder the points brought up in this thread that I've already read, but been accused of disrespect in response..... everyone here seems to love the Latin language for their sigs, which I don't get, but since it's used....'Credendo vives' and 'cave canem'....my views are different, different than most, but I seem to butt heads with people who don't follow the concept of 'Rem tene, verba sequentur'.
Heh, someone attack my latin spelling, I'd like to turn this into a Monty Pythonish thread....
white_pawn
August 3rd, 2005, 09:53 AM
WRITE DOWN THE PASSWORD ON A PIECE OF PAPER AND GIVE IT TO ME :-P
bludgeon
August 3rd, 2005, 10:20 AM
Originally posted here (http://www.AntiOnline.com/showthread.php?threadid=269538#post852364) by zencoder
Sorry bludgeon, but I don't recall seeing much from you that has made the same impression on me. Your followup posts have been more relevant to the discussion, but that one was simply childish and petty.
I have not made an assessment on your character here...if you'd like it, I think I could manage the time....
...I wasn't going to write this, but once again, I feel I was instigated....you can see my flames in the addicts forum....when I'm intentionally offensive, it's apparent. When I'm bringing up points of discussion, I hope this is also apparent....meh, once again, I'm really done now....but as far as 'TONE" goes, chief Zencoder, it's an easy thing to see once you move through a person's posts and see the 'attitude' they take in responding to people....I've been here for a while, 'big dog ap man', even a bit before my join date...if I don't feel the need to rehash old tuts or respond to things that other people can answer better than me, you can't 'flaw' me for that, it's actually funny, some people would call me a smarter person for not....doing what you would 'flaw' me for...