hi
my captain and teacher of Morse code in the army used to tell us:
write the passwords on a piece of paper. Learn them by heart. Eat the paper.
Hi unvi$ible,
Well...I hope it was that cheap/thin recycled stuff and not 40lb glossy/cover-stock white bond :D
Eg ;)
Frankly, I tend to agree with Bruce...in a limited way.
I don't think you should keep all passwords this way, but it's a good idea for the typical lay person to keep a 'master password' in this manner. Seriously...if I want to crack your data that badly, this will only slow me down to a point. I'll have someone pick your pocket. Or hit you with a car, and steal the doc from your wallet while "trying to identify you while on the phone with 911", or any one of a number of things. But this would be good only for long, terribly complex passwords that can't be easily brute forced.
It's really sad to hear that users can't remember an 8-12 number/letter/symbol password without writing it down. Maybe we should beat them over the head with the keyboard so they can learn it by osmosis (the movement of molecules from an area of high concentration (the keyboard) to an area of low concentration (their brain)).
:D
~cheers~
Hey Hey,
I like your comments Relyt.... but it's true.. most people can't... I know of a system where the users are assigned 6-digit numeric-only passwords and 75% write them down and 40% of that 75% will forget the password.
Actually I had my first day of training at my new job today... One of the pages we received was a username and password "creation" sheet...
username = first initial + first 7 letters of your last name (why are people so stuck on this 8 character limit.... I've seen their systems... They're running 2000/XP.. no need for the limit).
The password was 8 characters.... couldn't be 7.. couldn't be 9.. had to be 8.. and it had to be alphanumeric (that was the good part at least).... however you couldn't use upper case... lower case only... then you had to write your password on a piece of paper and pass it to the front of the room.. username and password for all the new employees on these sheets of paper.. to be taken to IT so accounts could be created. Then we were told to write our passwords down on the documentation we were given... then we were told to leave our documentation in the room. Do we see any security flaws?
People are smartening up.. but only a little... if a person is keeping the password on their person.. by all means, write it down... but if you're displaying it in public... WTF are you thinking?
I've been told, at one of my jobs, on about 25-30 occasions to email the root password for our servers... and I'm sitting 20 feet away from the person that needs it.. but that person can't remember it and needs to have it in the email.
I vote for biometrics across the board...
Then again... we were talking about the doors at work (RFID opens them from the outside.. and from the inside there's a pushbutton to release the magnetic lock... Makes sense, that's how most card swipes (RFID, magnetic stripe or otherwise) usually work.. You need a way to release it on the inside.... but someone asked why you did that... The response was "It's to confuse intruders and keep them trapped in the building".. I was like, it's a big button that says push to exit.... how does that confuse them? A little further off topic, I also heard that in the future telephones won't operate over copper lines...they'll use our cable internet connections and the digital lines... (Last time I checked cable was still copper)..
Anyways.... Writing down your password and sticking it someplace safe is better than the person who uses KWallet to store their passwords and then puts the KWallet password on their monitor and labels it..
Peace,
HT
I should really get around to writing the "Good password practice" tutorial some time, I think I may already have done something similar though...can't remember, if anyone actually wants such a tut, pm me and I'll get on it....
- Noia
Frequency is the ' key '...exceptions always apply...
we remember those phone numbers and other numbers through frequency of use...the less frequent we need to use them the more likely we will forget them...if you want people to remember passwords make them have to use them...and the more frequent the better...then they won't need to write them down...eg. if you apply the rule that a person must log-off and log back in everytime they leave and return to their station...chances are it won't take too long before they have memorized it.
Exceptions always apply.
I found the easiest way to remember passwords was to create my own personalised password mask and then a key word.
Example of a mask (not the one I use obviously)
$keY99$word
$ = symbol
letters = alpha
999s = numeric
The keywords should not be dictionary words, e.g. use a home grown phonetic representation of a non-alphabetic language (Chinese, Japanese, Iroquois) or a passphrase.
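An added example (not code from the thread) that turns a mask like the one above into a checker and a generator, and also puts a number on the caveat a defender should keep in mind: if the mask itself becomes known, the attacker's search space is only the keyspace the mask allows, which is smaller than that of an unconstrained password of the same length. The same helper is applied to the 8-character lower-case-only alphanumeric policy described earlier in the thread. The class alphabets (`string.punctuation` for the `$` symbol class, ASCII letters for the letter positions, digits for `9`) are assumptions made here, since the post does not fix them.

```python
import math
import secrets
import string

# Character classes for the mask positions, as the post defines them:
#   '$' -> any symbol, any letter -> any letter, '9' -> any digit.
# The concrete alphabets below are an assumption of this example.
CLASSES = {
    "symbol": string.punctuation,      # 32 characters
    "alpha": string.ascii_letters,     # 52 characters
    "digit": string.digits,            # 10 characters
}
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94


def parse_mask(mask: str) -> list:
    """Translate a mask such as '$keY99$word' into one class name per position."""
    classes = []
    for ch in mask:
        if ch == "$":
            classes.append("symbol")
        elif ch.isalpha():
            classes.append("alpha")
        elif ch == "9":
            classes.append("digit")
        else:
            raise ValueError(f"unsupported mask character {ch!r}")
    return classes


def matches_mask(password: str, mask: str) -> bool:
    """True if every character of password is in the class the mask prescribes there."""
    classes = parse_mask(mask)
    if len(password) != len(classes):
        return False
    return all(ch in CLASSES[cls] for ch, cls in zip(password, classes))


def keyspace_bits(alphabet_sizes) -> float:
    """log2 of the number of strings obtainable by picking one symbol per position."""
    total = 1
    for size in alphabet_sizes:
        total *= size
    return math.log2(total)


def mask_keyspace_bits(mask: str) -> float:
    """Work faced by an attacker who knows the mask and brute-forces only what fits it."""
    return keyspace_bits(len(CLASSES[cls]) for cls in parse_mask(mask))


def unconstrained_bits(length: int) -> float:
    """Keyspace of a password of the same length drawn from all printable ASCII."""
    return keyspace_bits([len(PRINTABLE)] * length)


def policy_bits(length: int, alphabet: str) -> float:
    """Keyspace of a fixed-length password restricted to one alphabet (e.g. lower-case alnum)."""
    return keyspace_bits([len(alphabet)] * length)


def generate_from_mask(mask: str) -> str:
    """Fill the mask with random characters from each class, using the CSPRNG in secrets."""
    return "".join(secrets.choice(CLASSES[cls]) for cls in parse_mask(mask))


if __name__ == "__main__":
    mask = "$keY99$word"
    print(matches_mask("$keY99$word", mask))          # the post's own example fits its mask
    print(matches_mask("#abC12!xyzq", mask))          # another fill of the same mask
    print(f"mask keyspace:      {mask_keyspace_bits(mask):.1f} bits")
    print(f"unconstrained (11): {unconstrained_bits(11):.1f} bits")
    lowercase_alnum = string.ascii_lowercase + string.digits
    print(f"8-char lower alnum: {policy_bits(8, lowercase_alnum):.1f} bits")
    print(generate_from_mask(mask))
```

The numbers are the point: a known 11-position mask of this shape leaves about 56 bits of search space against roughly 72 bits for an unconstrained 11-character password, and the 8-character lower-case alphanumeric policy from earlier in the thread sits around 41 bits, which is why the post's advice to keep the mask private and the key word out of dictionaries matters.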
I think the point that is being missed (or overlooked...deliberately?) by InfoWeek is that Bruce Schneier is not an advocate of still using passwords, and thinks that the industry should have already moved on beyond them.
I absolutely agree with this (and No, I don't work for RSA or SmartWord). So I could turn that statement around on you...do it right, or don't do it at all...why do a half-assed job? Passwords are the most vulnerable 'accepted by industry' form of authentication that we use. I could make the argument that if you're using a password to access important or sensitive information, you're already failing to use proper security.
We spend a LOT of money on firewalls, IDS, AV, A-malware, RFID badges...and we can't spend the $20/user per year for a USB based token authentication system? Pathetic.
Now I can already hear the "but the <really important and completely unreplaceable software package> only supports PASSWORD authentication". Don't be crappy software. It's all I can say...I see it here regularly from a few folks...catch maybe? I forget who...but they repeat it like a litany or mantra. Don't buy software that sucks.
</stirring-the-pot> Yes, some strong statements in there that I am sure to regret at a later date. :)
No. The point is valid. The usage of RSA token devices seems to have rocketed (at least from what I see of my CISSP students). It's relatively easy to implement and a two-factor or three-factor authentication has got to start becoming the norm. Reliance on simply what you know (remember) isn't sufficient, particularly with our aging baby-boomers.
As the saying goes... Memory is the 2nd thing to go as you get older.