Write down your passwords

A few years back I caused quite a stir when I mentioned in passing during a presentation that writing down your password is a really good idea. A journalist in the room decided that saying so qualified me as insane, and my employer sending an insane person all the way to Australia to give a presentation was newsworthy, so he drummed it up far bigger than it really was.

I still maintain that writing your password down is the only sane thing to do. At last count, I have 114 different passwords, for different systems, and those are only the ones I actually care about and need written down. The reason I am able to have 114 different passwords is because I do write them down. Personally, I tend to use Password Safe. It is convenient, relatively secure, and the few bugs it has are mostly annoyances.

Then, a few weeks back, I received an unsolicited e-mail asking if I wanted to review a new password organizer. I, of course, said yes. Then, a few days later, this arrived:

[Image: the Password Organizer, a printed book for recording passwords]

OK, that was not what I expected. Innovention Lab had actually taken me very literally when I quipped that the Chinese invented a cure for poor memory thousands of years ago.

My first thought when I saw this was "OK, I know what I would steal first." And that is definitely the big shortcoming of the Password Organizer. It is quite clear what it is, and no password is required to read the passwords stored in it.

For some, however, this may be a good way to solve the problem of password overload. I once helped a mortgage broker get started with Password Safe, and after having gone back and forth via e-mail for about a week, I was ready to give up. Password Safe has a discussion forum with thousands of posts, most of which deal with problems using it. It is simply too complicated. The password managers that are not complicated are not secure enough. By contrast, no user manual is required to use the book. That, I think, may be what is needed to fill a very large but unique niche. For a home user, or even a small business owner who can ensure that the book stays protected, something like the Password Organizer may be just the ticket. If the bad guy can get to the book, a lot of other security has already been breached, and you have very big problems.

Personally, I do not plan on using it. I move around too much and I do not want to have to carry the book with me. I also like to use unique randomly generated passwords. For example, the password for my bank is over 20 characters long. That may be the second very large shortcoming of the Password Organizer: it does not help me generate random passwords. After all, what that journalist failed to listen to several years ago was my claim that, as long as your password is written down, you don't have to know what it is.

Published 04 February 2008 05:09 PM by jesper

Comments

# Kevin I said on 04 February, 2008 09:17 PM

KeePass is a great tool for that as well. It is MUCH more functional. My favorite part: I can put in alternate names and passwords, and I can actually send them over a TS session to log me in. So I can set it up to 'auto-type' just the password (not the username/password -- it's configurable) and have multiple logins and get into any of them with a push of a button. Fantastic.

I highly suggest you check it out, very cool - and a lot of even nicer security features for those that are truly paranoid, although I tend to turn them off (you have to check it out to understand).

http://keepass.info/index.html

# Patrick Ogenstad said on 05 February, 2008 08:27 AM

I'm a happy user of Passwordsafe; the only issue I've had is that sometimes the passwords don't get sent to the clipboard when I click on an entry.

Did you get any instructions for how to create a backup for that book? :)

# wisher said on 05 February, 2008 03:02 PM

I use keepass and I find it good.

Do you think that PasswordSafe is better?

# HiltonT said on 06 February, 2008 04:28 PM

I've been using Roboform for quite some time now and find it extremely useful.  To the point that I purchased the "PDA" version of it so that I can lug my passwords around on my PDA as well - this works better than a secured SharePoint (or other similar) site when you're onsite and a client has no Internet connection, which is why you'd be onsite!

# Chris said on 06 February, 2008 04:32 PM

I never really understood the logic of trying to remember more than one password. Even writing down the password seems silly. Just the act of trying to come up with enough unique complex passwords is crazy.

Of course I went through these steps until I ran across a mechanism to generate a unique password for each site I visit, without having to remember or write down the unique password.

Have a look at www.dscoduc.com/pwmaker.aspx for an example of what I am talking about...

# Anonymous Coward said on 08 February, 2008 08:37 AM

I find the Microsoft Fingerprint Reader works great for me and all my website logins. Granted it only works on my machine and not out and about, but that suits me down to the ground. Nothing like my username and a long password like F!ngErPr|n7-Re@der being written & logged in in less than a second; it even works with TrueCrypt! And I can create multiple profiles using my other hand or finger. And all my login details can be backed up and placed in my TrueCrypt vault. As you can tell, I think it's cool!

# Jeff Centimano said on 15 February, 2008 10:42 AM

Jesper - I agree that keeping a printed copy of your passwords is a good idea. One reason is the dreaded 'hit by a truck' scenario. Do you really want to force your next of kin to learn/use your password manager in order to access important e-mails, bank records, etc.? Nope - life will be stressful enough.

I print my password list a few times per year and keep it in the fire-proof safe w/ my will and other important papers. Of course this safe is locked up and kept in a secure place within the house. The list includes URLs in addition to credentials. Again - the goal is to make accessing my info as easy as possible.

Finally - my choice for password mgmt. tools is Acerose. Conforms to the KISS principle and works great on XP and Vista. Check it out at www.dexadine.com/acerose.html

Cheers --Jeff

# Anthony Bouch said on 19 February, 2008 06:15 PM

Hi Jesper - interesting post. Bruce Schneier also describes writing down a password as another 'factor' for authentication - "something you have".

On a separate, but related topic - can you recommend a good password generator? Ideally with a pronounceable password option as well.
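As an added example (not part of the original post or any commenter's tool), the following Python script illustrates two points raised above: the post's preference for long, fully random passwords that nobody has to memorize, and the request for a pronounceable option. It generates both kinds with a cryptographic random source and reports the entropy of each scheme; the consonant/vowel syllable scheme is an assumption made here for illustration.

```python
import math
import secrets
import string

# Character set for fully random passwords: letters, digits and punctuation (94 symbols).
RANDOM_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Building blocks for the pronounceable option (assumed scheme: consonant-vowel syllables).
CONSONANTS = "bdfghjklmnprstvwz"
VOWELS = "aeiou"


def random_password(length=24):
    """Uniformly random password from RANDOM_ALPHABET, using the OS CSPRNG via secrets."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def random_entropy_bits(length=24, alphabet=RANDOM_ALPHABET):
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def pronounceable_password(syllables=6, digits=2):
    """Consonant-vowel syllables followed by random digits, e.g. 'kotibezalupa42'."""
    body = "".join(secrets.choice(CONSONANTS) + secrets.choice(VOWELS)
                   for _ in range(syllables))
    tail = "".join(secrets.choice(string.digits) for _ in range(digits))
    return body + tail


def pronounceable_entropy_bits(syllables=6, digits=2):
    """Each syllable is one of |CONSONANTS|*|VOWELS| choices, each digit one of 10."""
    per_syllable = math.log2(len(CONSONANTS) * len(VOWELS))
    return syllables * per_syllable + digits * math.log2(10)


def compare(length=24, syllables=6, digits=2):
    """Generate one password of each kind and return them with their entropy estimates."""
    return {
        "random": (random_password(length), random_entropy_bits(length)),
        "pronounceable": (pronounceable_password(syllables, digits),
                          pronounceable_entropy_bits(syllables, digits)),
    }


if __name__ == "__main__":
    for kind, (pw, bits) in compare().items():
        print(f"{kind:14s} {pw:30s} ~{bits:.1f} bits")
```

The 24-character random password carries roughly 157 bits against about 45 for the 14-character pronounceable one, which is the trade-off the post's "you don't have to know what it is" argument sidesteps by writing the password down.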
