
Microsoft security guru: Jot down your passwords (2005) - Tomte
http://www.cnet.com/news/microsoft-security-guru-jot-down-your-passwords/
======
korethr
I seem to recall Bruce Schneier advocating the same strategy:

> I write my passwords down. There’s this rampant myth that you shouldn’t
> write your passwords down. My advice is exactly the opposite. We already
> know how to secure small bits of paper. Write your passwords down on a small
> bit of paper, and put it with all of your other valuable small bits of
> paper: in your wallet. [1]

I think this is a viable strategy. And I don't think the fact that a wallet
can be lost or stolen should dissuade a person. If your wallet is stolen,
you're already facing a security compromise, with or without written passwords
inside. Your typical wallet is going to contain ID cards, bank and credit
cards, etc. You already need to cancel those cards and get new ones issued.
Fortunately, by being in the wallet, those passwords will be rather secure.
IME, people seem to understand losing one's wallet is Serious Business.

The common advice against writing passwords down is not the only bit of
perverse security policy I've encountered. On the AIX boxes at one of my
employers, it wasn't so bad that password policy required a minimum length of
multiples of letters, numbers, and symbols and forbade reusing the past N
passwords. No, what was BS was that the policy also forbade X repeated
letters, and Y letters that were in any of the Z previously used passwords.
Now, while this might have been intended to prevent users from using passwords
like "aabbccdd1", "aabbccdd2", "aaaabbbb3", etc, it also in effect forbade
stronger passphrases. The longer a passphrase is, the more likely you are to
have multiple repeated letters, or letters that occurred in the last few
passphrases. There are only 5 vowels in the roman alphabet, and many words use
more than one. For example "correcthorsebatterystaple", has 6 repeated
letters, and its replacement of "wargnomefinaltreetruce" not only has 4
repeated letters, but 5 letters used in the previous passphrase, thus forcing a
much weaker password like "FuckA1X!". Oops.

1. [http://freakonomics.com/2007/12/04/bruce-schneier-blazes-thr...](http://freakonomics.com/2007/12/04/bruce-schneier-blazes-through-your-questions/)

~~~
IncRnd
You are, of course, correct. The main issue isn't with writing them down but
with people finding them if they are written down.

This means not putting passwords on a post-it on the monitor and to guard them
like you guard your wallet or house "keys", wherever they are written down or
otherwise recorded.

Of course, with so many passwords in one place, it's best to do a little
planning in case a paper gets lost or wet. It's also a good idea to consider
what might happen if ALL passwords get disclosed at once.

~~~
midgetjones
If they just steal your computer, they'll most likely still be logged in to
many services already. If there's no password at login, they can already
request a password change and a confirmation email from any other site.

Not to mention autofill - my Dad is a terror for this. He sees it as a
convenience, but I'm pretty sure his autofill could file his tax return for
him by now.

~~~
IncRnd
This is what disk encryption targets.

------
VonGuard
Writing down your passwords is not about forgetting your passwords and needing
the written page at all times. It's about having a backup that is behind lock
and key (your front door). It's about "oh, shit, what's my login for this
meaningless site I use once a quarter?" And it's about your spouse being able
to get into those things if you die.

~~~
teach
This 100%. I keep a printed QR code in my wallet encoding my password
manager's master password. Just in case.

~~~
nathancahill
> behind lock and key

Uhhh..

~~~
teach
I'm not in a high risk group for wallet compromise. I'm over forty and have
never lost my wallet or keys even once my whole life. I have many flaws, but
misplacing small valuables isn't one of them.

~~~
Humdeee
I don't know... My house has never been broken into in my life, but it doesn't
mean I don't lock my door at night or when I go to work.

~~~
teach
Fair point, but I consider my house being broken into a couple of orders of
magnitude more likely than my wallet being compromised.

Plus, leaving my house unlocked has no utility, whereas having a scannable
copy of my master password with me at all times does.

Finally, the consequences of my house getting broken into are pretty bad. But
even if I _did_ lose my wallet it's virtually certain to be someone that knows
nothing about password managers, and changing my master password is pretty
easy.

------
w8rbt
Bruce Schneier has said this several times too:
[https://www.schneier.com/blog/archives/2005/06/write_down_yo...](https://www.schneier.com/blog/archives/2005/06/write_down_your.html)

------
mikegerwitz
Beware of other important considerations when writing down passwords. For
example, law enforcement can demand that you hand over a sheet of paper, but
they cannot force you to divulge a password from memory. But each password
carries its own weight, so while you may care about this for your disk
encryption, you may not for your social media account.

There's also the risk of creating weak passwords so that they're easier to
type. Ideally, your password would be generated randomly by a computer, or
using other methods, like dice (e.g.
[https://www.eff.org/dice](https://www.eff.org/dice)).
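The dice-based generation this comment points at works by rolling five dice per word and using the roll as an index into a fixed wordlist. The following is an added example (not code from the thread or from the EFF) showing that indexing, a CSPRNG stand-in for physical dice, and the entropy arithmetic a practitioner uses to decide how many words are enough. The sixteen-word list is constructed for the demo; real lists have 7776 entries, and only the constant below reflects that size.

```python
import math
import secrets

# Size of a five-dice wordlist: every roll sequence 11111..66666 maps to a word.
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

# Constructed toy wordlist for the runnable demo; NOT a real dice wordlist.
DEMO_WORDS = ["acorn", "basil", "cobra", "delta", "ember", "flint", "gusto", "harp",
              "ivory", "jumbo", "kiosk", "lemon", "mango", "nylon", "oasis", "pixel"]


def dice_to_index(rolls):
    """Map a sequence of die rolls (each 1..6) to a zero-based wordlist index.

    The rolls are read as a base-6 number, so five rolls cover 0..7775, which is
    exactly how a five-dice list is indexed.
    """
    if any(r < 1 or r > 6 for r in rolls):
        raise ValueError("each roll must be between 1 and 6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def roll_dice(n, rng=secrets):
    """n die rolls drawn from a CSPRNG; stands in for physical dice."""
    return [rng.randbelow(6) + 1 for _ in range(n)]


def generate_passphrase(wordlist, n_words, rng=secrets):
    """Pick n_words uniformly at random so every word is equally likely."""
    return " ".join(wordlist[rng.randbelow(len(wordlist))] for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def words_needed(wordlist_size, target_bits):
    """Smallest word count that reaches at least target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


if __name__ == "__main__":
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 4))
    print("index for rolls 6,6,6,6,6:", dice_to_index([6, 6, 6, 6, 6]))
    print(round(passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6), 1), "bits for 6 words")
    print(words_needed(DICEWARE_LIST_SIZE, 80), "words needed for 80 bits")
```

The entropy figure depends only on the list size and word count, not on which words came up, which is why a passphrase made of ordinary dictionary words is still strong when the words were chosen by dice rather than by a person.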

------
devy
In 2005, password managers weren't very popular if there were any. Certainly
the good ones didn't even exist[1].

I personally think that jotting down passwords physically is worse than saving
passwords in a good password manager. Now, there are a few good ones, like
1Password[2].

So no, I disagree with this security guru's advice with the exception of 2FA
recovery codes.

[1]
[https://en.wikipedia.org/wiki/List_of_password_managers](https://en.wikipedia.org/wiki/List_of_password_managers)
[2]
[https://en.wikipedia.org/wiki/1Password](https://en.wikipedia.org/wiki/1Password)

~~~
mikestew
My wife still needs to get in in the event of my demise. That's why the
1Password master password and the creds to my main machine are taped to the
inside of the gun safe. If someone gets into _that_ , we've got bigger
security issues.

~~~
devy
I took Edward Snowden's advice of using long phrase/sentences as the super
security password, no crazy signs / punctuation marks required ;)

~~~
binthere
The thing is: If your password is exposed once on one site, the rest of your
passwords could be guessed eventually. Unless you take some additional
steps to make it really hard for anyone or any software to guess your
password. See other comments on this thread.

------
youdontknowtho
Bruce Schneier does the same thing.

Quote: I write my passwords down. There's this rampant myth that you shouldn't
write your passwords down. My advice is exactly the opposite. We already know
how to secure small bits of paper. Write your passwords down on a small bit of
paper, and put it with all of your other valuable small bits of paper: in your
wallet.

------
rkv
I'm surprised at how many programmers I meet who don't use a password manager.
In my work alone I have over 30 credentials to remember and they expire.

An aside, I use KeePass and strictly use it offline with a secret key and
passphrase. Browser integration and mobile and desktop KeePass apps are not
really polished and all have their own quirks. I've noticed a huge audience of
1Password and other password managers that store the passwords in the cloud.
The apps and integration look good but I can't justify trusting someone else to
handle my data. Am I being too paranoid?

------
binthere
The only reason why this is challenging for me is because I use passwords not
just when I'm home: I could use them at work, or on my phone (being anywhere -
something probably not considered back in 2005?).

So having this list of passwords on a piece of paper (or whatever) becomes
difficult since I'd need to consult it many times, leading to:

1. Higher risk of someone stealing it from me.

2. Higher risk of losing it.

So far, I've used some mental mnemonics to remember passwords (which is not
safe since it can be easily discovered by a machine learning algo for example)
+ 2 factor auth.

I wonder if there's a better option though.

~~~
midgetjones
There's always these:
[https://www.qwertycards.com/](https://www.qwertycards.com/)

It can take a while to encode/decode each time, but it does somewhat solve the
problems you mentioned.

~~~
lemmings19
If you take the process they outline and memorize it, you're rid of having to
carry around something physical. You can still store the formula somewhere
safe in case you forget it or something happens to you.

You might be surprised how little effort it takes to memorize. Half an hour a
day for a few days can do it for a lot of people, followed by putting it in to
practice.

The password creation process:

[~8 characters including lowercase, uppercase, and special characters]

+

[a secret word or set of characters ~8 characters long]

+

[a simple encryption method for the alphabet which you use to write the
service's name down]

eg. [qWeRtY4$] + [bananas] + [ibdlfsofxt]

Which comes out to: qWeRtY4$bananasibdlfsofxt

Decrypter for the last section ('ibdlfsofxt' is 'hackernews'):

a = b, b = c, c = d, d = e, e = f, f = h, h = i, i = j, j = k, k = l, l = m,
m = n, n = o, o = p, p = q, q = r, r = s, s = t, t = u, u = v, v = w, w = x,
x = y, y = z, z = a

Take those three steps and randomize them or make them something unique to you
and you're good to go.

Probably the most important part of your password is the length. The longer a
password is, the longer it will take for software to break it with brute
force. If the service you're using has a three character name, you'll be
relying on the first two parts of your passwords to reach a good length. It's
good to keep those two at a combined length of around 14+ characters.

eg. [1234567]+[1234567]+[aws] = 17 characters

Some problems with this method:

A: If your password requires changing.

- To solve this, you could choose a character in the first sequence that you
can increment every time you have to change your password. You could also
choose a different word for the second section. Plan ahead for this scenario.

B: The service you are using doesn't allow a password with one of your special
characters.

- You could try using special characters that are very commonly accepted when
you create your password, such as the exclamation mark. Though, this _does_
take away from the security.

- You could also have a secondary password; one that is simplified and
doesn't rely on special characters. You can have this as a backup for services
that have limiting password requirements.

eg. [qwerty]+[bananas]+[ibdlfsofxt]

C: The service you're using doesn't allow a password of that length.

- As with problem B, you could have a secondary password ready ahead of time,
e.g. [tY4$] + [ibdlfsofxt]

~~~
binthere
I think that the problem for quick and easy memorizations is that it could
also be easy for an algorithm to crack it.

For example you have:

[qWeRtY4$] + [bananas] + [ibdlfsofxt]

If your password is exposed:

[qWeRtY4$] = remains the same for all passwords

[bananas] = remains the same for all passwords

[ibdlfsofxt] = changes for all passwords

Cracking the part that "changes" is probably not going to be difficult for a
machine since you are associating the place name (hackernews or aws) with the
part that changes (same number of characters). Then it won't take long for a
machine to guess that you are replacing with the next alphabet letter or
something else that is easy for a human to remember.

In that sense, I believe QWERTY cards are a bit more secure in this sense
since it's just random characters assigned to each key, and each card is
unique. It takes away the "easy to remember" part since you will have to look
at the card, but it will be some orders of magnitude harder for a machine to
guess it.

After multiple breaches, however, your encryption table might be exposed too.
At this point you will have to change your passwords and get a new card.
Probably do it every 3 months?

I don't know, sounds like a lot of work and maybe too paranoid, but I'm
hopeless when thinking about password creation and making it easy to remember.
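The scheme lemmings19 describes (constant prefix + constant secret word + the service name under a letter substitution) and binthere's objection to it can both be checked concretely. The following is an added example, not code from either commenter: it builds passwords the way the scheme does, using the uniform shift-by-one that the 'hackernews' to 'ibdlfsofxt' example implies, and then measures how much of each password actually varies between services. The function and variable names are my own.

```python
import math
import string

ALPHABET = string.ascii_lowercase


def caesar_shift(text, shift):
    """Move each lowercase letter `shift` places forward, wrapping z -> a.

    Characters outside a-z (digits, punctuation) pass through unchanged.
    """
    out = []
    for ch in text:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def build_password(prefix, secret_word, service, shift=1):
    """Three-part scheme from the thread: prefix + secret word + encoded service name."""
    return prefix + secret_word + caesar_shift(service.lower(), shift)


def candidate_tails(service):
    """All tails the scheme can produce for a service if the substitution is
    some Caesar shift. There are at most 26 of them, whatever the service."""
    return sorted({caesar_shift(service.lower(), s) for s in range(26)})


def variable_part_entropy_bits(service):
    """Entropy left in the service-dependent part once the constant parts are
    known from a single exposed password and the service name is public."""
    return math.log2(len(candidate_tails(service)))


def shared_prefix_length(pw_a, pw_b):
    """Length of the common leading run of two passwords from the scheme;
    comparing two exposed passwords reveals exactly the constant parts."""
    n = 0
    for a, b in zip(pw_a, pw_b):
        if a != b:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed values taken from the thread's own example.
    hn = build_password("qWeRtY4$", "bananas", "hackernews")
    aws = build_password("qWeRtY4$", "bananas", "aws")
    print(hn)                                   # qWeRtY4$bananasibdlfsofxt
    print("constant characters:", shared_prefix_length(hn, aws))
    print("variable-part entropy for 'aws':",
          round(variable_part_entropy_bits("aws"), 2), "bits")
```

The numbers make the trade-off visible: the full string is 25 characters, but 15 of them are identical across every site, and the remaining part is one of 26 candidates for any given service name, which is about 4.7 bits. That is the quantity a defender should compare against the per-site randomness a password manager or dice passphrase gives, not the total length.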

------
ocdtrekkie
It's worth noting that the likelihood of someone hacking your preferred
password manager is drastically higher than the likelihood of someone breaking
into my house and rifling through my drawers. (My passwords aren't there
either, because my memory is REALLY good at passwords, but I'd rather put them
in my desk drawer than a password manager.)

~~~
ralmeida
What happens if you're incapacitated somehow (say - car accident and coma for
a few days, or worse)?

~~~
ocdtrekkie
That'd suck, and I'd imagine whether or not I remembered all my passwords
would no longer be my top concern in my life. Everything eventually filters
down to an account tied to my real identity that has customer service (I don't
rely on Google anymore), so presumably I could prove my identity outside of
the Internet.

~~~
taeric
I think the point was more if you have family that would need the password
then.

~~~
ocdtrekkie
The same is applicable. Even if I were to die, a death certificate and a
family member can get into an account. In most cases though, it's unlikely
they'd need to. Close out my credit card, and everything else is going to, by
very nature, shut off (eventually).

~~~
taeric
I mean to expand. Yes, that works and is honestly what I rely on.

I will add that it is more cumbersome than it needs to be for family. I highly
encourage everyone to make sure immediate family is joint owner of critical
things. Makes transitions much easier. (Though, yes, there are valid reasons
not to do that.)

------
the_duke
For many years, I've been using a simple scheme: a prefix/suffix that's the
same for all passwords, and identifiers for the service and username.

For example, something like this

[$#__1077__#$]---!SERVICE!USERNAME!

So, for Hackernews, I would use h for hackernews and t for theduke -->
[$#__1077__#$]---!h!t!

Now all I have to remember is the template and my username.

For accounts that need regular password changes I'll add an additional part
that identifies the year and the quarter.

Of course, if someone were to get a hold of the cleartext password for one site,
they might be able to figure out the scheme and get into all my accounts.

But that's a risk I'm willing to take (except for very important
accounts/passwords, which get randomly created).

~~~
WaxProlix
I do something very similar, but sometimes you run into passwords that
disallow certain special characters and it's awful.

------
matco11
Not writing down passwords made sense >20 years ago when the main threats you
wanted to defend from were "local" because internet connectivity was not
ubiquitous, and you would have only one password or two to manage...

In today's world with widespread internet connectivity and dozens of passwords
to manage, password managers and/or writing down and (certain) dual factor
identification approaches make more sense...

------
stretchwithme
What I do is record clues to what the actual password is. Clues that only I
know the meaning of.

I was given a random password for an account years ago and came up with a
sentence that I associate with the original random password.

Whenever I use that random string in a password and I want to write down the
password, I record that sentence instead of the original random string.

That way anybody that finds what I've written can't really use it.

------
marcrosoft
There is a third option:

Write down or save most of your password in a password manager. Add a secret
prefix or suffix string to this password from memory when logging in.

This effectively gives you MFA. Something you have, something you know.

Every login gets a different password (that you don't have to remember) yet
nobody knows the real password even if the password manager or piece of paper
is compromised.

------
barking
I forgot my password last year for a government taxation site. I called them
and the person I was speaking to gave me a couple of clues and I was able to
remember it. Clearly she was looking at it. My main feeling at the time was
relief that I hadn't used an embarrassing one.

------
0xdeadbeefbabe
I've noticed music theory is especially good for coming up with good password
schemes that also encourage rotation. I've wondered if chemistry students have
a similar edge.

------
jszymborski
What about the fact that you can't be compelled by courts to reveal a password
that you have memorised, but you can be compelled to hand over physical keys.

------
0xdeadbeefbabe
I remember things I jot down; I forget things that I type. I'm done ignoring
that insight, but most people do ignore it.

