Cleverness Appreciated
Posted: 02 December 2008 03:17 AM   [ # 19 ]
Research Scientist
Total Posts:  7061
Joined  04-15-2006
Derek Jones - 02 December 2008 01:11 AM
Kevin McGehee - 01 December 2008 09:40 PM

Wait. You mean “password” isn’t a good password?

Nay, good security practices demand that you use password1 instead!

Darn, did you have to give out my password in the plain like that Derek? Couldn’t you have at least encrypted it first? ;)

Posted: 02 December 2008 04:07 AM   [ # 20 ]
Lab Assistant
Total Posts:  145
Joined  03-18-2006

All jokes aside, from a gumbie point of view there is a reason why people tend to go for simplistic passwords even though we know we shouldn’t.

For starters I have, well several just for work and they are changed on a regular basis, which is enforced.  I’m not supposed to write them down or record them.  Just remember them.  Saying that when I was first given the ‘lesson’ on password security and followed said advice on a file on my personal computer well I promptly forgot the password and was locked out of said file for a good 12 months until I found a program to crack said password.  I’ll also say that took quite a few programs since most failed.  Of course that might be because I really do not know anything about those types of programs.

Add to all the work passwords the private ones and how the heck is one expected to remember them all if you truly create a password that no one will guess?  Particularly if one is not supposed to record them either.  If no one else can guess it I’ll lay odds I’m not going to!  That tends to be the major problem with creating passwords.

Unless you have a photographic memory I guess.

Posted: 02 December 2008 05:09 AM   [ # 21 ]
Moderator
Total Posts:  16153
Joined  05-15-2004
cmw1 - 02 December 2008 04:07 AM

Add to all the work passwords the private ones and how the heck is one expected to remember them all if you truly create a password that no one will guess?  Particularly if one is not supposed to record them either.

This is a well-researched issue, in fact. Bottom line seems to be writing it down might not be such a bad thing after all, if you actually put a little care in it. As a rule, passwords are not meant to be safer than regular keys and there possession is sufficient, too. I actually store all of my passwords in a little purpose-built electronic device I keep on my key ring.

Posted: 02 December 2008 05:24 AM   [ # 22 ]
Research Scientist
Total Posts:  7061
Joined  04-15-2006

I remember when I was a kid (going back quite a few years now) having a Griffin Savers (now HSBC) account. The way they taught children to remember their pin numbers was to have the letters from A to Z printed on a small card and then you would choose an easy to remember word but not one that meant anything to you and you would place your pin number into those letters in order. After that you just filled up the rest of the card with any letters you liked.

I suppose it could possibly work for longer passwords if you are careful. Was quite simple really but obviously relies on you not choosing a word anyone would guess. I went for something daft like band or something like that but it was a quite clever way to get kids into thinking about password safety.

 
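The card scheme described in post # 22, as an added example that is not part of the original post. It assumes the spare slots are filled with random digits and uses a constructed PIN, key word and word list; all function names are hypothetical.

```python
import secrets
import string

LETTERS = string.ascii_uppercase
COMMON_WORDS = ["love", "band", "star", "king", "blue"]  # constructed sample list


def make_card(pin, word):
    """Return {letter: digit}: PIN digits under the key word's letters, decoys elsewhere."""
    word = word.upper()
    if not (pin.isdigit() and len(pin) == len(word)):
        raise ValueError("need one PIN digit per letter of the key word")
    if len(set(word)) != len(word) or not set(word) <= set(LETTERS):
        # One slot per letter: a repeated letter cannot hold two digits.
        raise ValueError("key word must use distinct letters A-Z")
    card = {ch: secrets.choice(string.digits) for ch in LETTERS}  # decoy digits
    card.update(zip(word, pin))  # overwrite the key word's slots with the PIN
    return card


def read_pin(card, word):
    """Recover the PIN by reading the slots named by the key word, in order."""
    return "".join(card[ch] for ch in word.upper())


def candidate_pins(card, wordlist):
    """PINs that someone holding the card could derive from a list of likely words."""
    pins = []
    for w in wordlist:
        if set(w.upper()) <= set(LETTERS):
            p = read_pin(card, w)
            if p not in pins:
                pins.append(p)
    return pins


if __name__ == "__main__":
    card = make_card("4929", "band")  # constructed PIN and key word
    print(" ".join(LETTERS))
    print(" ".join(card[ch] for ch in LETTERS))
    print("read back:", read_pin(card, "band"))
    # The card hides the PIN only as well as the word is hidden:
    print("PINs reachable from a 5-word list:", candidate_pins(card, COMMON_WORDS))
```

The decoy digits add nothing once the key word is on a short list of likely words, which is the weakness the post points out.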
Posted: 02 December 2008 07:32 AM   [ # 23 ]
Grad Student
Total Posts:  92
Joined  08-07-2008

I loved working at corporations that made me change my password every 30 days.  All I did was append an incremented number at the end.  ‘password1’ eventually turned into ‘password32’ although I think I left before I made it to ‘password48’. 

‘password23’ was cool because I got a raise.

Posted: 03 December 2008 02:36 AM   [ # 24 ]
Lab Assistant
Total Posts:  145
Joined  03-18-2006

Ingmar nice idea but work would have a spastic attack.

Kevin you hit the nail on the head and that is what I was getting at.

Personally I think by enforcing a change in password that regularly it in turn means that a great many people create simplistic passwords which counteracts what the organisation was trying to achieve in the first place.

 
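The 'password1' to 'password32' habit from posts # 23 and # 24, seen from the side of the system that enforces rotation; this is an added example, not part of the original posts. It assumes the change form receives the current and the proposed password together, and every name and sample value in it is constructed.

```python
import re

# Split a password into a stem and a trailing run of digits/punctuation,
# e.g. "Password48!" -> ("Password", "48!").
_SPLIT = re.compile(r"(.*?)([\d\W_]*)", re.DOTALL)


def split_counter(password):
    stem, suffix = _SPLIT.fullmatch(password).groups()
    return stem, suffix


def is_incremental_change(current, proposed):
    """True when the proposed password is the current one with only its
    trailing counter or punctuation (or letter case) changed."""
    old_stem, _ = split_counter(current)
    new_stem, _ = split_counter(proposed)
    if not old_stem or not new_stem:
        # All-digit or all-symbol passwords have no stem to compare.
        return current == proposed
    return old_stem.casefold() == new_stem.casefold()


def count_incremental(history):
    """Number of consecutive changes in a password history that were incremental."""
    return sum(is_incremental_change(a, b) for a, b in zip(history, history[1:]))


# This comparison needs both plaintexts, so it can only run during the change
# request itself; stored password hashes cannot be compared for similarity.
SAMPLE_HISTORY = ["password1", "password2", "password23", "Tr0ub4dor&3x"]  # constructed

if __name__ == "__main__":
    for old, new in zip(SAMPLE_HISTORY, SAMPLE_HISTORY[1:]):
        verdict = "reject" if is_incremental_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```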
Posted: 03 December 2008 03:14 AM   [ # 25 ]
Moderator
Total Posts:  16153
Joined  05-15-2004

The little device I linked to is actually made for corporate environments: an administrator can set and enforce all sorts of policies (minimal length, lower/uppercase/numbers/special chars, expiration, etc.), and it requires a 5-digit pin to turn it on. Again, IT staff can configure what happens after a configurable number of false entries (nothing, lockout or erasing its content). For really high security applications I use it as a sort of mnemonic aid, mentally changing or adding or reversing a character or two.

Together with the aspect of physical security (you keep it on your person at all times, much like your keys) I think it’s actually much safer than re-using the same passwords again and again, or using “easily remembered” ones—or, of course, writing them on Post-It notes and putting them on your monitor or the underside of your keyboard.

Anyway, how could I possibly disagree with Bruce Schneier? :)

Posted: 03 December 2008 04:10 AM   [ # 26 ]
Research Scientist
Total Posts:  7061
Joined  04-15-2006

Ingmar, just wondering something.

I read the description on that device (although I could have misread it as it was late last night when I did read it) but was wondering, are you able to put in your own passwords or does it create them all for you? Storage is all well and good but to me if passwords aren’t something I can remember if I lose an item like that then I would be up the creek without a paddle with the amount I have to remember! ;)

Can you input your own passwords or are they all auto-created for you?

Best wishes,

Mark

Posted: 03 December 2008 04:38 AM   [ # 27 ]
Moderator
Total Posts:  16153
Joined  05-15-2004

Can you input your own passwords or are they all auto-created for you?

Either way, Mark. It comes with its own cradle and management software so you can input your own passwords, whether or not the user is allowed to change them, whether they expire (and if so, when) etc. It can create secure passwords for you (and, again, the administrator can set a pattern: must start with a number, followed by mixed case letters etc.), but it can also use the ones you feed it from the computer. One thing it cannot do, for security reasons, is transfer passwords generated on the device back to the computer.

if I lose an item like that then I would be up the creek without a paddle with the amount I have to remember!

Yes, obviously you should keep an encrypted backup somewhere, or simply have a secure way of resetting your passwords :)

Posted: 03 December 2008 05:13 AM   [ # 28 ]
Research Scientist
Total Posts:  7061
Joined  04-15-2006

Thanks for the information on that. Just a couple more questions if I may on what you just said above though.

The device says it is only PC compatible so for me on a Mac that wouldn’t be too good. You say that you can input your own passwords but I am guessing you meant just with the supplied software and not with the device itself?

If so do you know if it would work with Windows under emulation, as much as I hate doing that to my computer? ;)

The second thing is you said that I should keep an encrypted backup somewhere which I do at the moment but if I were to use the device and it creates the passwords for me but there’s no way of my easily downloading the passwords then that might get to be more of a pain as I would have to keep on viewing them on the device and copying them across by hand.

Not too much of a problem there but just wondering if there is an easier way if I can’t get it to work with a Mac? Also are there any other devices like this one on the market that would work with a Mac as it seems like a nice neat idea.

Thanks Ingmar.

Best wishes,

Mark

Posted: 03 December 2008 05:35 AM   [ # 29 ]
Moderator
Total Posts:  16153
Joined  05-15-2004

This is really getting highly specific here, so if you’ve got further questions, perhaps we should discuss them via mail? That said: yes, the software only works with Windows, but you really only need it once or twice, so booting up Parallels for that should be just about doable :) The password input is rather clumsy (for input, it’s got five buttons total) but it works, and without a computer.

If so do you know if it would work with Windows under emulation, as much as I hate doing that to my computer

No I don’t, but it is a rather simple program, so I think it would.

The second thing is you said that I should keep an encrypted backup somewhere which I do at the moment but if I were to use the device and it creates the passwords for me but there’s no way of my easily downloading the passwords then that might get to be more of a pain as I would have to keep on viewing them on the device and copying them across by hand.

That’s right. I was talking about passwords that do not change, and I keep an encrypted list of them in a safe place. For those passwords that do change, I have ways to reset them should I ever lose the password manager.

Also are there any other devices like this one on the market that would work with a Mac as it seems like a nice neat idea.

There are any number of software solutions, but none in hardware that I am aware of.

Posted: 03 December 2008 05:52 AM   [ # 30 ]
Research Scientist
Total Posts:  7061
Joined  04-15-2006

Thanks Ingmar. No need for e-mail as your last post has hit the nail on the head I think. As long as you can input your own passwords using the buttons then this looks really handy, thanks!

Also sorry Kurt for detracting a little from your original post.

Best wishes,

Mark
