internetmarketingliner.blogg.se

Secure place to write





#Secure place to write password

I could enforce password complexity on a domain, but how many of my users will remember something more cryptic, e.g. Most of my users seem to use obvious passwords, like their firstname or their child’s name – they are simple and easy to remember, e.g. I was thinking about differing password policies and came up with this (which I tell my users to do). If discovered one could always argue the semantics of “to write down”. I told the users to use password safe and not tell anyone. The help desk was so inured to the requests they did it by rote. A side effect was the obvious potential for social engineering attacks by impersonating another user on the phone and getting the help desk to reset their password. On the other hand it kept the helpdesk in secure employment on the constant flow of password reset requests. Since the conventional wisdom was also that writing down passwords was insecure and so strictly forbidden, it left users with nowhere to turn.

This cut no ice with the auditors, who dictated as their textbooks had told them to. It reduced security because it forced people to remember even more passwords, and increased the probability that they would write passwords down on Post-it notes. The article reminds me of the futile arguments I had as a system administrator with academically trained auditors who insisted I had to enforce password aging – make people change their passwords every month. So your password is only as safe from this sort of prying eye as your algorithm for specificity. For that reason, you should use a better system than one shown above (say, pulling the first four letters of the domain name, keyboard shifting it one row up, then populating every other letter of your passphrase with the result, giving you “DqajJqlatgtLM” – a good password, reconstructed in ten seconds from the passphrase and “”). Once you have the pass phrase in your memory, you will not lose it, short of brain damage. Disadvantages: An unscrupulous moderator with access to your clear text password at one website (some public bulletin board engines save passwords in the clear), could realize what you’re doing, figure out your specificity algorithm and apply it to other sites you are known to frequent. You only need to remember a single passphrase, and whatever algorithm you come up with to make the password different for each website. It’s just an example here. Also, this is not the actual sentence and web-site specifying protocol that I use. Advantages: fairly long passwords that incorporate both upper and lower case, and can also include digits. Notes: I wouldn’t necessarily consider Amazon a lower security needs site, as they can store your CC information for 1-click purchasing.

#Secure place to write full

Full password for your amazon sign in: “DaJltgtLMadm”. Tack onto the end of that the audible acronym of the website in question: “” becomes “adc”. Make the acronym for the phrase: “DaJltgtLM”.

  • Come up with a pass phrase, around eight words long, including a proper name or two: “Dick and Jane like to go to Landsdale, Michigan.”.
  • sites unrelated to your finances), I use this method, which is simple to remember:

    using similar techniques. For sites that require a lower level of personal security (i.e. Obviously, you can also encode your userid, the web site it belongs to, etc. Of course, this doesn’t help for those few accounts that I may want to access when I have neither, and so a simple paper record that’s encoded using such techniques is quite good because a typical thief will have no way of knowing. For example, just add one or two extra letters at the front or end of the real password, use simple rotation, etc. For example, could (just remove the first (just remove the last (just put the first char in the last (just switch the case of all letters) Anyway, such simple coding is helpful for all sites that don’t allow dictionary attacks, such as those that lock out (temporary lock is best to avoid easy DoS) after a few missed attempts. But I prefer to use PasswordSafe on my desktop and laptop. One simple trick people who do write down passwords use is simple encoding. Also, depending on how many you record, it may not be obvious to anyone which site and username goes with the password, so they’d be useless unless the person stealing your wallet also knew you reasonably well.

    Yes, someone could steal your wallet, but then your web site passwords may be the least of your concerns.






