July 6, 2010, 2:49PM

Why You Should Write Down Your Passwords

By Gunter Ollmann

Common wisdom over the last couple of decades has been to never write down the passwords you use for accessing networked services. But is now the time to begin writing them down? Threats are constantly evolving, and perhaps it’s time to revisit one of the longest-standing idioms of security – “never write a password down”.

Back in the day, a password was a critical part of the corporate identity system. You supplied your user ID and password pair in order to get online and to access key corporate resources. Access controls then extended the authentication model to enable greater control of what users could see, do and change. As new systems came online, and as business extended beyond the in-house corporate networks, additional (i.e. separate) authentication systems came into play. Despite multiple attempts at developing and deploying single sign-on (SSO), most employees still need to juggle a dozen passwords in order to do their work. If they have external Internet accounts as well, then they’ll be juggling several dozen additional passwords. Once you throw in their personal Internet accounts (webmail, Twitter, Facebook, LinkedIn, PayPal, Amazon, etc.) you’re quickly neck-deep in password soup.

What's traditionally been the problem with writing down passwords anyway? Well, since passwords are the critical ingredient for access control, corporate security teams have long “educated” employees into never writing them down. To do so would potentially expose you to impersonation – and you’d ultimately be responsible for whatever (damage) the impersonator did in your name.

In the meantime, Internet guides, popular PC magazines, and practically every website that forces you to create a login account all extol the virtues of never writing your passwords down. They also give you lots of additional advice – such as “use a strong password”, “use a unique password”, “never use the same password on a different site”, etc. All of which makes it incredibly difficult for any practically minded human to keep track of which password belongs to which website. The net result is that the “password rules” are being repeatedly broken.

Now, to ease some of this burden, there has been a spurt of software tools that’ll remember passwords on your behalf. For example, the popular web browsers all provide some capability in this area. The problem, though, is that the bad guys have better tools. Practically all of today’s malware (along with all those botnets you hear about each day) has the built-in capability of grabbing/stealing both the passwords you’ve remembered and type in each time you visit a favorite website, and the passwords being conveniently “remembered” by the software on your computer.

Why would writing down a password be good? Well, it’s not a question of being good – just better. Granted, anything you type on your computer can (and will) be grabbed by the malware it’s been compromised with, but the lowest-hanging fruit for the bad guys lies with all the stuff you’ve already asked your computer to remember on your behalf. After 3 months of use, web browser “remember” functions may have captured 50+ sets of authentication details. Within a few seconds of computer compromise, all three months’ worth of stored credentials will have been copied and stolen (oh, and they’re neatly formatted and sorted) – so the malware doesn’t need to do any work, and it doesn’t matter if your anti-virus software gets an update tomorrow capable of detecting the malware and removing it. The damage is already done.

Staying hidden on a victim’s computer is not a trivial task for much malware – particularly widespread Internet malware (anything with a name you may have read about). There are lots of things that can go wrong: AV updates may detect the infection, dropper websites may be taken down, upload sites may be sinkholed, CnC domains may be hijacked, etc. So it’s become important for modern malware to steal as much information as possible within the shortest possible time. Factors such as conveniently storing all your authentication details on your computer and recycling popular (i.e. memorable) passwords reduce the time the malware needs to be operating in order to steal critical data.

What about a few high-level odds?

  • 1:3 – home PC being infected with malware with password stealing capabilities in a given year
  • 1:4 – home PC being infected with a botnet agent in a given year
  • 1:8 – corporate PC being infected with malware with password stealing capabilities in a given year
  • 1:12 – corporate PC being infected with a botnet agent in a given year
  • 1:160 – your car being stolen in a given year
  • 1:700 – your home being burgled
  • 1:600,000 – being struck by lightning

I think it’s time to revisit the “never write a password down” idiom. Prioritizing best practices in password management, I’d be inclined to list them in the following order:

  1. Don’t use the same password on multiple websites
  2. Don’t let your computer “remember” your password!
  3. Use a “strong” password – preferably something with 12+ mixed characters
  4. Don’t use a predictable algorithm – e.g. abc<siteName>123
  5. Change your passwords regularly. For sites with lots of personal information and associated monies, change every 2-3 months. For other sites, try every 6-12 months.
  6. Don’t reuse past passwords – even if you think it’s a cool password.
  7. Don’t write your password down.
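As an added example (not part of Ollmann's article), the following Python audit checks a constructed set of site/password pairs against rules 1, 3 and 4 above: reuse across sites, a 12+ mixed-character password, and site-name templates such as abc<siteName>123. The sample vault and the exact strength thresholds are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample vault (site -> password); not real credentials.
SAMPLE_VAULT = {
    "bank.example": "Tq7#mBz9!kLp2wE",
    "webmail.example": "abcwebmail123",
    "shop.example": "Summer2010",
    "forum.example": "Summer2010",
    "social.example": "abcsocial123",
}

def is_strong(pw):
    """Rule 3 (assumed threshold): 12+ chars using at least three
    of lower, upper, digit and symbol."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= 12 and sum(1 for c in classes if c) >= 3

def site_token(site):
    """Leftmost label of the site name, e.g. 'webmail' for webmail.example."""
    return site.split(".")[0].lower()

def uses_site_template(site, pw):
    """Rule 4: the password embeds the site name, i.e. abc<siteName>123 style."""
    return site_token(site) in pw.lower()

def shared_template(vault):
    """Rule 4 across the whole vault: group sites whose passwords collapse to
    the same wrapper once the site name is replaced by '<site>'."""
    wrappers = {}
    for site, pw in vault.items():
        tok = site_token(site)
        if tok in pw.lower():
            key = pw.lower().replace(tok, "<site>", 1)
            wrappers.setdefault(key, []).append(site)
    return {w: sites for w, sites in wrappers.items() if len(sites) > 1}

def audit(vault):
    """Return {site: [issues]} for every site that breaks rule 1, 3 or 4."""
    findings = {}
    counts = Counter(vault.values())
    for site, pw in vault.items():
        issues = []
        if counts[pw] > 1:
            issues.append("reused")          # rule 1
        if not is_strong(pw):
            issues.append("weak")            # rule 3
        if uses_site_template(site, pw):
            issues.append("site-derived")    # rule 4
        if issues:
            findings[site] = issues
    return findings
```

Run `audit(SAMPLE_VAULT)` and `shared_template(SAMPLE_VAULT)` to see which entries fail and which share one predictable template.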

Yes, that’s right – writing down your passwords comes in at a distant 7th place. In practical terms, even if you only manage the first 4 on the list, you’re probably going to be juggling at least a couple of dozen passwords (or, more than likely, 40+ on a regular basis for most people that spend any time online). The probability that your computer(s) will be compromised and that the information will be stolen by the bad guys’ malware is much, much greater than the probability that someone will manage to break into your house and target all the post-it notes you’ve stuck around your screen with all your passwords on them. In corporate environments there’s a higher probability that the evening cleaning crew would gain visibility of the passwords (so post-it notes aren’t to be recommended), but that risk of an insider threat is still going to be lower than your work computer being compromised.

The first 6 password recommendations would trump the 7th in most cases – provided you take care in how and where you write your passwords down. Be smart about it… but don’t underestimate the risks posed by modern malware either.

Gunter Ollmann is the VP of research at Damballa.


Comments

A few ways to win from an IT professional with 1000's of PWs:

Understand where your priority PWs are - Bank, main email, godaddy account, server creds, etc. Isolate them and don't use your bank PW on a blog!

Write these PWs down, I use a rolodex - all my PWs are in there (w/encryption). Far less likely to get the rolodex stolen in a robbery.

Create a baseline pattern for your majority passwords, an example is to prepend all your passwords with s0m3th!ng $tr4ng3 - makes cracking them harder.

Get an email forward - $10/year w/godaddy. Set up a domain as a "catch all" and forward somewhere secure. Use whatever@[your-catch-all-address].com for most of your web email requirements. This way you can spin off an email address in real time that is disposable and filterable (ahh, the glory of catch all).

Good article.

Interesting. Passwords are not really for security are they...they have always really been for accountability. It is something that only "that user" should know. If abuse of some sort happens with that user's account...well they are accountable because they are the only one that knows that account's password.

As a software developer for a software integrator, I had to remember system passwords on our clients' boxes. When I left that job, my password memory had about 212 passwords, some changed regularly. I'm old, my memory doesn't work that well. It never worked that well when I was twenty. The whole company counted on my pw database.

The stronger the password rules, the more often the required changes, the greater the odds that some among us have to write them down.  Usually on yellow stickies stuck to the edge of the monitor.

What's the source of those odds? It's a very interesting set of numbers.

I have almost 200 passwords, which I keep in a pgp-encrypted word-doc, on a machine that is never used for web access, except bank passwords, which I keep on 3x5 cards.

For ones I can't remember, I consult the printout. You might call that a giant post-it note, but I never leave it lying around unattended.

A password stealing trojan will get them however you input them, but using a password safe (protected with a single pw), on the machine that is going to get hacked, seems like an invitation to get them stolen all at once.

Look around you.  There are letters and numbers on machines, boxes, forms, etc. all around you.  You don't have to write them down.  They are there and they will stay there.  Use them.  Use them for your constant.  Split them and put some before, some after, or intersperse their characters with the password you make up.

I'm using a Firefox plugin called LastPass to store passwords. It works very well and is extremely convenient, generating a separate, strong password on demand for each new site I sign up with, and automatically filling in login details onscreen when a login screen appears. LastPass says encrypted usernames and passwords are stored at their site and that they don't have any way to decrypt them. Passwords can be accessed from any PC with the add-on installed. The passwords (they say) are encrypted and decrypted only at the local PC. Of course the user does have to use a (strong!!) master password to login to LastPass each time the browser is launched.

Does anyone here (especially the author of this article) have an opinion on the security of that arrangement?

I am a home user and find that the odds of 1:3 and 1:4 above are somewhat astounding and perhaps scary. Surely those odds are mainly due to most people not exercising due diligence with regards to security. I use Kaspersky Internet Security Suite 2010 and also their Password Manager.

In a typical year, I get one or two notifications that a trojan, etc. has been blocked when visiting a site. I realize that there is always new and unreported malware out there but don't think I have ever been "infected" except for the one time I sent my computer to the shop for repairs and it came back with several pieces of malware on it and all user data files erased.

Oh come on. Write them down? Are you kidding me? Go get KeePassX http://www.keepassx.org it's cross platform, so you can go from Windows to Linux, to Mac. If you have a few hundred sites with passwords, it will probably take you 3 months to convert from all your slips of paper to a much more secure way. Now with that said, there is ONE RULE. You have to back up your password database somewhere. If you are like me, and give this any amount of thought, you're going to want to buy a USB stick which has a Write Protect switch. This way your USB stick never gets infected. Now get out there and clean up your VM passwords, your Server passwords, your domain passwords, your email passwords, your IRC passwords, your PGP passwords, your website passwords, your blog passwords, your banking passwords, your application support passwords, all into one application. Just remember, to back it up!

Ralph Dratman wrote:

Does anyone here (especially the author of this article) have an opinion on the security of that arrangement?

Ralph, I've used so many password management apps over the years and LastPass is hands-down my favorite. I use it on all of my workstations - XP, Win 7, Fedora, and Ubuntu on Dell mini. (Also like xmarks for bookmark management. But it was the first bookmark management app I'd ever used so there may be other, much better apps for it.)

Good luck.

John


Writing the passwords down is a good idea if it allows you to choose better ones. Just don't write the passwords down in a place where the FBI can find it: http://www.computerworld.com/s/article/9178762/Russian_spy_ring_needed_some_serious_IT_help

Blindly trusting 'LastPas' company.... with I assume closed source of plugin and I assume further lack of transparency

I am sorry about my earlier post... didn't realize it would not place it under the relevant post to which I replied...

"Submitted by Ralph Dratman (not verified) on Wed, 07/07/2010 - 4:00pm."


Copyright © 2012 threatpost.com