[Cryptography] Of writing down passwords

Jerry Leichter leichter at lrw.com
Mon Sep 22 09:16:41 EDT 2014


On Sep 21, 2014, at 7:33 PM, Bill Stewart <billstewart at pobox.com> wrote:
>> Or write it down...  Umm, OK, and this is Australia's national carrier?
>> Come to think of it, perhaps "write it down" was correct after all, in a
>> financial sort of way.
> 
> Unless your threat model for ADSL modems includes people coming
> inside your house, connecting a PC, and messing around,
> a yellow sticky note attached to the box is plenty secure.
> (Most such devices only allow administration from the ethernet side,
> not the wireless side, and probably the telco has their own for the DSL.)
It's worth noting that "only allows administration from the Ethernet side" isn't nearly as good a protection as you'd think.  There have been numerous examples over the years of attack code slipped into the network, where it can attack the Ethernet side.  For example, JavaScript in a browser is perfectly capable of manipulating one of these devices.

So ... even if you believe your internal network is secure, you should *still* use a strong password on configurable devices.  And then it's quite reasonable to write it down, as long as you don't leave it in a place that is easily seen by people you might not trust.  (If you're going to tape it to the device, tape it to the back or bottom so the delivery guy can't spot it as he walks by.)

I've also been a fan of obfuscating written passwords.  If you're the only one who will have to read them, there are all kinds of simple tricks that, while certainly not secure against a determined attacker, make their job harder.  (I used to write an obfuscated version of the combination on the back of my old Master combination locks.  There's nothing more annoying than needing a lock, finding one in the bottom of a drawer - and not remembering the combination.  In practice, it would take more work for someone other than me to reverse the obfuscation than to open the lock by other well-known means.)
                                                        -- Jerry
