[Cryptography] Of writing down passwords

Jerry Leichter leichter at lrw.com
Tue Sep 23 08:33:01 EDT 2014


On Sep 22, 2014, at 7:35 PM, Abe Singer <abe at oyvay.nu> wrote:
> The dogma against writing down passwords is one of the worst things that
> security practitioners have continued to promulgate, and by "worst" I
> mean in terms of impact on effectiveness of security (second only to use
> of firewalls, but that's not a crypto discussion)....
There's one closely related one that I would put even higher than "don't write it down":  Frequent, forced password changes.  The troika of:

1.  You must choose a password that no human being can reasonably remember;
2.  You must not write that password down;
3.  Just about the time you can reliably remember your password, you must change it to something entirely new;

could only be made more user-hostile by adding such measures as "you will receive increasing electric shocks for each incorrect password entry".

One financial institution (used for retirement accounts by an employer, so I had no choice but to use them) required quarterly password changes.  Since in practice I only logged in about once a quarter, I had to change the damn password on every login.  Manual OTP?

You have enough adversaries without making your users into yet more adversaries. They'll choose related passwords (at one large company I used to add a suffix like Q314 to deal with the forced quarterly changes) or they'll write the thing down, not on a piece of paper in their wallet, but on a sticky under the keyboard - and then you'll be left adding yet more user-hostile layers (like code that looks for patterns in passwords, and inevitably rejects perfectly good ones).

A prominent notification of where and when someone last logged in to your account - suppressed if it was at the usual time and place - will do more to stop on-going use of a stolen password than forced changes.  But no one seems to bother with that any more - or they implement it minimally (not prominent, no attempt to filter out obviously-good logins).

One side-effect of these policies is that users get locked out of their accounts and then need to contact the company call center.  (I suppose if your goal as a manager is "justify need for all the call center guys" then these policies make sense.)  Or maybe, these days, just follow the "reset password" script online.  Both of these use some of the worst security procedures ever.

I once was sick and working from home and found I couldn't log in:  My password had expired, and *all* the password reset mechanisms were disabled when you were on the VPN ("for security").  I ended up having to call the support center - which reset my password based on my name and badge number, both easily - and by policy - visible to one and all when I was at work.  "We have a super-secure safe with a 10-digit combination that's written on a piece of paper inside one of those diary books with a lock on it conveniently placed on a table next to the safe."
                                                        -- Jerry
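The "prominent last-login notice, suppressed when the previous login was at the usual time and place" mechanism Jerry describes is easy to sketch. The following is an added illustration, not code from the list post or from any product it mentions; the place labels ("office-LAN", "unknown-DSL"), the thresholds (three prior sightings of a place, a two-hour window around previously used hours) and the sample login history are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Login:
    when: datetime   # UTC timestamp of a successful login
    place: str       # coarse origin label (hypothetical, e.g. "office-LAN", "home-ISP")


def _hour_distance(a, b):
    """Circular distance between two hours of day (0-23)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def is_usual(earlier, login, min_seen=3, hour_slack=2):
    """A login is 'usual' if its place shows up at least min_seen times in the
    earlier history and its hour of day is within hour_slack hours of some
    earlier login from that same place.  Thresholds are assumptions."""
    same_place = [e for e in earlier if e.place == login.place]
    if len(same_place) < min_seen:
        return False
    return any(_hour_distance(login.when.hour, e.when.hour) <= hour_slack
               for e in same_place)


def last_login_notice(history):
    """history: all prior successful logins for the account, excluding the
    login happening right now.  Returns the notice text to display
    prominently, or None when the previous login matched the usual pattern
    (so the user is not trained to ignore the banner)."""
    if not history:
        return None
    ordered = sorted(history, key=lambda h: h.when)
    last, earlier = ordered[-1], ordered[:-1]
    if is_usual(earlier, last):
        return None
    return f"Last login: {last.when:%Y-%m-%d %H:%M} UTC from {last.place}"


# Constructed sample history: five weekday-morning logins from the office.
BASE = datetime(2014, 9, 15, 9, 0)
USUAL = [Login(BASE + timedelta(days=i), "office-LAN") for i in range(5)]
# A constructed login from an unknown network in the middle of the night.
SUSPECT = Login(datetime(2014, 9, 21, 3, 17), "unknown-DSL")
# A constructed login from the usual place but at an unusual hour.
LATE_OFFICE = Login(datetime(2014, 9, 20, 22, 0), "office-LAN")

if __name__ == "__main__":
    print(last_login_notice(USUAL))               # previous login was usual: None
    print(last_login_notice(USUAL + [SUSPECT]))   # shows the 03:17 unknown-DSL login
    print(last_login_notice(USUAL + [LATE_OFFICE]))  # right place, wrong hour: shown
```

The filter runs over the *previous* login, not the current one, because the point of the banner is to let the legitimate user notice a session they did not start; the current login is, by construction, the user's own.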