Wednesday, May 02, 2007

I used to tell people to not write down their passwords.

Then I started helping out at a website that only stores hashes of users' passwords, and has no password-resetting mechanism. If someone loses their password, I can reset it manually, given proof that they're the actual owner, but I hate doing that, in part because my idea of proof is that you have the password to the account. A site where 0.469980026% of all accounts have the password 'password' and 0.403889085% have the password '1'. A site where there are 34179 passwords among 68088 accounts. Okay, really, these statistics are better than I expected. In fact, I cannot believe I got those queries right. Must be all those people who register and then never log on. They have strong, distinct passwords. The active users don't.

Anyway, they use weak passwords and still they forget their passwords a lot. So now I tell them to write their password down. There are better ways of doing it. Personally, I want a secure hash I can calculate in my head--and there are some good ideas on how to do something along those lines--but most of these people are youngish kids.

Anyway, this person presented a good argument that struck me. In my pocket, I have 43.19 USD (often over 100 USD) and 0.11 Euros, 47.11 USD on a Barnes and Noble gift card, three credit cards with a total credit line of over 10 000 USD, and keys to my house, van, and truck. Most people probably have much more than that.

If my pocket is secure enough for all that, it's secure enough for my password. Not my GPG passphrase, perhaps, but most passwords aren't worth more than the rest of my wallet. You don't even need to write it down in plaintext. A shift cypher will stop casual thieves. Or a different font. (I sometimes take notes in Tolkien's Elvish Tengwar script. I also know most of the Greek alphabet.) Studied Russian? Arabic? Mix a couple of alphabets together. Use a shorthand of your own. (I have quite a few symbols I made up for taking notes. Surely you have some too?)

If you're really paranoid, encrypt your password with a one-time pad and store the password list somewhere secure and the one-time pad somewhere independently secure. (i.e., finding a way to access one will not help me access the other.) Yeah, you still have to memorise your passwords to use them, but the cost of not remembering is now that you only temporarily lose access--just until you go to these two secure areas and combine them--freeing you to use a stronger password than if memorisation were your only recourse. But what I'm mostly concerned with here are the non-security-minded users. Most people don't consider how long it takes the bad guy to guess their password using a computer. They just think about whether they can remember the password and whether typing it in each time takes too long. Security means keeping unauthorised users out and letting authorised users in. If the security-minded ignore the second half, we miss the priority of the average user, so they ignore our advice.
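The split-storage scheme above, as an added Python example that is not part of the original post: the password list is XORed with a freshly generated random pad, the ciphertext and the pad are the two pieces to keep in separate places, and `pad_that_yields` shows why either piece on its own reveals nothing. The function names and the sample entries are my own.

```python
import secrets


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad at least as long as the data. The same operation
    both encrypts and decrypts, so it is used for both directions."""
    if len(pad) < len(data):
        raise ValueError("pad is shorter than the data; a one-time pad must cover every byte")
    return bytes(d ^ p for d, p in zip(data, pad))


def seal_password_list(entries):
    """Serialise (site, password) pairs as tab-separated lines and encrypt them
    with a new pad. Returns (ciphertext, pad): store the two in independently
    secured places, never together. A fresh pad is drawn on every call and must
    never be reused for a second list, or the two lists leak each other."""
    plaintext = "\n".join(f"{site}\t{password}" for site, password in entries).encode("utf-8")
    pad = secrets.token_bytes(len(plaintext))  # CSPRNG; a guessable pad is not a one-time pad
    return otp_xor(plaintext, pad), pad


def open_password_list(ciphertext: bytes, pad: bytes) -> dict:
    """Recombine the two halves: decrypt and parse back into {site: password}."""
    text = otp_xor(ciphertext, pad).decode("utf-8")
    return dict(line.split("\t", 1) for line in text.split("\n") if line)


def pad_that_yields(ciphertext: bytes, decoy: bytes) -> bytes:
    """For any candidate plaintext of the same length there is a pad that turns
    this ciphertext into it, so the ciphertext alone says nothing about which
    passwords it holds. That is exactly why the two halves must live where
    compromising one does not hand over the other."""
    if len(decoy) != len(ciphertext):
        raise ValueError("decoy must be exactly the ciphertext length")
    return otp_xor(ciphertext, decoy)


if __name__ == "__main__":
    # Constructed sample list; not real credentials.
    ct, pad = seal_password_list([("forum", "correct horse"), ("mail", "hunter2")])
    print(open_password_list(ct, pad))
```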
