Final Word on the Password Problem

Bill Vermillion fp at wjv.com
Tue Jul 13 05:18:54 PDT 2004


When asked his whereabouts on Mon, Jul 12 21:18, Jay R. Ashworth took the 
fifth, drank it, and then slurred: 

> On Mon, Jul 12, 2004 at 09:11:34PM -0400, Fairlight wrote:
> > > | On Mon, Jul 12, 2004 at 03:49:38PM -0400, Nancy Palmquist wrote:

> > > | | I have posted this comment many times over the years,
> > > | | but you should assign a site password right now. ALWAYS
> > > | | do it.

> > > | | Write it down, put it in the safe and let it attach to
> > > | | your programs as you work. It will never bother you
> > > | | again.

> > No, no, no, and furthermore, no. One does -not- write down
> > passwords; one commits them to memory. Doing otherwise is
> > a violation of a basic tenet of security. There -is- no
> > safe place. A "safe place" for written passwords is as much
> > a misnomer as the fictitious, fabled, and oft-mis-cited
> > "trusted system". As with the phoenix and unicorn, such
> > creatures simply do not exist.

> > I refrain from comment on passwords as applies to processing
> > tables or fP in general. My only quibble is with the very
> > concept of writing down passwords or passphrases.

> I agree with Bob, JP, and Mark, though I'll note that these
> days, it's reasonably secure to write down all your passwords
> into an encrypting password safe on your {PDA,cellphone,PC}, as
> long as that password safe is itself of a reasonable level of
> security (good enough encryption, scrubs ram and swap, etc).

> Memorize the passphrase (yes, you'd better be able to use a
> pass*phrase*) that you key that to...

And if that device is lost/stolen, how much work would it be for
someone to decipher them?  I still don't think items like that
should be stored anywhere except on securable paper.

> and write it on a piece of paper, fold it 3 times, seal it in
> an opaque envelope, and put it in a desk drawer where you will
> see it every day (sign across the flap).

> Tell your wife, or office assistant.

At the place where I was an outside consultant, being there 2
days per week, we had about a dozen machines that two of us were
responsible for.  The on-site employee and I actually picked
the passwords.  They were written down, sealed in an envelope, and
then placed in the master safe in the IT department.

Though it was never opened, the procedure was that if anyone had to
open it to get the password for any machine, a new set of passwords
was to be installed on ALL machines and a new list made and sealed.

> The goal, of course, is that if you have the poor grace to get
> hit by a bus, people may need to get into some of your stuff
> -- you just need to *know* if it happens, should you still be
> alive, so that you can Take Measures.

And that is why I save all my FP work in ABE=ASCII and FULLY
commented.

And picking a password that is secure and yet easily remembered
is a challenge.

I found one that is hard for J. Random Hacker to penetrate.

You pick an easily remembered number that is non-intuitive.
Then you use that in an alpha form.  As an example, the
zip code of someone you correspond with: 47312

That becomes "fourseventhreeonetwo" or
"fortyseventhreehundredtwelve" - or ... you get the idea.
One and two could also become won and too.

Now that many systems no longer limit you to short passwords
you can have easily remembered and hard-to-break passwords.
If you are on a system that used the old 8-character limits it's

Bill
-- 
Bill Vermillion - bv @ wjv . com
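Added example, not part of the thread: a Python sketch of the number-to-words scheme described above (digit-by-digit and grouped spellings, plus the won/too substitutions) that also sizes the search space such passwords actually live in, since a defender evaluating the scheme cares about that more than the string's length. The "for" homophone and the two-plus-three digit grouping are assumptions I made to reproduce the post's examples.

```python
import itertools
import math

# Digit-by-digit spelling ("fourseventhreeonetwo") plus the post's won/too
# substitutions; "for" is an added assumption in the same spirit.
DIGITS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]
HOMOPHONES = {"one": ["one", "won"], "two": ["two", "too"], "four": ["four", "for"]}

ONES = ["", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine",
        "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen", "sixteen",
        "seventeen", "eighteen", "nineteen"]
TENS = ["", "", "twenty", "thirty", "forty", "fifty", "sixty", "seventy", "eighty", "ninety"]

def spell_under_1000(n):
    """Spell 0..999 as run-together words, e.g. 312 -> 'threehundredtwelve'."""
    if n == 0:
        return "zero"
    words = []
    if n >= 100:
        words.append(ONES[n // 100] + "hundred")
        n %= 100
    if n >= 20:
        words.append(TENS[n // 10])
        n %= 10
    if n > 0:
        words.append(ONES[n])
    return "".join(words)

def digitwise(number):
    """'47312' -> 'fourseventhreeonetwo'."""
    return "".join(DIGITS[int(d)] for d in number)

def grouped(number):
    """Assumed NN/NNN split of a zip code: '47312' -> 'fortyseventhreehundredtwelve'."""
    return spell_under_1000(int(number[:2])) + spell_under_1000(int(number[2:]))

def homophone_variants(number):
    """Every digit-wise spelling with won/too/for substitutions applied."""
    options = [HOMOPHONES.get(DIGITS[int(d)], [DIGITS[int(d)]]) for d in number]
    return {"".join(combo) for combo in itertools.product(*options)}

def candidate_space(ndigits):
    """Upper bound on distinct strings the scheme yields for an ndigits number:
    digit-wise with homophones (10 digits + 3 extra spellings per position =
    13^n) plus one grouped spelling per number (10^n)."""
    return 13 ** ndigits + 10 ** ndigits

def scheme_bits(ndigits):
    """Entropy an attacker who knows the scheme has to search, in bits."""
    return math.log2(candidate_space(ndigits))

def naive_bits(password):
    """What the length alone suggests: a random lowercase string of that length."""
    return len(password) * math.log2(26)
```

For a 5-digit zip code the scheme yields under 2^19 strings (about 19 bits) even though a 20-letter lowercase string looks like 94 bits; the length is real, the randomness is not.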