Posted October 06, 2009
"If you MUST make notes on what your passwords are, keep them stored well away from your computer/regular access point. (one suggestion is write oblique clues to passwords, and hide them inside dust-jackets of books...but that's just one. Use your imagination!!)"
Keep anything written down well away from computers.
Use clues to the password, preferably oblique references rather than the actual password : phrase(s) that would only mean something to you, personally.
If you're having to write down passwords or leave yourself clues then your passwords are too complicated, so much so that they're less secure than simpler passwords that can actually be remembered. Additionally, in the event that recording passwords somewhere is necessary (e.g. twenty various online accounts, each with a different passwords), the proper thing to be using is an encrypted password manage such as Password Safe.
This would be good advice if trying to defend against an offline brute force attack, although ultimately such an attack will break just about any password as programs such as can try passwords anywhere from 300-500,000+ a second, depending on the program being attacked, and moreover can pick up passwords by scanning the hard drive (passwords end up being stored all over the drive due to paging, caches, etc). An article on such offline attacks can be read [url=http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458]here.
However, this is all with regards to offline attacks; online attacks is an entirely different matter. Simply the speed limitation (even with a script running 24/7) on trying to brute-force online passwords makes trying to guess any password that takes over 1000 guesses simply not a realistic scenario. There are over 500,000 words in the English dictionary. Going with two words increases that keyspace to 250 billion. Throw in capitalization, spaces, prefixes or suffixes, etc, and your dealing with such a large keyspace that an online brute-force attack is simply laughable. Add good security practices on the part of the company running the service (such as locking out attempts for an hour after 5 wrong guesses) and the password isn't going to be brute-forced either of our lifetimes. And remember that this is still only using a weak password consisting of a root of 1-2 dictionary words plus a prefix or suffix. Expanding the keyspace further isn't going to provide any additional meaningful security, but rather is only likely to decrease security by causing people to do stupid things as they try to remember and easily use passwords that are increasingly difficult to remember.
Fully agree with this.
The human memory is actually very good at remembering stuff like this. If you use it properly ;)
Your ability to remember random passwords well is the exception, not the rule, when it comes to computer users. A very large section of of the computer-using public will have a hard time even remembering the url for Hotmail; tell them to use random alphanumeric passwords (and to change them often on top of that) and you'll have sticky-notes containing those passwords on monitors in no time at all. As for never having any of your passwords compromised, let me just say this- my mother has been using the same easy-to-guess password for the past decade, and I'm pretty sure there have been long periods where it's also been on a sticky-note on her monitor; despite these horrendous security practices she's never had any of her accounts compromised either. All your experience and hers says is that generally all of our online accounts, taken individually, are very low-value targets; it says little about the merits of the security being used.
To finish up, let me emphasize that all security measures are a trade-off between security and usability. There will come a point with any security measure where increasing security further will see drastic diminishing returns while usability drops sharply. These points most commonly occur where the security measure you're trying to improve is no longer the weakest link in the security system, and thus improving it further does little to improve overall security, while only hurting usability. Once you go past the basic password guidelines I outlined in my previous post the password is no longer going to be the weakest link in the security system; having your password recorded in plain-text, keyloggers, phishing attacks, MITM or passive listening attacks on unencrypted login connections, or the company running the service having shitty security practices (such as storing passwords lists in plain-text or those moronic "secret questions") are all going to be far greater security threats than someone brute-forcing your password. So trying to make your password even more unguessable is simply not going to increase your account security by any meaningful amount.
