July 17, 2008 2:33 PM PDT

A real simple answer to password protection

Posted by Robert Vamosi

It's a question I get asked a lot: what's a good way to remember passwords for a computer?

Here's how Christopher Horn over at Real Simple chose to answer it:

Writing down random log-in user names and passwords is unsafe and leaves them vulnerable to getting lost. Use a spreadsheet or a word-processing document to keep track of all the information safely. List the link for each website you have an account with and the specific user-name and password information that goes with that account. Click the Save As option under the File tab and name the document. The Save As window will have an Options or Security Options key, which you should select. Navigate through the menus, entering the necessary password--for both opening and modifying the document--until you have successfully secured and saved your list. To retrieve the information, open the file and enter one password to access all the others.

I disagree.

There are some problems with Horn's answer. What happens if you want to log in to an account using a different computer? And, shouldn't you encrypt the file as opposed to just using a password?

Even the security people at Microsoft have told me that using the passwords within Windows and Office isn't necessarily your strongest security option. I know that password protection within Word or Works can be defeated with a variety of password-cracking programs. John the Ripper is perhaps the best-known program and uses lists of common dictionary words to brute-force unknown passwords. Chances are, Real Simple readers will probably use "password" as the password for their password list. But, still, placing a password on a file (placing a lock on it) is not the same as encrypting the entire file (scrambling the contents so only you can read it).

Me? I go low-tech. I write down all my passwords with pen and paper and do so in such a way that it would take someone a long while to associate a password with a given account. I also change these passwords from time to time. And I don't store my low-tech, highly obfuscated password crib sheet anywhere near my computer.

For a more thorough discussion of the various issues around passwords and password management, check out Elinor Mills' latest CNET News feature.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
11 comments
by Tergon July 17, 2008 2:56 PM PDT
"What happens if you want to log in to an account using a different computer? And, shouldn't you encrypt the file as opposed to just using a password?"
A portable password manager such as KeePass solves both these problems (encrypted, password protected, and able to move from one computer to the next).
In fairness to not just mentioning one product, I also use programs on my smart phone to carry my passcodes (in my case I'm using the Palm-based Treo 700p and the YAPs program; this program is password protected, and I then have it hidden from the launcher, thus even if someone has my phone they wouldn't know the program is there).
by The_Decider July 19, 2008 8:55 PM PDT
It solves no problem, but it puts all your security eggs into one very fragile basket.
by abhishek_p July 17, 2008 3:18 PM PDT
Use a Google doc or spreadsheet. Write down hints instead of actual account names and passwords.

I trust Google and feel that it can keep that document safer than I can on my PC :-)
by htterp July 17, 2008 3:41 PM PDT
"What happens if you want to log in to an account using a different computer?"

How does a crib sheet somewhere far away from the computer (presumably at home) solve this problem?
by rcrusoe July 17, 2008 6:11 PM PDT
I use 1Password. http://agilewebsolutions.com/products/1Password

Automatically enters my username and password, fills in credit card information, syncs my passwords to all my computers, and even works on my iPhone.
by trevorbsmith July 17, 2008 7:08 PM PDT
Ideally, we will all eventually move to something like OpenID: http://openid.net/

In the meantime I also use 1Password on my Mac and it's fantastic.
by ducttape36 July 18, 2008 5:53 AM PDT
I have a biometric scanner in my laptop that stores all my passwords for websites. It's pretty handy. One swipe opens the website in a browser and logs you in automatically. I make the passwords by my overly complicated "keyboard mashing" technique and keep a hard copy of passwords in a filing cabinet, in case the scanner ever fails. But until that happens, I never have to worry about typing a password in.
by vocaro July 18, 2008 6:53 AM PDT
The Keychain system built into Mac OS X solves these problems. It does basically what Horn suggests but in an automatic way. Also, Keychains are encrypted, and they can be synced via MobileMe, so they don't suffer from the drawbacks you cited with Horn's approach.
by brightmind1235 July 19, 2008 9:13 AM PDT
I put all my passwords in an Excel file then add it to a TrueCrypt archive which is protected by a single long and secure password. Problem solved.
by emarkus July 23, 2008 7:07 AM PDT
Didn't we all use to remember phone numbers? Well, why not our passwords? Surely we aren't getting that much dumber. No safer place than in your own head.

Just ask Terry Childs: no one but he knew the answer to the question being asked. What's the password....
by f0r0ne July 23, 2008 7:12 AM PDT
Re access from any computer, I've activated MS SkyDrive and keep an AxCrypted file with password information (and other handy personal data) encrypted and available "in the cloud." Also, the better encryption applications permit use of virtually unbreakable "key" files instead of a password - the keyfile can be kept on an SD card / other removable device and separated from a notebook during travel, so the encrypted material is safeguarded beyond mere password protection.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
