Please educate people about writing down their passwords

by Volker Weber


I often get asked to help with computer problems. And I always fail at exactly the same point. People have no record of their passwords. And not all services provide a way to reset the password without answering questions the user does not know the answers to. When my best friend died and I had to recover his iCloud account, I knew the answers to all security questions, but I did not know how he spelled them.

Some people write down the password but not the username. And often they cannot remember which service the password was for. If you can just tell them to write down the who, what, where, you are in much better shape. Who are you, what was the password, where did you use it?

Since these passwords tend to accumulate, put them in an alphabetical register for easier reference. Once you have a well-organized book it becomes easier to not reuse the password everywhere.

Comments

Volker, what are your thoughts on "password services" such as Lastpass and others?
One master password to hand over to one trusted person...convenient but...?

Interesting to get your (the others') feedback.

kind regards - Matthias

Matthias Lorz, 2018-01-04

They need to be cloud-based if they have to survive a crash. And that makes them a high-value target.

Volker Weber, 2018-01-04

I think as long as you have 2-FA on all your last mile services (at the very least) one should be OK using a cloud-based service such as Lastpass, etc.

As someone who has used a lot of online services, my account library has racked up to include ~400 online services (of which at least 150 are key to finance, information retrieval, various agencies, public services). There is no way I can practically maintain, update and securely disseminate that much vital information to relevant parties effectively in the event of my unplanned incapacitation in a user-friendly fashion. For e.g. it would be a lot quicker for my trusted family member to help my spouse get online and liquidate assets as needed rather than to go through courts with a myriad of paperwork/trails.

Ananya Gupta, 2018-01-04

I would rather go with a USB stick based password manager. The master password (and key file) is printed in a safe where the other important documents are. That's also the place to store a weekly backup of the key file.

Hagen Bauer, 2018-01-05

Alternative idea: Use Keepass which is available on basically all platforms.
Store Keyfile in a cloud service like Dropbox or OneDrive. Also Cloud based, but no single big target like the Lastpass or 1Password sites.
One could store all passwords except "first line" services like email and internet services (basic comms/connectivity which also allows PW resets).

Good or bad scenario?

Tobias Hauser, 2018-01-05

Tobias, I'm also interested if that setup is safe... Because that is the way I am actually storing my data.

Thorsten Köbe, 2018-01-05

It's a good discussion you are having so I am not going to discourage it.

What I am talking about is people who have no IT knowledge. Think about your mother, or, if she still lives, your grandmother. Their pincode is most likely their birthday. Or your birthday for that matter. If they are pressed to come up with a password they will reuse it as often as they can and forget about the username. These people need to learn to write down their account details. If that means they have to use yet another software, they will not do it.

Volker Weber, 2018-01-05

Volker you are right and I agree, although not entirely.

I will probably not convince my mother to use a password safe application. For her a paper trail makes a lot of sense. We do not have this so far and this is a very good prompt to get this done.

But I may be able to get my wife and father interested.
Of course, as with all office IT innovations, you will have to take the time to provide some basic training. I.e. explain why in simple words, give examples and two or three run throughs with their individual websites and applications. This allows them to use individual PWs per service.
The basic rule can also be simple:
1) DO NOT store bank, phone company, email, and OS login credentials (i.e. "the big four").
2) DO store all other credentials. Do so using the PW generator.

Tobias Hauser, 2018-01-05

@Thorsten, Tobias: I am using a similar setup with a slight alteration to make it even safer:
- my password DB (*.kdbx) is stored on my NAS, replicated with Synology CloudStation to all clients
- I use an additional keyfile (.key) stored only on the clients, backup is stored on USB
- my NAS is being backed up to a cloud service (my choice is a German provider, Strato)

In fact, this setup should prevent me from a loss in case of fire, theft etc. I have not thought about death yet too often ... need to involve my daughter soon to make sure this case is covered as well.

Axel Koerv, 2018-01-05

I like the book idea better as it reduces complexity to a book which fits perfectly into my mother's life.

Martin Kautz, 2018-01-05

By the way, there are some very nice pre-formatted ideas for this. This one, for example: http://amzn.to/2CVMQ00

Basically, you have to start even earlier, for instance by writing down the internet access credentials, or the SIM number and PUK.

Volker Weber, 2018-01-05

Speaking of 2FA: Always laughing at Apple's implementation where the two factors are magically connected within the "circle of devices".

Martin Kautz, 2018-01-05

For decades I have been sticking a Post-it with the PPPoE/CHAP/PAP/whatsoever data under the routers of family and friends... Whenever the new router arrives or the old one dies, nobody can find the funny Telekom sheet ("The quest for Mitbenutzerkennung").

Martin Kautz, 2018-01-05

The first question to ask is: from whom do I want to keep the data secret?

Most data is no longer private anyway. 99.9999% of emails are sent unencrypted. We enter our bank PIN in public, directly under a camera, 100 times a year.

As a rule, the security mechanisms only help against people in your immediate environment. Anyone who really wants to get at your data can buy most of it for little money.

So what speaks against using the same login/password everywhere?

A small example of the state of security at the companies that store our data:
To increase the security of online banking, my bank suggested that I install the photo TAN app directly on the smartphone that also runs the transfer app, so that the TAN is taken over automatically. A quasi TAN-less transaction.

Our gynecologist can send the ultrasound images unencrypted by email directly from the device and actively offers this as a service.

Max Bauer, 2018-01-05

Max: That is a completely different story again. This was about the reliable safekeeping of credentials, with special consideration for silver surfers like me.

Martin Kautz, 2018-01-06

Max, I always use both hands when entering my PIN. In my opinion that protects quite well against cameras and shoulder surfers.

That is also written on most of the ATMs here.

Armin Grewe, 2018-01-06

Do you recommend people store passwords in, say, a physical notebook at home or a diary/planner?

Pedro Quaresma, 2018-01-11
