'Bill Gates swallowing bike on a beach' is ideal password say boffins

A quartet of researchers from Carnegie Mellon University's Computer Science Department have explained a method they feel makes it possible to memorise several complex passwords. As their ArXiv paper, Spaced Repetition and Mnemonics Enable Recall of Multiple Strong Passwords explains, passwords are important but most people …

  1. Scott Earle

    Correct horse battery staple.

    That is all.

    1. Sampler

      http://xkcd.com/936/

    2. Version 1.0 Silver badge

      Invalid

      The password that you entered exceeds the maximum length allowed and contains illegal characters.

      1. Danny 14

        Re: Invalid

        f*cking boss is a c^ck muncher has non alpha numeric characters so might help against dictionary attacks.

      2. illiad

        Re: Invalid

        you are missing the point..

        the long phrase can be displayed in plain sight, as a poem or quote..

        to get the password, you just take the first letter of each word, add a number, and get a suitable unguessable password..

        eg BGsboab23 :)

    3. Wize

      The trouble with "Correct horse battery staple" is if they know you are a fan of XKCD and using a four word password, they can still get you with a dictionary cracking tool.

      http://www.reddit.com/r/techsnap/comments/18ezb6/correct_horse_battery_staple_really_a_strong/

    4. BinkyTheHorse
      Thumb Up

      Standing on the shoulders of Munroe

      Reference #38 in the paper.

    5. Michael Wojcik Silver badge

      At this point everyone[1] knows that 1) Randall Munroe recommends passphrases over cryptic passwords, because they have greater information entropy and are easier for users to remember; 2) lots of other security researchers have been making the same recommendation for years; 3) the people who create and administer password-based authentication systems don't pay any fucking attention[2]; 4) "correct horse battery staple" is now used as a passphrase by an embarrassing number of xkcd readers who think they're being clever; and thus 5) "correct horse battery staple" is now in password dictionaries.

      Thus we have Schneier claiming that Munroe's construction isn't a safe technique. A number of people (including myself) have pointed out why his argument, as presented, doesn't hold water; but it does mean you can't use "correct horse battery staple" itself as a passphrase under many reasonable threat models, and you have to be a bit more thoughtful about using the Munroe technique.

      [1] (who pays attention to these things)

      [2] Because that would require they actually do some work, rather than simply relying on guidelines that were outdated 30 years ago. And, of course, because they're afraid they might get blamed if they deviate from "standard practice" and anything unfortunate happens.

  2. MacroRodent

    Not compatible

    I think using a long phrase is a good idea. Unfortunately, most places that expect passwords severely limit the length, and even if they don't may require numbers and special characters which may be hard to include naturally in a phrase, and may reject spaces. The example would have to be something like "Bill@Gates2swallowing#bike/on!a!beach" to be accepted in them.

    1. as2003

      Re: Not compatible

      Sad but true.

      It always sets alarm bells ringing when there are arbitrary limits on password length. It implies that passwords aren't being hashed behind the scenes.

      1. PassiveSmoking

        Re: Not compatible

        Adobe had an especially hilarious one which I discovered after their massive password leak. I used LastPass to reset my leaked password to a random 16 character string, and the website accepted this. Later, I had to reinstall CS4, the installer for which requires you to log onto your Adobe account. Only I couldn't, because the installer's password field would only accept a 12 character string.

        Another quality Adobe product!

    2. Chris 3

      Re: Not compatible

      See also Virgin Media, where their passwords have to be something like more than 6 and less than 10 and don't allow spaces etc. Sigh.

      1. Michael Wojcik Silver badge

        Re: Not compatible

        Virgin Media, where their passwords have to be something like more than 6 and less than 10 and don't allow spaces

        Try Schwab's site, which limits passwords to 8 characters, from a restrictive alphabet. And that's for a brokerage and bank. I'd like to see them sued for breach of fiduciary responsibility.

    3. Carbon life unit 5,232,556

      Re: Not compatible

      Often they also give hints about how the password should be made up!

      Talk about giving the hacker a head start!

      1. Sir Runcible Spoon
        Joke

        Re: Not compatible

        I like to use movie quotes, that way all you need to do is remember which movie is associated with which site - which is the bit I always cock up.

        Badges?wedon'tneednostinkingbadges!

        That's the one for my KKK membership login page (expired)

  3. Anonymous Coward
    Facepalm

    really...Microsoft...

    For example, all of Microsoft's sites that I use have a 15char limit.

    1. Anonymous Coward

      Re: really...Microsoft...

      ... and irritatingly, they don't usually tell you in advance.

      1. John Tserkezis

        Re: really...Microsoft...

        ... and irritatingly, they don't usually tell you in advance.

        More irritatingly still, when you get password "set" routines that allow you to go past the character limit, with the password "test" routine that observes limits - so your new password will never pass again.

        Your only option is to factory reset and start again from scratch.

        F**k you TP-Link. F**k you, and the horse you rode on.

        1. Anonymous Coward

          Re: really...Microsoft...

          "F**k you TP-Link. F**k you, and the horse battery staple you didn't ride"

          FTFY

          1. Anonymous Coward

            Re: really...Microsoft...

            "F**k you TP-Link. F**k you, and the horse battery staple you didn't ride"

            ... at least not correctly.

    2. hekla

      Re: really...BANK

      yeah - CommBank has a limit of 12 characters

  4. frank ly

    Pope Francis patting a fanny

    It started off as ' ... fanning a patty' but it mutated very quickly in my mind so I'm confused now. How can this method be regarded as reliable?

    1. auburnman

      Re: Pope Francis patting a fanny

      You're meant to keep it in your head as a mental image of the scene rather than a collection of words. It's proven that imagery is much more memorable, especially if it's amusing. And if you can imagine the Pope waving a fan over a patty it's much less likely to mutate into an image of the Pope patting someone on the [body part appropriate to the nickname on your continent.]

      Although that image would be much more memorable...

      1. Sir Runcible Spoon
        Coat

        Re: Pope Francis patting a fanny

        Didn't they do that on spitting image?

        Gob-baa-chef became Mouth-sheep-tongue

        (the chef was sticking his tongue out in the picture)

        If that's the kind of trouble that Ray-gun had, I have no idea what an issue it was for Shrub.

  5. Karmashock

    Mnemonics are not new

    My grandmother's generation used them to study in college.

    I use them to memorize passwords.

    A really simple example would be:

    4MhalLwFwwaS4

    Very easy to remember that password and I just made it up. Why? Because the password is a combination of two things I can remember.

    1. A phrase or string of words that are very easy to remember.

    2. A system or set of rules that turns that phrase into a password.

    In this case:

    Mary had a little lamb whose fleece was white as snow.

    With this rule set:

    A. Take the first letter of each word.

    B. Capitalize nouns.

    C. List the number of letters in the first word and last word at the beginning and end of the password.

    The password is very easy to remember though you might have to decode it a bit in your head sometimes.

    Take a string of song lyrics. A poem. A famous quotation. A children's nursery rhyme. Something you will remember. Come up with a set of rules you won't forget.

    Then associate that password with that text string.

    Using this method you can actually write down hints to your passwords in plain text right next to the password input and no one will be able to guess your passwords.

    1. Mike Bell

      Re: Mnemonics are not new

      Good idea, but you should keep this kind of thing to yourself. It would be dead easy to create a rainbow table from a range of (popular) nursery rhymes using this algorithm. Just imagine how many people would end up using The Owl and the Pussy Cat went to sea as a basis for their key. Easy pickings. Wouldn't add much to the length of existing rainbow tables.

    2. Anonymous Coward

      Re: Mnemonics are not new

      I hate to tell you, but your example is no longer considered a particularly strong password.
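Added example (not part of any comment in this thread): the rule set from Karmashock's comment implemented in Python, with two strength estimates that illustrate the concern raised in the reply about popular rhymes. The noun list is supplied by hand, and the phrase and rule-set counts (10,000 and 1,000) are constructed assumptions, not measurements.

```python
import math
import re
import string


def _letters(word):
    """Length of a word counting letters only (ignores apostrophes)."""
    return sum(ch.isalpha() for ch in word)


def mnemonic_password(phrase, nouns):
    """Apply rules A-C from the comment.

    A. first letter of each word
    B. capitalise the letter if the word is a noun (nouns are passed in)
    C. prefix/suffix with the lengths of the first and last word
    """
    words = re.findall(r"[A-Za-z']+", phrase)
    if not words:
        raise ValueError("phrase contains no words")
    noun_set = {n.lower() for n in nouns}
    initials = []
    for word in words:
        first = word[0]
        initials.append(first.upper() if word.lower() in noun_set else first.lower())
    return f"{_letters(words[0])}{''.join(initials)}{_letters(words[-1])}"


def naive_entropy_bits(password):
    """What a typical strength meter sees: length x log2(character pool)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def effective_entropy_bits(n_phrases, n_rule_sets):
    """Upper bound when the password is fully determined by a choice of
    one well-known phrase and one transformation rule set."""
    if n_phrases < 1 or n_rule_sets < 1:
        raise ValueError("counts must be positive")
    return math.log2(n_phrases * n_rule_sets)


if __name__ == "__main__":
    phrase = "Mary had a little lamb whose fleece was white as snow."
    pw = mnemonic_password(phrase, nouns={"Mary", "lamb", "fleece", "snow"})
    print(pw)
    print(f"naive estimate:     {naive_entropy_bits(pw):.1f} bits")
    # Assumed, constructed figures: 10,000 familiar phrases, 1,000 rule sets.
    print(f"effective estimate: {effective_entropy_bits(10_000, 1_000):.1f} bits")
```

The gap between the two numbers is the point: the password looks like 13 random characters, but its strength is capped by how many phrases and rule sets a person would plausibly pick from.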

  6. dan1980

    Okay, remembering a password is one problem and one can develop and propose methods of selecting and remembering passwords. Great.

    But typing the f%$king things is another matter altogether.

    As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5.

    1. Charles 9

      Plus, consider the NUMBER of passwords we have to go through each day. I'm pretty sure these phrases run into the point where you have to wonder which mnemonic you used for which site. "Now did I use Mary Had a Little Lamb or Little Jack Horner? Or was it actually Simple Simon?" I'd like to see an effective mnemonic for remembering the credentials for hundreds of arbitrary websites.

      1. Version 1.0 Silver badge

        change your passwords regularly

        Great ideas but then you have sites - notably when dealing with the US government - that require that you change your password every 60 days and require that your new password is not the same as any of the "n" passwords used previously.

        So naturally everyone writes the passwords down on a sheet of paper under the keyboard.

        1. John Brown (no body) Silver badge

          Re: change your passwords regularly

          "So naturally everyone writes the passwords down on a sheet of paper under the keyboard."

          ...or re-use the same password with MMYY tacked on the end. Users will always find the easy way, even if that decreases security.

          1. dan1980

            Re: change your passwords regularly

            @John Brown (no body)

            "Users will always find the easy way, even if that decreases security."

            This ABSOLUTELY should be a key factor in designing a password policy. The key is to make it strict enough that people aren't using 'password' but not so strict and unmanageable that people find a way around it.

            The problem is that it's next to impossible to prevent people gaming the system by using a password that fulfills the requirements but is not very secure at all - Password123 for example, and it's just as hard to prevent people from writing them down.

            The best thing, I have found, is to have a password policy that enforces basic good sense, 8+ chars, complexity (not really necessary) and 90 day expiry (to taste). Then you have to EDUCATE the users on how to choose strong passwords and why these are necessary - especially where remote access (like webmail) is concerned.

            In some workplaces there is a lot of bickering and stealing credit and you need to tell people plainly that if they choose a weak password, one of their colleagues could just log onto their e-mail and steal their sales leads or whatever.

            The trick is to get the users to be part of the process - to understand why it's necessary.

            1. Sir Runcible Spoon

              Re: change your passwords regularly

              My fingers remember passwords better than my brain does sometimes.

              I often find myself 'typing' a password out before I can remember what it is to put into the mobile device.

    2. Anonymous Coward

      "As a systems administrator, I type complex passwords many times a day to the point of muscle memory but I STILL mistype them 2 times out of 5."

      Sounds more like a typing problem than a password problem? Observation suggests something of the order of 1-2% of IT professionals and users are properly trained to a competent standard in touch typing (I'm not, I should add). Think what that does for accuracy and speed across a large business, yet I know of no business that regards touch typing as an essential part of basic training. The companies happily train their staff in manual handling for jobs that don't involve any manual handling, they insist everybody does DSE training, yet with the most basic input operations of a computer companies don't train staff to use the tools properly (and buying the cheapest, nastiest keyboards and mice probably doesn't help either).

      1. Michael Wojcik Silver badge

        Sounds more like a typing problem than a password problem?

        I'll argue it isn't. I'm a trained touch-typist - I was taught to touch-type on manual typewriters in the early '80s, and between programming and my academic work I've touch-typed the equivalent of thousands of pages of text. I still mistype my passphrases (which are now generally around 40 characters) on a regular basis.

        Passphrases often aren't especially amenable to touch-typing. The typical passphrase system has zero tolerance for error and doesn't provide useful feedback. With Windows, for example, the standard password dialogs show bullet symbols for each character and are only 26 characters wide; after that, you don't even get feedback to show that you've successfully entered a character, because the identical bullet symbols just scroll horizontally.

        And passphrases generally aren't typical natural-language phrases, because those would be weak against dictionary attacks. And since many passphrase systems are actually just password systems that allow long "passwords", they are often configured to require a large alphabet, so your passphrase has to include numerals and punctuation. Those elements make it easier to mistype the passphrase.

        Back in the days of non-correcting typewriters, it's true that touch-typists typically had a much lower error rate than they do today, when correcting typographical errors is trivial. But a vanishingly small number of people use such typewriters now, so very few users have the training to eliminate typographical errors. And expecting users to do so once again puts the security burden on the wrong part of the system.

    3. Paul Shirley

      Also a right pia to enter on touch services, the combination of inaccurate input, non availability of fast swipe input in any password box I've seen and being unable to see the result for error correction mean this makes no sense for the fastest growing password protected sector (mobile)

    4. kventin

      """But typing the f%$king things is another matter altogether."""

      german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"

      of course, who in their right mind would set anything different than plain US as default keyboard layout?

      well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!

      1. NumptyScrub

        quote: "german keyboard layout (and derived c-e european) has 'y' and 'z' swapped. imagine the joy "i'm positive i typed the %@!$ thing right! oh, blimey, wrong keyboard layout again!"

        of course, who in their right mind would set anything different than plain US as default keyboard layout?

        well... apparently it's our new domain default. which cannot be changed. enforced by domain policies. updated on every reboot. they can even reboot your computer for you. arghhh!"

        Standardised keyboard layout for servers in EU subsidiaries, I completely agree with. My place does this as we only have the one 3rd line support department for the whole of the EU, and it's based in the UK so we're familiar with (and use) UK layouts. It's not difficult to fit a physical UK keyboard in to the racks for any local support techs to use either.

        Standardised keyboard layout for users though? Utter insanity. If there is one thing guaranteed to cause a fistfight between users and support, it's not having the fucking keys in the correct place. Yes, it means I have to be mindful when typing passwords on a remote system and the layout is QWERTZ or AZERTY, but that is minimal fuss compared to asking several hundred people to use a different layout than the rest of their country uses.

        Maybe I'm being far too sympathetic though ^^;

  7. kdh0009

    Websites are the problem

    As has been mentioned, most authentication is limited to a maximum number of characters which prevent using a really strong password.

    Or worse

    I tried "heroes in a half shell turtle power" on one site, and got a dialogue pop-up telling me my password required strengthening. Sack off

  8. Anonymous Coward

    Bill gates smelling waffle

    I'm now changing my 2 most used passwords.. "Angelina Jolie kissing bush" and "Mark Zuckerberg sucking wiener"

    1. Anonymous Coward

      Re: Bill gates smelling waffle

      But you need a "special character" these days. How about "Kissing Angelina Jolie's bush"

      I'd get my coat, but I think it's AC time in preference to an icon.

      1. Anonymous Coward
        Coat

        Re: Bill gates smelling waffle

        Why settle for one when you can have both?

        1. This post has been deleted by its author

  9. Richard Parkin

    Just use 1Password

    Just use 1Password.

    1. razorfishsl

      Re: Just use 1Password

      And the password you are going to secure all your other passwords with?

      Perhaps you could keep it in another copy of 1password?

  10. Novex
    Coat

    'Barack Obama oiling his owl'

    Coat please...

  11. Robert Ramsay

    "Where now for Mark Zuckerberg raised by badgers?"

    1. breakfast Silver badge

      "Old Woman killed by little glass planet."

  12. Richard Parkin

    How do they recommend that you remember which long passphrase belongs to which site?

  13. Big_Boomer Silver badge

    Oh goody

    So now we need to remember 200 bloody passphrases instead of 200 passwords. Personally I am old and can't remember sh!t these days so I use KeePass to manage my passwords for me.

    One other problem with passphrases is that it takes way longer to enter them. If it's once per day, no problem, but I enter between 100 and 300 passwords every day!

    1. Anonymous Coward

      Re: Oh goody

      Between 100 and 300 a day?

      Really?

  14. ukgnome
    FAIL

    People Are Sometimes Sexy When Occasionally Robot Dancing

    1. b166er

      Please Allow Secret Session Without Obtuse Recall Difficulty

  15. Graham Marsden
    Coat

    Well I think...

    ... it was Colonel Mustard in the Conservatory with the Lead Piping!

  16. Frankee Llonnygog

    On the other hand

    "Steve Balmer throwing a chair in an office" is easily guessed

  17. Shady

    At last, all my services are secure

    "Me typing password into google"

    "Me typing password at work"

    "Me typing password into online banking"

    "Me typing password into amazon"

    There, that ought to do it

  18. Nuno trancoso

    Interesting but...

    Wouldn't work for me. Not how i roll and would make my life a nightmare. At my "peak" i was keeping about fifty or so moderate to long alphanumeric usernames/passwords in my head. Occasionally i'd mix a user/pass, but i'd remember them all.

    All of them were generated by KeePass, but the decisive factor came after. I had to read and type them to see if they "felt right". If they didn't, i'd try to "fix" them because i could "feel" where the wrong part was. If they did, no more work needed. It is my honest belief that passwords can feel "right" or "wrong" to different people thus making them easier/harder to memorize.

    While this might seem a bit esoteric, i'm pretty sure there is an underlying explanation as to why certain random sequences "feel" different..

    Probably the same underlying mechanism that makes certain note/chords sequences "feel right" when listened to and others be just noise.

    1. Anonymous Coward

      Re: Interesting but...

      I use basically the same principle. Some of them do just flow better than others.

    2. non_hairy_biker

      Re: Interesting but...

      I am exactly the same, passwords (and phone numbers) just seem to stick when they feel right, I still remember passwords for now long defunct systems that will never again be needed, people's names however I forget instantly....

  19. Amorous Cowherder

    So basically it's a variation of the very old and well tested "loci" memory technique. By making associations to very familiar places you can remember very complex pieces of information by "walking a journey" through those places you know, picking up familiar objects as you go. Instead with this technique they use famous faces with memorable actions used on everyday, easy to imagine objects.

    1. Charles 9

      I recall it once termed "memory theater". The problem is that it's meant to recall things in a particular order. That's why you "walk through" your loci mnemonic. Trouble is that, in modern life, things are much more random. You may be asked to recall the 57th password you memorized one day and the 124th one the next, with the 89th demanded after dinner for good measure. So having to walk through your mnemonic to recall something out of order can be time-consuming and prone to mistakes.

  20. Arthur the cat Silver badge
    Happy

    George W Bush sucking a chainsaw

    Not a passphrase, just a wish.

  21. Wize

    Cabbage soup anyone?

    Create a password.....

    cabbage

    Sorry, the password must be more than 8 characters....

    boiled cabbage

    Sorry, the password must contain 1 numerical character.

    1 boiled cabbage

    Sorry, the password cannot have blank spaces.

    50fuckingboiledcabbages

    Sorry, the password must contain at least one upper case character.

    50FUCKINGboiledcabbages

    Sorry, the password cannot use more than one upper case character consecutively.

    50FuckingBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessImmediatelyYouTwats

    Sorry, the password cannot contain punctuation.

    NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourArseIfYou DontGiveMeAccessImmediatelyYouTwats

    Sorry, that password is already in use!

    1. Michael Thibault
      Thumb Up

      Re: Cabbage soup anyone?

      One upvote for that. Worth more than one, though, given that I had to log in...

      1. Sir Runcible Spoon

        Re: Cabbage soup anyone?

        Thanks for the laugh - I have actually been through this process myself, but the password wasn't taken when I did it..sorry.

        The funniest thing is that whenever you create a password like this, it sets off some kind of celestial motion that entails you having to provide the password to that particular site to a boss or something. It's a law that should have a name "The Fucking Boiled Cabbage Principle@{}" or something.

  22. Tom 7

    You have typo'ed the password too many times so you now have doubts that it is

    the correct one for this account after all.....

  23. Ugotta B. Kiddingme

    TheQuickBr0wnF0x

    jumpsOvertheLazydog,except_whenhedoesn'tBecausehe1s,@fterall,_atrulyL@zy fuckerWh0sitsaroundAlldaylickingh1sballs@ndyoujustKNOWyouw0uldtoo 1fyoucould!

  24. Risky

    All very well

    But to remote in to the office I have to type the same password three times in a row at different screens. The hell I'm going to type half a novel

  25. Matt Piechota

    password hashing

    I can't believe we're on the second page and no one has discussed password hashing. Is it terribly insecure or something? Example:

    https://www.pwdhash.com/

    Remember one (or a small set of passwords), and use the site/machine name to generate a repeatable hash for each place. Every system has a unique password, you only need to remember a few things. I guess the argument is once someone figures out what you're doing, they have a head start on breaking in, but realistically they're going to go after the "Password201410" jokers first.

    1. Charles 9

      Re: password hashing

      If you have to go that far, why not just use a password keeper and let it generate completely random passwords for each site, taking into account each site's eccentricities? That way you only have to recall one passphrase to open this keep (which you can store locally) which you can make as long and convoluted as you please.
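Added example (not part of either comment above, and not PwdHash's own algorithm): a minimal Python sketch of the "one master secret plus site name gives a repeatable per-site password" idea, with a per-site policy object to cover the length and alphabet quirks the reply mentions. The use of PBKDF2-HMAC-SHA256, the iteration count, the `counter` for forced rotations and all names here are assumptions chosen for illustration.

```python
import hashlib
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    """What a given site will accept (hypothetical structure)."""
    length: int = 20
    alphabet: str = string.ascii_letters + string.digits + "!#$%&*+-=?@_"


def derive_site_password(master, site, policy=SitePolicy(), counter=1,
                         iterations=600_000):
    """Deterministically derive a site-specific password.

    The same (master, site, policy, counter) always yields the same output;
    changing any of them yields an unrelated one. A slow KDF is used because
    anyone who learns the scheme and one site's password can test guesses
    for the master secret offline.
    """
    if not master:
        raise ValueError("master secret must not be empty")
    site = site.strip().lower()
    if not site:
        raise ValueError("site name must not be empty")
    alphabet = sorted(set(policy.alphabet))
    if policy.length < 1 or len(alphabet) < 2:
        raise ValueError("policy needs length >= 1 and at least 2 symbols")

    # The site name and rotation counter act as the salt.
    salt = f"{site}|{counter}".encode("utf-8")
    # 8 spare bytes keep the bias of the base conversion negligible.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=policy.length + 8)

    # Re-encode the derived bytes in the site's permitted alphabet.
    n = int.from_bytes(raw, "big")
    chars = []
    for _ in range(policy.length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


if __name__ == "__main__":
    master = "constructed example master phrase"   # constructed sample value
    strict = SitePolicy(length=8, alphabet=string.ascii_lowercase + string.digits)
    print(derive_site_password(master, "example.com"))
    print(derive_site_password(master, "example.org"))
    print(derive_site_password(master, "bank.example", policy=strict))
    print(derive_site_password(master, "example.com", counter=2))  # after a forced change
```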

  26. Jin

    Generating high-entropy passwords from hard-to-forget passwords

    Generally speaking, hard-to-break passwords are hard-to-remember. But it is not the fate. It would be easily possible to safely manage many of such high-entropy passwords with the Expanded Password System that handles images as well as characters. Each image/character is identified by the image identifier data which can be any long. Assume that your password is “ABC123” and that those characters are identified as X4s&, eI0w, and so on. When you input ABC123, the authentication data that the server receives is not the easy-to-break “ABC123”, but something like “X4s&eIwdoex7RVb%9Ub3mJvk”, which might be automatically altered periodically or at each access if required.

    When such high-entropy data are hashed, it would be next to impossible to quickly crack the hashed data back to the original password. Give different sets of identifier data to “ABC123” and the different servers will receive all different high-entropy authentication data. Brute-force attacking of “ABC123” and other similarly silly passwords would perhaps take less than a few seconds with dictionary and automatic attack programs but it could be an exhausting job when criminals have to manually touch/click on the display with their fingers.

    This function of managing strong passwords by weak text passwords is one of the secondary merits of the Expanded Password System.

    At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Most of the humans are thousands times better at dealing with image memories than text memories. The former dates back to hundreds of millions of years ago while the latter's history is less than a fraction of it. I wonder what merits we have in confining ourselves in the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built in mobile devices.

  27. Anonymous Coward

    oh the horror....

    ... when the Boss shouts across the office "what's the password on this document?" and you suddenly remember you auto-typed your standard one..... 0UR1WankBollokFuckSuckerUR

  28. cavenewt

    Didn't these researchers know about dictionary attacks? Sounds like more of a memory study than a computer security study.

    1. Charles 9

      How well do dictionary attacks do against passphrases containing more than 2 words? Each one multiplies the potential complexity by the size of the dictionary. Six words and a million-word dictionary, assuming no semantics, results in (10^9)^6, or 10^54 possible phrases, and if even one of those words is intentionally misspelled...

  29. Michael Wojcik Silver badge

    Password policies

    By forcing users to reset their password frequently an organization forces its users to remain within the most difficult rehearsal region

    Absolutely. That's one reason why reputable security researchers don't recommend short password / passphrase lifetimes. Doesn't stop know-nothing administrators from imposing such policies, though, because they like to rely on the "standard practice" excuse.

    Account lockout is another idiotic policy that's rarely justified by any sensible threat model. If your password / passphrase strength requirements are decent, it's vanishingly unlikely that anyone will correctly guess a user's password with three tries. What is likely is that users will mistype strong passwords or passphrases (per the discussion above) three times, get locked out, and have to request account unlocking or password reset - which means lost productivity and opportunities for social engineering. Three-strikes account lockout is a great example of a policy that does far more harm than good to password-based security.

    But here again, the people making these policy decisions generally seem to be actively hostile to sound security research, preferring instead to rely on a cargo-cult set of "standard" practices.

  30. Jin

    Interference of Memory

    That some people can do it does not automatically mean that all or many people can do it. That some can finish the marathon for less than 2.5 hours does not mean that many of us can do the same.

    At the root of the password problem is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    Most of the humans are thousands times better at dealing with image memories than text memories. The former dates back to hundreds of millions of years ago while the latter's history is less than a fraction of it. I wonder what merits we have in confining ourselves in the narrow corridor of text memories when CPUs are fast enough, bandwidth broad enough, memory storage cheap enough, and cameras built in mobile devices.

  31. ste-fu
    Pirate

    Passwords are for online security...

    I believe Bruce Schneier recommends writing your passwords down and keeping them in your wallet.

    Most people only ever lose their wallets once or twice in their life, and even if somebody does find it, you don't keep your user id / email written down in the same place.
