Passwords On Post-its? You Bet!

Posted Friday, 12 January 2007, 3:36 pm

A not-uncommon IT-to-user conversation: 

IT Dude:  "The password to log in to your new PC is r4eo1ss89"
User: "Um. Okay. But how will I remember that?"
IT Dude: "Not my problem."
User: "Okay, but there’s no way I can remember that. I’ll have to write it down"
IT Dude: "If you write it down, it’s no longer secure – if someone finds it, they’ll have access to your machine. Do not write it down!"
User: "But…but if I can’t write it down, and I can’t remember it, what can I do?"
IT Dude:  "Not my problem."

At this point, IT walks away, and the user will likely change the password for their PC to "letmein". Or "abc123". And tell security ‘Goodbye’.

But there is a way to keep that impossible to remember password always at the ready, in plain view even—and yet foil anyone who tries to use it. I came up with this idea about a year ago, and to my knowledge, nobody has ever suggested the idea. So I claim inventor status!

So, IT stuck you with r4eo1ss89 as your password. You’re a smart cookie, but you know that if you try to memorize it, you’ll forever be transposing the ‘eo’ to ‘oe’ or running out of memorized characters after the ‘1’. So, the reality of that secure password is, you have to write it down.

Well, don’t hesitate, write it down! Use a bold Sharpie® on a Post-it® , write it in big letters—if you’re feeling particularly cheeky, write "Password for my computer" right above it.

The secret—and there’s a pun in there, I promise—is to ‘password protect your password’. How? It’s absurdely easy, mind-numbingly simple, and you’ll wonder why you didn’t think of it yourself first!

Drum-roll, please: Choose a letter or number that will be your "personal" password. One single character. Add that character to whatever password you have, anywhere in the password. The only caveat is that you must ensure that any password you use does not already contain that letter or number.

Here’s an example. I decide that—for every password I will ever write down—my ‘personal password’ character—my ‘secret key’ so to speak—is a lowercase ‘w’. IT gave me the password r4eo1ss89 . so I write down my password like this:

Good Luck, HaX0R!

This is, for all practical purposes, completely uncrackable. The only way someone could ever get in with that is if they already know that you are using a bogus character in the password, and already know what the character is. You’re presenting them with a password that cannot work unless they know your secret—and it’s a secret that’s exceedingly easy for you to remember and keep secret—just a solitary character! Obviously, it’s a good idea to not use one of the initials of your name. But again, for someone to even put it to use, they have to know that you’re doing this to the password in the first place. If you want to get even more clever, pick a position and designate that your ‘personal position’ along with your ‘personal character’. With that, you can then have passwords that do contain your secret character – just so long as it’s not in your chosen position. So if I chose the letter ‘w’, and always in the fifth position, I could have a password of

a9are4wp2w1 and simply modify it to


Arguably, this positional technique could be slightly less secure—if for example you were to print out your passwords in a cheatsheet, and have them all aligned to the left—then the pattern of a ‘w’ in the fifth position might become apparent. For the serious IT person who has to maintain his/her own list of many complex passwords, it’s probably best to not use a position parameter.

With this exceedingly simple technique, you can hide your passwords in plain sight. People will wonder why it is that you can get in with your password all the time, but when they try to take a sneak-peek into your computer after you’ve gone home for the day, they can never get in.

Share and enjoy!

Followup: It just occurred to me that there’s another variation on this that can work well: Secret character removal. This one does work best with positional parameters: select a character that you will always have in your password, in a particular position, then remove that character from what you write down. So, for example, your secret character is ‘f’, and your secret position is two. You create and use a password of:


But you write it down as


Since you know there will always be an ‘f’ in that second position, it’s just as easy to remember as the ‘extra’ character method. And since you are not writing down the character, it’s potentially even more secure than the already very secure ‘add a character’ method!

Update: Please read my followup article, which addresses some of the concerns that have been expressed regarding these methods.

But what I really meant to write was…



Modren Lfie, Unix Tech Digits Puters


longdead said:

if someone tried it and saw it failed, the biggest risk would be that they would use those nine characters to randomly generate all password combinations using, say 9 characters, which would take a very short amount of time when compared to say 36 or 62 characters of any number or letter in any position

you’d probably be better off writing it in morse code or rot13

Saturday, 13 January 2007, 8:01 am | Permalink

I reckon if someone broke into your bank account using the written down password and you’d somehow let on to the bank that you’d written down and used this or a similar method the bank would still hold you liable for any losses. (They wouldn’t “get” the argument that you’d created a visually incrackable password.

Saturday, 13 January 2007, 8:33 am | Permalink

Hank said:

Or, *gasp*, just remember your passwords. Practice them until you remember. I have 2 passwords with greater than 16 characters (letters, numbers, symbols). I make a new one every 6 months. Maybe I just have a really strong memory. If you can’t remember a password, change it to something like this:


yes, it looks like ‘manatee-grass’. It’s supposed to. Practice it about 20 times and you’ll remember it and not have to write it down.

Saturday, 13 January 2007, 8:42 am | Permalink

Chris said:

I’ve got a better way.

Think of an insanely easy to remember word (say, “password”), and shift your hands either one row up, down, left, or right when you type it. “password” shifted one row to the right becomes “[sddeptf” shifted right, “0qww294e” shifted up, etc.

Always been amazingly useful for me.

Saturday, 13 January 2007, 9:14 am | Permalink

Well Hank, it slightly appears that you are missing the point. Memorizing your 16-digit password is great…but every six months? Do you work at a hotel in Uganda?

Most corporations rotate passwords every 2 weeks. And they don’t allow repeated elements from the previous ten passwords.

Great tip. I use a similar idea but call it “sticky spam”. You simply fill a post-it with nonsense words and adjectives. All are fake leads but your password is a combination of the elements. Your solution is a bit more elegant and less crackable…Thanks!

Saturday, 13 January 2007, 9:24 am | Permalink

Suzuki said:

I disagree with that morse code or rot13 would be better as if I were trying to guess someone’s and their written down password didn’t work, I would use rot13 first, and I don’t know how you would effectively write it down with morse code. I think any variation of this is a good idea, I mean if nobody uses the same pattern how would anyone guess which pattern to start with.

Saturday, 13 January 2007, 9:48 am | Permalink

Keith said:

Alternatively, just do it the hard way.

Saturday, 13 January 2007, 9:52 am | Permalink

jimmy joe said:

Why not JUST the position. Then randomly insert ANY character into that position when writing it down. All you have to remember is to exclude the 5th character, whatever it is.

Saturday, 13 January 2007, 9:53 am | Permalink

pianio1 said:

Personal Password Generating Algorithm FTW.
you just have to remember your algorithm. works perfect for me.

Saturday, 13 January 2007, 9:54 am | Permalink

Adam Brill said:

That is very, very insecure. If anyone knows your method they could guess your password (in your example) in no more than 9 guesses. Your last idea (removing a character) is better, but could be broken with brute force in not that many tries since you already have all but one of the correct characters… Why not choose one random 8 character alphanumeric password and use it for all your passwords? Yes, you’ll have to remember it, but at least it will be secure…

Saturday, 13 January 2007, 9:58 am | Permalink

Robert said:

If the machine is your own, then simply memorize the password. Most poeple have little trouble memorizing nearly any set of numbers if they use it to log on to their accounts on a daily basis.
However, for other accounts where you access maybe once every few months, I say this trick works. I have my own fail proof method that I use to encrypt my seriously long passwords for accounts I rarely access.

Here’s a fun way I developed years ago: Password: d@t2n3Adc
My bank account needs balancing.
dawn’s at termaninal 2 near 3. Again, dealing cards.

Or: d345da3so
Ask about stronghold database
Dad’s 34-35 today. 3 gifts should work.
My lotto picks: 3 1or2 2 3or4 1 5 1 2

The first line tells me what the account is for.
The second line is my password
The third line simply tells me what character is what in the password. The “or” simply tells me multiple characters from the same word and makes more sense as a lotto pick.

I have a better method now that is impossible to guess and remarkably simple. I best not mention it.

Saturday, 13 January 2007, 10:09 am | Permalink

ybplayer said:

One of the TWIT podcasts, Security Now, has two shows dedicated to “Personal Password Policy”. Just google “security now” and look at episodes #4 and #5.

Saturday, 13 January 2007, 10:17 am | Permalink

Aaron said:

I agree with Adam Brill. This is insanely insecure. If you have this “password protected” password on a post-it, right in front of me, you’ve done 99% of the work for me in terms of cracking it. If I know your method all I have to do is go through the permutations of character addition or removal and I’m in.

So let’s say the real password is 3ibhs947s but your post-it note reads 3ibhs9w47s. All I have to do is spend a little time with it because you’ve effectively given the password to me, I just have to go the extra mile, whereas if I didn’t have that clue, I’d be starting from square 1.

Saturday, 13 January 2007, 10:29 am | Permalink

Dudes, you’re missing the point, while making assumptions. “insanely insecure”? wrong. you’re assuming you already know in advance how long the password is supposed to be. you’re assuming you already know in advance that one of these methods is being used. you’re assuming the technique is being used in exactly the way i’ve described. you’re assuming the person is definitely going to put the post-it note right on their monitor. maybe they keep it in their wallet? that’s a lot harder to get to!

the spirit of the article is that, rather than making your password “cheese”, you can use a more complex password, and write it down for reference in case you can’t remember it – yet still have an extra measure of security added, because if someone finds the slip of paper, they are most assuredly not going to know your particular chosen method of obscuring the password – unless you’ve told them.

here, pretend you came across the following post-it note:

ssh port: 32
username: breakme
password: Phn9gEvr

i’ve dropped an ‘easter egg’ into the home dir of the user. you have the advantage of knowing the actual server address. you have the advantage of knowing that ssh is running on a non-standard port. you have the advantage of knowing the username, and you’ve been provided a password that may or may not work. you found that post-it in a wastebasket somewhere. you have no previous knowledge of any of this.

lemme know if you get in, and how long it took. just post the easter-egg here.

Saturday, 13 January 2007, 10:42 am | Permalink

Justsayin' said:

Using the same password everywhere is never a good idea. But I do it all the time. However, I always add a letter from the domain for every syllable of the domain (root password:3x4mp13 password for this site: i3x4mp13anas, password for yahoo: 3x4mp13ya). I always know my password, and I always know the password I made for any given site.

Saturday, 13 January 2007, 10:43 am | Permalink

jon said:

Horrible idea. HORRIBLE. That’s akin to giving me 3 out of 4 of your ATM pin numbers.

Saturday, 13 January 2007, 10:47 am | Permalink

lemme know when you get into my server then, jon, if it’s that easy.

Saturday, 13 January 2007, 10:53 am | Permalink

This is a terrible idea and I’ll tell you why.

Password strength is based upon the length of the password and the keyspace of the possible characters. That’s why 8 characters mixed case upper/lower with special characters is difficult to crack. The cracker must try every iteration and, based upon time and CPU power, this would take longer than any of us would be alive.

If a cracking tool knows the approximate length of the password (in your case, 9-10 characters) and the key space is only the 9 different characters in your password, a tool like John the Ripper could obtain your password in a matter of minutes. It reduces the number of attempts the cracker has to try before successfully finding the password.

This is the same reason it isn’t a good idea to use password that have something to do with your Dog’s name, address, and other information. You can feed that into the cracking tool as well and it tries different iterations of passwords that are more likely to be used.

Any penetration testers can chime in on this as well. This method is not a good idea from a security perspective.

Saturday, 13 January 2007, 11:02 am | Permalink

cvfoss said:

The point of the article is not to come up with the most secure password generation scheme, it’s to help the average user choose a much more secure password.

Saturday, 13 January 2007, 11:15 am | Permalink

God said:

You’re an idiot.

Saturday, 13 January 2007, 11:18 am | Permalink

that addressed to anyone in particular there, Supreme Being?

Saturday, 13 January 2007, 11:35 am | Permalink

John said:

For those of us who work in a physically secured environment, who have to change passwords often – this is an outstanding article.

I’ll use a secure password generator, write out the characters I get, and add a random character of my own at a certain position in every password.

Great ideas.

Saturday, 13 January 2007, 11:47 am | Permalink

A fine idea. Although, obviously you don’t want to publish your exact ‘protocol’ that you follow in writing down your password, a myriad of mechanisms can be used to write your passwords down for memorization.

Let’s say your password is 33sissumt$4.
You could do a myriad of things to it when you write it down for yourself, as such:

1. Shift the first 2 characters up and down…
2. Rotate the first 3 characters each up one…
3. Insert random letter at position 2

and so on…..

Love the idea…those who have to remember 40-50 passwords should be thankful for the advice.

Saturday, 13 January 2007, 12:03 pm | Permalink

xoc said:

Paul Theodoropoulos… all I found was ‘.’ and ‘..’. I figured there was something wrong with your machine, so I reformatted the HD for you.

Saturday, 13 January 2007, 12:06 pm | Permalink

Matt said:

It would be better to use a passphrase. Not only is it longer, but it’s easier to type and remember. For instance, if you had a password that was “I am my own #1 fan”, it is 18 characters long (to avoid the NTLM hash), has uppercase, lowercase, a number, and a special character. It’s easy to type and easy to remember.

Saturday, 13 January 2007, 12:08 pm | Permalink

To generate a reasonably strong password, I recommend doing something like this:

cat /dev/random | strings -n 20

The great thing about this is that it generates something very easy to remember, and its fairly secure.

Okay, so take this password and encrypt it using a OTP or you can use just plain 512 bit AES. Now take the encrypted ciphertext and print it out in ASCII format on post it notes. You should print multiple copies of this as coworkers, cleaning people, etc might throw away some of them making password recovery impossible. Now, take the post it notes and put them in key places. For example make a personal position. Mine is 3 so I count down 3 cubes down from me and drop a load of post it notes in that person’s cube. I go to the men’s room and since 3 is my personal position I count 3 urinals down and put a load of them there on the wall. You can stick them anywhere. If you loose your password, just go and collect all of these and then use them to reconstruct your encrypted cipher text, then just decrypt it ( preferably using at least a 20 digit password ) and then you can remember your password. You can also do this with the encryption password. Its great, and easy for end users.

Saturday, 13 January 2007, 12:09 pm | Permalink

“you don’t want to publish your exact ‘protocol’ that you follow”

exactly. that’s the key to the whole thing. there’s many, many ways one can vary the idea. the more different ways people approach it, the more obscure and difficult it is for Nosy McHaxor to get very far with any given “password” he finds.

Saturday, 13 January 2007, 12:23 pm | Permalink

Jed said:

This is called ‘security through obscurity’ and it’s idiotic. It won’t stop a determined attacker for more than a few minutes.

Don’t ask me to crack your account, though because I have better things to do after submitting this post. The fact that people smarter than you aren’t taking the time to crack your (possibly nonexistent) account does not prove anything.

Your obvious strong faith (belief without evidence) in your system’s infallibility is a sign of some bigger problem, I suspect.

Oh, by the way.

Please tell us:

1) email sites you use, and passwords for them, using only your current system and secret letter/offset/deletion/whatever… has to be the current one.

2) same thing for your UNIX, Windows, and other accounts. Domain registration, blog hosting, web hosting, etc.

3) since you obviously have nothing to hide, please tell us the SSNs, names, birthdates, addresses, and other contact info for your immediate family members.

Saturday, 13 January 2007, 12:43 pm | Permalink

still waiting for any of the l33t haX0rs out there to get into that account i set up. it’s only an eight character password! i thought it was supposed to be utterly dropdead, dumbass, could-do-it-with-my-eyes-closed, LOLZ PWNED easy!

Saturday, 13 January 2007, 12:43 pm | Permalink

Zack Glennie said:

This is a fine solution if your main problem is that your roommates or co-workers are messing with your machine, but if you’re in a high-security environment this is no good. It’s only marginally better than writing down your password and sticking it to your monitor.

One of the cool techniques used by corporations is to distribute a set of password key devices to employees. These are keychain-sized devices that run on a battery and display a strong password on an LCD screen that changes every minute. The only way to get the password is to steal the device (whereas with a password that’s just been written down, you can copy it and put the note back).

Saturday, 13 January 2007, 12:52 pm | Permalink

Chaz Larson said:

I’ve been using a similar method for a while at work. We’ve got to change our passwords every 90 days, and can’t reuse the previous six or somesuch. I’ve got a few “patterns” I use to generate the passwords, and so I can put a postit on my monitor that reads “A3U”, which tells me exactly what my eight-character password is, and what my next one should be when I need to change it [to avoid repetition].

When jon finds that postit, he doesn’t know how long my password is, doesn’t know if it even has any of those characters in it or where they are, etc. I can look at it and know immediately that the password is “AND3RW3AR” or whatever that three-letter sequence means to me.

Saturday, 13 January 2007, 12:58 pm | Permalink

Elynn said:

I can’t believe no one here has mentioned Roboform yet.

Saturday, 13 January 2007, 1:00 pm | Permalink

I’m with you Elynn. I use roboform for all my windows passwords. Of course….to be truly secure…you need a master password for roboform…which brings up the problem again!

Saturday, 13 January 2007, 1:04 pm | Permalink

what zack said, indeed. i’ve used a securekey, generating throwaway passwords. most excellent.
i definitely do not recommend or encourage the use of this technique in a truly high security environment. however, if you have a stack of servers with 16 character fully random passwords, and must write them down on a cheatsheet to keep in your wallet – well, you have a choice of writing them down verbatim, or obscuring them using this – or a variation upon this – method. i’d go with the latter, if i *had to* write them down.

Saturday, 13 January 2007, 1:28 pm | Permalink

Jed: if it’s so trivial that it would only take “a few minutes”, then the argument that you have better things to do is weak, and merely suggests you’re not up to the task (time to troll, but not enough time to publicly prove i’m an idiot? fat chance). Furthermore, ‘security through obscurity’, *in and of itself*, is no security at all – absolutely. However, obscurity is an important, explicit part of the security equation. Otherwise, why do you hide your passwords in the first place? You seem to have lost that thread of the argument when you go on to list several queries that merely highlight that obscurity is an important part of being secure.

Saturday, 13 January 2007, 2:11 pm | Permalink

xeen said:

Here’s another idea: Instead of remembering the password, remember the movements you have to make in order to type that password in. It’s easier with non-auto generated passwords, but (may) work with those ones as well.
Simply try to remember how you have to move your fingers, similar to training piano.
Type it a few times into a normal editor and see if you can do it correctly. I can’t tell most of my passwords without a keyboard in front of me, and even than it’s hard to just imagine which keys are pressed. It’s easier to just type it.
I mightn’t be appealing to everyone, but give it a try.

PS: You should mark which fields are required, I submitted this form and then had to go back, already expecting that I’d lose what I wrote I copied it luckily. You should really make it clear what is required to submit the form and even if someone fails to provide such info offer an easy way to retry.

Saturday, 13 January 2007, 2:26 pm | Permalink

Cerium said:

This was a really great idea. Was. Now that you posted it it is now useless. If I ever encounter a password written down and it doesn’t work first think I will think of is? “Hey.. doesn’t this remind you of that trick on digg 3 years ago. Wait it does!”
So that means that you invincible password is now down to about 10 combinations.

Windows in a corporate environment allows you 5 tries before a 30 second cool down. So in one minute I could be in.

Thanks for the tip!

Saturday, 13 January 2007, 2:36 pm | Permalink

subcorpus said:

i dont think will be safe for someone who uses the same password for hotmail, gmail, skypeout … etc …

Saturday, 13 January 2007, 2:37 pm | Permalink

kurious said:

Paul, I think it’s a fine idea. People are missing the point – if you are in a truly secure environment, tech support wouldn’t be reading you a password over the phone. You’d have biometric / cardkey token / password authentication, etc.

Here’s the point: how many attacks come from your coworkers/neighbors vs. random leet hax0rs on the net?

The current situation is that people “protect” themselves from their coworkers by memorizing an easy password “123abc”, which leaves them open to the hax0rs.

This reverses it: it makes it very hard on the hax0rs (has anyone broken in yet?), and still pretty tough for the coworkers. Again, nobody knows your system – people are assuming coworkers know you are using this system, and know your replacement strategy. Heck, the password could even be written *backward* or be shifted N positions (12345 is actually 23451), or, or… get the picture?

The best is the enemy of the good. This is a *good* system, it’s not meant to be the best. The best is a really annoying multi-factor authorization scheme with 1-time use passwords and urine samples, which nobody wants to use.

Saturday, 13 January 2007, 2:55 pm | Permalink

I absolutely love the comment from the person totally duplicating my name! Thats some 1337 shit there. ;-)

BTW — Although I speak about 5 languages, this is an ENGLISH forum as far as I know. So, Please … *IF* you’re gonna copy my name, please at least say something intelligent or people will know that its not me.

Reitteration of the obvious does not constitute intelligence.

P.S. Thanks Pedro ;-)

Saturday, 13 January 2007, 3:13 pm | Permalink

wht.rbt said:

Can’t believe you people are complaining about changing your passwords every 6 months. I worked at a bank, passwords were changed every month.

I just turned whatever phrase was stuck in my head at the time into a password, swapped some Os for 0s, Ts for +s and so on – found it very easy to remember, and relatively secure.

Writing passwords down. Bah! :)

Saturday, 13 January 2007, 3:46 pm | Permalink

Tronic said:

It’s actually quite good – because in an office setting, no one is going to go through the passwords with a bruteforce – it just wouldn’t be practical.

Here’s another great method that works on the same level.

Find a letter that doesn’t appear in the password, and this will be your secret key (it’s called a sentinel in IT jargon).

Now just add your secret key a few times in various areas of the password, and then when you want to decode the password, just ignore the secret key.

So say my password is:

I could choose my sentinel (secret key) to be the letter “p”, and I could encode my password like so:

Now to decode this, I just ignore every p in the password to get:
klaptptpppup –> klatptpppup –> klatptup –> klattu

Saturday, 13 January 2007, 3:48 pm | Permalink

Rob said:

All my passwords are abc123.

Saturday, 13 January 2007, 4:02 pm | Permalink

Martin said:

I can’t believe you’re actually serious about this.. in an office setting, yeah – perhaps this would be sufficient (or perhaps just change the password to something that you will remember more easily) but for something that requires more security, i.e. online banking, giving a hardened attacker the majority of the password ommiting or adding one character is suicide.

Saturday, 13 January 2007, 4:17 pm | Permalink

techguy said:

I just don’t have anything of worth and so no one wants my password.

Saturday, 13 January 2007, 4:45 pm | Permalink

uh, martin, did i suggest anywhere in the article that this was a good idea in a hardened security environment? i used the silly example of the “IT dude” to try to get the idea across that maybe this was just a typical cubicle farm environment. reasonable security needed, but lives won’t be lost if someone gets in.

i wasn’t being terribly serious about posting the password on your monitor. and anyone with a reasonable understanding of the *concept* will know that there’s many different ways you can modify the password easily, while making it harder for someone *if they find the password to begin with*.

whenever possible, i use fully randomized passwords of up to 40 characters in length for my online banking. but i use roboform to store them. with a reasonably secure master password. which i don’t keep on a post-it on the monitor.


Saturday, 13 January 2007, 4:46 pm | Permalink

mtheo said:

For the benefit of the empty boasthards like "Jed," I can confirm that the ‘breakme’ account exists on the klaatu server just like any of the other user accounts, and the easter-egg is there. How do I know? Well, (a) anastrophe is my brudda, and (b) I have root on the server too. If he’s dumb enough to give his idiot brother root, then you have no excuse for not disproving him. The correct phrase for these situations is, and has always been, "Put up or shut up, jackass, and have a nice day."

Saturday, 13 January 2007, 6:06 pm | Permalink

mtheo said:

Urg. Make that “no excuse for NOT disproving him.” See, I TOLD you his brother was a idjit.

Saturday, 13 January 2007, 6:37 pm | Permalink

Rob said:

Obviously if you’re the president of a bank this is a bad idea; however, some of us aren’t. I support 8,500 end users who are forced to change at least three passwords (network, e-mail, and mainframe) on a monthly basis. These people don’t care about network security — forcing complex passwords is seen as a nuisance to them. The point I’m getting at is, users are writing down their passwords ANYWAY. if they’re going to do it, they might as well try and disguise the information.

As for whoever said this had limited application, I disagree. Sure, if all you are doing is inserting random w’s into passwords, it won’t take long for someone to figure out the pattern. But what if you randomly hit shift on the third character? Or bump the first character down a letter? Or make a rule that whenever you put two numbers together, you drop the second one? I way I see it, the possibilities are endless. And if you change your rule on a yearly basis too …

Saturday, 13 January 2007, 7:04 pm | Permalink

Jed said:

As to how to do it mrtheo, a clue would be Perl and its splice function.

Sorry, too busy to disprove your brother’s crackpot theories.

Maybe next he can tell us about his xor encryption scheme.

BTW I notice that he also spells God with a hyphen in it (G-d) which tells me a lot.

Faith and security, not a good mixture.

Saturday, 13 January 2007, 7:19 pm | Permalink

Someone said:

Actually this is not a secure method at all. By giving the password to someone interested in getting in with a one character difference, you’ve already done most of the work for them. Your in effect reducing the possible permutations of the password. You should really probably read this before tauting falsely secure password methods:,72458-2.html

Saturday, 13 January 2007, 7:24 pm | Permalink

Jed, you live up to my expectations. bogus begging off – time enough to troll digg, and post comments here twice, but not enough time to spend “just a few minutes” to prove your point with actions, not words.

and hey, i wrote an article just for you!

lemme guess – you have a poster of BF Skinner next to the hot water heater there in the basement, and a poster of Battlestar Galactica over your cot.

Ego and virginity, not a good mixture.


Saturday, 13 January 2007, 7:29 pm | Permalink

Rich said:

This entire discussion just goes to show how “password policies” can lead to insecure practices by those subject to them. I think the best way for an organization to elevate their level of security is to educate the users about insecure password practices and teach their users how to make their passwords more secure.

Saturday, 13 January 2007, 7:43 pm | Permalink

mtheo said:

Excellent point, Rich. I’d only add to it the helpful complementary practice of also educating the “IT dudes” themselves — about some basic facts of human nature, perhaps adding some basic facts of existence in society and organizations, and maybe some elementary canons of social behavior. Too bad with so many of ’em it seems the only truly effective venue and trainer would be dark alley and 2×4 respectively.

Saturday, 13 January 2007, 8:26 pm | Permalink

Kardanat said:

Sorry for my English..

Let’s try to write a “Post-it password recovery” program

i guess these type of passwords needs MAXIMUM of;

S= P1 + P2 + P3 + ………………………………….. Pn

operations to be cracked.

P=Max number of operations for a particular method to be cracked.
Exmple: In the character removal method it is 28^(k+1)[Maximum]

n = Number of reasonable methods,,algorithms .That means the number of practical ways –easy to remember and doesn’t involve too many operations to decode and not easy to notice– which i believe nearly imposible to formulate here and don’t know either it’s a big number or not.

As a software developer i want my program to find passwords as quickly as possible so in this kind of software i take acount most briliant ideas (practical yet secure ones ) before.

So P1 would be character removal method or something like it….


Password Mind Post-it
axCAT4wkrv Keys: 3 and CAT ax4wkrv
Algorithm:Removal of keywords
or letters.

…………….. …………………………………..


Password Mind: Post-it
ke3xz9t Some complex key: 1dfkt5c Something like:fq3fk39ds
Some complex algorithm:…….

Saturday, 13 January 2007, 10:06 pm | Permalink

root-klaatu /% grep Failed /var/adm/authlog | wc -l

this is pathetic. laughable. I gave away the farm in my challenge, yet this task that supposedly should take ‘a few minutes’ has yet to be complete in more than 13 hours now, after 647 attempts.

oh well. i’ve configured it so i’ll get paged if someone ever does actually get in.

bon chance!

Sunday, 14 January 2007, 1:07 am | Permalink

oh – for the sticklers for accuracy out there:

root-klaatu /% grep Failed /var/adm/authlog | grep breakme | wc -l

and while i’m sure it won’t satisfy Jed, here’s my test connections from remote after I set up the account.

root-klaatu /% last breakme
breakme pts/3 Sat Jan 13 10:07 – 10:07 (00:00)
breakme pts/3 Sat Jan 13 10:00 – 10:00 (00:00)
breakme pts/3 Sat Jan 13 09:58 – 09:59 (00:01)

wtmp begins Sun Oct 23 15:53

Sunday, 14 January 2007, 1:16 am | Permalink

I’m all for this Paul. The folks who work in the cube farm that I support all write down their passwords and put them in easy to find places. We don’t have any users who arent in IT with more than 1 password, and we only require a change every 6 weeks…hardly a stringent policy. The way I deal with this is every couple weeks I come in about a half hour early and roam around the office and take all of the post-it notes. About 2 hours later I get a call from the help desk guy (who happens to be a good friend of mine) who wants to know how in the hell half of my office has locked themselves out of the network. Every time I do it I get less and less people writing their passwords down.

I love this idea. Most people don’t steal passwords like I do, and so at least their passwords will be safer than the plaintext. I also am surprised that these folks who say that your method isnt secure haven’t yet gotten into your server. Keep up the good work man, from one sysadmin to another.

Sunday, 14 January 2007, 8:13 am | Permalink

Coda Hale said:

Paul, security professionals don’t tend to rely on “if you’re so smart then hack this”-type stunts to demonstrate how resistant something is to attack — there are too many confounding variables to draw any conclusions. First, your pool of potential attackers is small and not particularly well-trained; second, an online target like an SSH server introduces network latency, which adds a large measure of computational expense to any attack attempts. While that’s good for SSH, it doesn’t make for a good demonstration of your claim.

Luckily for you, though, I’m not a security professional — I’m just a bored programmer who hasn’t had his coffee yet — so I took a swing at your server. I guessed you were using some combination of removing a single character and adding a single character, which meant 3480 possible unique permutations — a computational expense less than 2^12. That’s not much; it’s less than the security provided by a 12-bit password. I ran this list of passwords against your SSH server, and a bit over 40% of the way through my projected keyspace it reset a connection. Because I didn’t have any error handling for that, the loop died and I gave up. Like I said, I haven’t had my coffee yet.

But you can see why it’s a flawed experiment; which is the most likely explanation — that your method is secure, or that I’m a crappy hacker? You’re the one proposing a method for storing passwords, and you’re the one claiming it’s reasonably secure; the burden of proof lies with you, and taunting commenters in your blog about their lack of skill, time, patience, or motivation doesn’t seem like a good demonstration of your claim.

Here’s a suggestion on what I think *would* be a convincing argument for your method — calculate the number of algorithms that a person could possibly use to obscure their password. Then calculate the number of permutations each of these algorithms would produce. The number of total permutations which could be produced by all the algorithms would be the size of the keyspace for this method; if it’s large enough, you’re on to something. If we take the add-a-letter/remove-a-letter algorithm as a decent example (and we don’t know that it is), then you’d need there to be something like 2^42 potential algorithms in order for your method to be equivalent to a 56-bit DES key, and even that is an extremely weak key, crackable by dedicated hardware in an hour or so.

So is this method better than just a password on a post-it? You bet. Is this as secure are you’re claiming? I doubt it.

I liked Bruce Schneier’s suggestion for managing passwords — write them on a piece of paper and put that in your wallet. People usually have decades of experience in keeping their wallet safe. If you’re concerned about what would happen if your wallet was stolen, you could keep a copy of the list in a safety deposit box or safe, and once you’re done canceling your credit cards, you could change all your passwords.

Sunday, 14 January 2007, 9:59 am | Permalink

Thanks for your comments, Coda. I appreciate what you say, and particularly how you’ve said it. Our friend Jed above did nothing but sneer and suggest it was a task easily done in ‘a few minutes’. I tend to come back at people the way they came at me – not my best trait. So I sneered back at him.

I agree that a remote ssh challenge is more difficult than just running against the target directly – but still. You guessed correctly that the key I’ve used is add a char, remove a char. that still means that 75% of the password has already been provided – and by the sneers here and on digg’s comments, i’m a lame-ass idiot for thinking that has any security at all. until someone gets in, those suggestions will remain…dubious.

i made a big mistake in going for an attention-getting title for my article, and for going too far in my claims in the article. i’ve already written most of a followup article to address that, which i’ll be posting shortly. certainly it’s “crackable” – particularly the example i provided in the article – as is any scheme, particularly when the attacker knows in advance how long the password should be, and what method you used to obscure it. But the essence of the idea is that those two variables should be known only to you, the password holder. posting your password on your monitor…uh, no. not a good idea, generally! but it sure worked to pique people’s interest!

your last paragraph sums it up – and actually, the article grew from exactly that idea. i worked briefly at a prominent web company, with a very large net-facing server farm, and they took security deadly seriously. only a very limited number of people had total access, and they each carried securekey fobs which generated throwaway passwords for the *second* level of four levels that were required to go through to actually reach one of about a dozen ‘jumping off’ servers from which the rest of the servers were accessible. and it was those jumping off servers that had fully random character, very long passwords. which needed to be changed regularly. which meant the busy admins couldn’t possibly keep them all memorized. so – they kept a tiny printed list in their wallets. since there were three levels of security that had to be gone through before even reaching those servers, the list of passwords with hostname aliases was essentially worthless to anyone who might find or steal the wallet. but still, it gave me the ‘eeby jeebies’ when they showed me that list my first day there. and that is where it occurred to me that throwing a particular character into each of those passwords would add another layer of protection – paranoid-admin style – into a printed out list.

as you might be able to deduce, my morning coffee is talking!

your attempts indeed showed up –
root-klaatu /% grep Failed /var/adm/authlog | grep breakme | wc -l
and again i appreciate your point that it’s a flawed challenge.

nevertheless. how long do you think it would have taken you to get in if you’d found that postit (or pretend you found it in a wallet) – and the password that was written down was indeed the actual password?

therein is the ultimate intent of the article. you had to expend a fair bit of effort to try to get in, even though you ‘found a wallet with a list of passwords’. you’d have posted the easter egg “in just a few minutes” had that virtual postit had the real password on it.

Sunday, 14 January 2007, 10:25 am | Permalink

57391 said:

Randomly fill a grid with characters, i.e.

o N O j v e ! W
A b 6 u J % 0 G
Z c ^ f Q V L S
) @ X * R 8 t & F

Pick out a meaningful but semi-random path through the grid. Preferably not something simple like a straight line, but even a 3×3 square randomly located somewhere quickly makes a good password. I could just remember “start at Q” and “clockwise by 3” and I get:


And who’s to turn that grid into that password? The corporate password policy come around again? Just remember one new character. Say I switch to u:


Just like that! Significantly better than this trivial cipher presented above.

Sunday, 14 January 2007, 10:32 am | Permalink

Coda Hale said:

If I had my password on a post-it, and I had the choice of handing it to Hacky McHackersons in either plaintext or obfuscated form, I’d totally go with obfuscated. Best case scenario — it’s to an online account, and my account gets disabled on the fourth try. Worst case scenario — it’s to an GPG file, and he’s got it open in a few milliseconds.

Also I just realized the server I’d been trying was port 22, not port 32. Whoops! Lemme run that again. This time with the right port and some error handling.

Sunday, 14 January 2007, 12:01 pm | Permalink

Coda Hale said:

Well, my script didn’t work, so I guess the keyspace is bigger than I thought it was.

Sunday, 14 January 2007, 12:21 pm | Permalink

Josh said:

Idiot. You might as well underline your big bad “secret” character. This is the dumbest “trick” I’ve seen.

Sunday, 14 January 2007, 4:31 pm | Permalink

JunkIT said:

This has been around for along long time only its been done better all my passwords contain random characters and a keyword mixed in randomly.

For example my keywork is BIRD

My passwords are –

1_2_3_4_ + BIRD = 1B2I3R4D
1234____ + BIRD = 1234BIRD
__1234__ + BIRD = BI1234RD

You can mix this up anyway you want and you can write down your passwords and all you have to remember is the 4 (or more) letter/number combination that makes up your keyword. :)

Sunday, 14 January 2007, 5:31 pm | Permalink

Simpleton said:

This is the most retarded idea I have ever hear of and it still makes your password easy to crack. You are as like “God” said AN IDIOT.

Sunday, 14 January 2007, 5:59 pm | Permalink

A bored guy said:

While I appreciate anyone trying to find a good method to secure peoples passwords, I have to agree that this masking method would be fairly easily cracked. Here is how I would accomplish this in 2-3 days with little or no work on my part. Agree or disagree with me I don’t care.

Day 1
1) I go to your office and steal your post it.
2) Now since you didn’t memorize your password you have no idea what it is so you have to have “IT Dude” reset it. Of course you don’t want to memorize the new one either so you right it down and mask it.

Day 2
1) I go to your office and steal your post it.
2) Now I have 2 of your post it’s with 2 different passwords but both masked the same way it is fairly simple to discover at this point which character needs to be taken out but if I want an even easier time I just wait until tomorrow and steal your 3rd post it and password now it is child’s play.

Day 3
1) By now I probably have your password if not I can simply steal the 3rd one as stated above and I definitely know it.

Now I am not saying you couldn’t change your method or hide your password and make it difficult for me but this is the attack to the method you suggested in the article. Also if I am patient enough to wait for you to change your password on your own I won’t even make you suspicious.

Sunday, 14 January 2007, 6:07 pm | Permalink

Tarball said:

Just out of interest, how many people check their machine for an inline keystroke logger each day? Because, let’s face it, if someone can read a post-it stuck to your monitor, plugging in a keylogger is child’s play.

Sunday, 14 January 2007, 6:49 pm | Permalink

dear Josh and Simpleton,

root-klaatu /% grep breakme /var/adm/authlog |grep Failed| wc -l

Sunday, 14 January 2007, 6:56 pm | Permalink

I’ve posted a followup article, addressing some of the concerns expressed. you can find it on the main page, natch.

Monday, 15 January 2007, 12:52 am | Permalink

F1ank3r said:

Paul, why are you still taunting Josh and Simpleton if you read and understood Coda Hale’s first post?

Monday, 15 January 2007, 3:31 am | Permalink

mainly because it amuses me to do so. when i read their brilliantly concieved, crafted, and executed rebuttals to my article, i can’t help but respond in the same spirit!

Monday, 15 January 2007, 7:17 am | Permalink

we have a winner! just got paged that someone logged into the breakme account. authlogs show that IP made 12,350 attempts to get in. first attempt was
Jan 14 05:11:33
and successful login was
Jan 15 18:03:56
or about 11 seconds per attempt over about 37 hours.

while acknowledging the caveats Coda noted, it still seems it was remarkably difficult to break into the account. Did it help knowing 3/4ths of the password in advance? Sure doesn’t seem like it. Heck, I can change the password and we can try again – and see which takes less time.
I’d be surprised if there were much difference at all.
Which once again highlights one of my main points – the method isn’t intended to stop a determined perp.

Monday, 15 January 2007, 6:17 pm | Permalink

mtheo said:

Web 2007: No matter how many times and in how many ways you reiterate your main points, the loudest voices will be those that don’t get it.

Monday, 15 January 2007, 7:01 pm | Permalink

kludge said:


What was the easter egg grand anastrophe muckety-muck?

Tuesday, 16 January 2007, 9:23 am | Permalink

ah yes. the Easter-egg file said

“My Middle Name Is Christopher”

and the ironic thing is, later today depending upon the Court’s decision – that won’t be true any more!

(for those unclear on that, see

Tuesday, 16 January 2007, 9:35 am | Permalink

JJ said:

I’m sorry, but this isn’t going to cut it if you’re working in an office with hackers (computer programmers). It would be very easy to find your password.

Maybe you’re a bunch of Excel-user goons, it seems soooo smart.

I feel bad for you. Really, I do.

Friday, 26 January 2007, 10:57 am | Permalink

thanks for sharing! could you point out where in the article i suggested this was appropriate for an office filled with hackers, computer programmers, professional blackhats, security consultants, encryption researchers, etc?


Friday, 26 January 2007, 11:07 am | Permalink

Kenneth said:

Although a determined hacker could theoretically brute force a password, this would imply that the hacker has an undetermined amount of allowable attempts at a system. Most systems, banks most notably, will lock you out after a few attempts. Good luck guessing the scheme in 3 tries. On a side note, if you happen to know the user’s username, and you happen to be a prick, you can simply try 3 random passwords just to lock them out of their own account. :-)

Monday, 19 February 2007, 9:26 pm | Permalink

Because no one seems to have mentioned this already, there is a handy little program available for linux called “apg” (advanced password generator). What it does it create passwords out of noises or phonemes, because you can actually pronounce the password it’s much easier to remember.

$ apg

Please enter some random data (only first 8 are significant)
(eg. your old password):>
rolpUc9joy (rolp-Uc-NINE-joy)
thosGon6 (thos-Gon-SIX)
HovEtsaw0 (Hov-Ets-aw-ZERO)

I haven’t tried it but it seems it may work in windows too

Monday, 26 March 2007, 5:32 am | Permalink

Jim Rippon said:

Why complicate matters?

I encourage my users to write down their passwords, it means they are more likely to choose difficult-to-crack passwords.

The only caveat is that they must treat their passwords as they do their credit cards. They should be kept on them at all times, and if they lose them or they are stolen we are informed.

Tuesday, 14 August 2007, 2:34 am | Permalink

Why not JUST the position. Then randomly insert ANY character into that position when writing it down. All you have to remember is to exclude the 5th character, whatever it is.

Saturday, 23 July 2011, 12:13 am | Permalink


Made with WordPress and the Semiologic CMS | Design by Antonella Pavese