Source Links:

"Write down your passwords; your wallet is a lot more secure than your computer," Whitfield Diffie, chief security officer at Sun Microsystems, said Tuesday.

Sun CSO: Write down your password | News Blog - CNET News

Bailey Whitfield 'Whit' Diffie is a US cryptographer, one of the pioneers of public-key cryptography and co-inventor of the Diffie-Hellman key exchange.

--

"I still maintain that writing your password down is the only sane thing to do. At last count, I have 114 different passwords, for different systems, and those are only the ones I actually care about and need written down. The reason I am able to have 114 different passwords is because I do write them down."

Write down your passwords - Jesper's Blog

Dr. Jesper M. Johansson, ISSAP, CISSP, MCSE, is the author of three books on Windows security for Microsoft Press.

--

"Today I did something that I've been putting off for a while. I wrote down all my passwords, and put it in a safe place. It feels morbid to do, so I decided to write an article vindicating why I did it... and why you should too. [...] Obviously, the first reason comes to mind: you die."

Write Down Passwords, for Your Own Good | Christopher Price .net

--

"Computer security involves a series of trade-offs – that's just the reality of today's Internet. And that brings us to the inescapable conclusion, that strong passwords, despite the fact that they may be impossible to remember – which means they must be written down – are considerably more secure than those that are easy to remember."

Bill Mullins: Be Safe – Write Down Your Passwords

--

"Well, don't hesitate, write it down! Use a bold Sharpie® on a Post-it®, write it in big letters—if you're feeling particularly cheeky, write "Password for my computer" right above it. ... The secret—and there's a pun in there, I promise—is to 'password protect your password'."

Passwords On Post-its? You Bet! | klaatu

--

"Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down."

Schneier on Security: Write Down Your Password

--

“The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services.”

http://www.ffiec.gov/pdf/authentication_guidance.pdf

This is the FFIEC (Federal Financial Institutions Examination Council) guidance "Authentication in an Internet Banking Environment" (2005), the US regulators' position that single-factor authentication alone is inadequate for high-risk transactions and that financial institutions should use multi-factor authentication or comparably effective controls.

--

"Human authentication through mutual acquaintance is an age-old practice. In the arena of computer security, it plays roles in privilege delegation, peer-level certification, helpdesk assistance, and reputation networks. As a direct means of logical authentication, though, the reliance of one human being on another has little supporting scientific literature or practice."

http://www.rsa.com/rsalabs/staff/bios/ajuels/publications/fourth-factor/ccs084-juels.pdf

This is the paper "Fourth-Factor Authentication: Somebody You Know" (ACM CCS 2006). Co-author Ron Rivest is one of the inventors of the RSA public-key encryption algorithm (along with Adi Shamir and Len Adleman).

--

Online password storage:

A comprehensive password storage solution for multiple operating systems. The basic version is free; a premium version is also available.

https://lastpass.com/

--

Primarily designed as a bookmark/favorites synchronizer for multiple computers and browsers, Xmarks will also store and synchronize passwords.

http://www.xmarks.com/

--

Local password storage:

The following Wikipedia links refer to two of the more popular solutions:

http://en.wikipedia.org/wiki/KeePass

http://en.wikipedia.org/wiki/Password_safe

--

Lists of frequently used passwords:


"There have been three instances that I know of where a significant number of hacked account passwords have been publicly released. I have obtained the lists and made a thorough analysis of each of them, including the most common passwords and character frequencies. In total, there were 116782 passwords."

http://blog.jimmyr.com/Password_analysis_of_databases_that_were_hacked_28_2009.php

--

"...when I got an email from "Admin@MySpace.com" I kind of chuckled. It was the usual scam trying to get me to login to their fake MySpace login page. I of course entered in my bogus login details that I don't have or will ever have. Then I went to the root directory the script was in. Sure enough it was all indexed. 20,000 emails and passwords to go along with it sitting in a plain text file. I downloaded it and looked through it ..."

Analyzing 20,000 MySpace Passwords · Cyber-Knowledge.net

--

RockYou Hack Reveals the Worst 20 Passwords

By far, the most popular password on the site was "123456," apparently satisfying a minimum character limit on the site's password restrictions, but doing little for security. A full 290,731 users used this password, far more than the runner-up, the slightly less complex "12345," which attracted 79,078 uses.

http://www.pcmag.com/article2/0,2817,2358273,00.asp

--

"To give you some insight into how predictable humans are, the following is a list of the 500 most common passwords. If you see your password on this list, please change it immediately. Keep in mind that every password listed here has been used by at least hundreds if not thousands of other people."

http://www.whatsmypass.com/the-top-500-worst-passwords-of-all-time
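The three analyses above (the 116,782-password study, the RockYou top-20 and the top-500 list) all do the same thing: count how often each password appears in a leaked dump, look at what kinds of characters people actually use, and turn the result into a blocklist. The following is an added example, written for this page and not taken from any of the linked analyses, showing that pipeline in Python. The dump it reads is a constructed, deliberately skewed sample rather than real leaked data; the function names are this example's own.

```python
"""Analyze a leaked password list the way the linked studies do:
most common entries, character-class frequencies, and a check of a
candidate password against the top-N blocklist."""
from collections import Counter

# Constructed sample dump (NOT real leaked data), one password per line,
# skewed toward a few weak choices as real dumps are.
SAMPLE_DUMP = """123456
password
123456
12345
iloveyou
123456
princess
12345
Tr0ub4dor&3
123456
rockyou
password
abc123
123456
12345
qwerty
"""


def load_passwords(text):
    """Split a dump into passwords, keeping duplicates (they are the signal)
    and case; blank lines are dropped."""
    return [line for line in text.splitlines() if line.strip() != ""]


def most_common(passwords, n=5):
    """Return [(password, count), ...] for the n most frequent entries."""
    return Counter(passwords).most_common(n)


def char_class_frequencies(passwords):
    """Fraction of all characters in the dump that are lower-case, upper-case,
    digits or symbols (fractions sum to 1)."""
    classes = {"lower": 0, "upper": 0, "digit": 0, "symbol": 0}
    total = 0
    for pw in passwords:
        for ch in pw:
            total += 1
            if ch.islower():
                classes["lower"] += 1
            elif ch.isupper():
                classes["upper"] += 1
            elif ch.isdigit():
                classes["digit"] += 1
            else:
                classes["symbol"] += 1
    if total == 0:
        return classes
    return {k: v / total for k, v in classes.items()}


def all_digits_share(passwords):
    """Fraction of entries that are purely numeric (the '123456' problem)."""
    if not passwords:
        return 0.0
    return sum(1 for pw in passwords if pw.isdigit()) / len(passwords)


def is_on_blocklist(candidate, passwords, n=500):
    """True if candidate is among the n most common entries of the dump,
    compared case-insensitively, as a 'change it immediately' check."""
    top = {pw.lower() for pw, _ in most_common(passwords, n)}
    return candidate.lower() in top


if __name__ == "__main__":
    pws = load_passwords(SAMPLE_DUMP)
    print("entries:", len(pws))
    print("top 3:", most_common(pws, 3))
    print("all-digit share:", all_digits_share(pws))
    for cls, frac in char_class_frequencies(pws).items():
        print(f"{cls:7s} {frac:.3f}")
    print("'PASSWORD' blocklisted:", is_on_blocklist("PASSWORD", pws))
```

On a real dump, replace `SAMPLE_DUMP` with the file contents; the counting is linear in the size of the list, so the 116,782-entry set in the study above is trivial. The blocklist check is case-insensitive on purpose: a user who types "Password" instead of "password" has not escaped the dictionary.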