Microsoft: Write down your passwords

Companies should not ban employees from writing down their passwords because it forces users to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of the AusCERT conference on Australia's Gold Coast, Jesper Johansson, senior program manager for security policy at Microsoft, said the security industry had been giving out the wrong advice to users by telling them not to write down their passwords.

"How many have password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of delegates raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them," he said. 

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords I am going to pick a really crappy one, use it everywhere and never change it. If I write them down and then protect the piece of paper -- or whatever it is I wrote them down on -- there is nothing wrong with that. That allows us to remember more passwords and better passwords," said Johansson.

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, they did not think it was practical.

One IT administrator from an international entertainment company, who requested anonymity, said that despite it being strict company policy to not make a note of passwords, he collated his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

Another delegate from a government agency, who also requested anonymity, said storing a password list in an encrypted file may work for the administrator, but it would not work for users because they would then forget the password to decrypt the password file.

The delegate said that even using two-factor authentication -- such as an RSA token -- was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.
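The two positions above (write passwords down and protect the record; keep them in an encrypted file, but then the whole collection hinges on one master passphrase) can be made concrete. The following is an added example, not code from the article or from Microsoft: a minimal encrypted "written-down password list" using only the Python standard library, plus a check for the cross-system reuse Johansson describes. The key is stretched from a master passphrase with PBKDF2-HMAC-SHA256, the stream cipher is HMAC-SHA256 run in counter mode, and a separate HMAC tag is verified before anything is decrypted (encrypt-then-MAC). The vault format, function names and sample entries are this example's own assumptions; a production tool would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a maintained library rather than this construction.

```python
"""Encrypted "written-down passwords" store (added example, standard library only).

Records many distinct passwords and protects the record with one strong
master passphrase. Construction: PBKDF2-HMAC-SHA256 key derivation,
HMAC-SHA256 in counter mode as the keystream, and a separate HMAC-SHA256
tag checked before decryption. A real tool should use a vetted AEAD.
"""
import hashlib
import hmac
import json
import os
from collections import defaultdict

PBKDF2_ROUNDS = 200_000   # slows offline guessing of the master passphrase
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32              # HMAC-SHA256 output length
BLOCK = 32                # keystream bytes produced per counter value


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the passphrase into independent encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS, dklen=64
    )
    return material[:32], material[32:]


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher with HMAC-SHA256 as the PRF: keystream block i
    is HMAC(enc_key, nonce || i). XOR is symmetric, so this both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (offset // BLOCK).to_bytes(8, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_vault(passphrase: str, entries: dict[str, str]) -> bytes:
    """Serialise {system: password} and return salt || nonce || ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(passphrase: str, blob: bytes) -> dict[str, str]:
    """Verify the tag before decrypting. A wrong passphrase or any modification
    of the blob produces a tag mismatch and raises ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault blob too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or vault has been tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def reused_passwords(entries: dict[str, str]) -> dict[str, list[str]]:
    """Return {password: [systems]} for each password shared by more than one
    system, i.e. the reuse a no-writing-down policy tends to produce."""
    systems_by_password: dict[str, list[str]] = defaultdict(list)
    for system, password in sorted(entries.items()):
        systems_by_password[password].append(system)
    return {pw: systems for pw, systems in systems_by_password.items() if len(systems) > 1}


if __name__ == "__main__":
    # Constructed sample: three systems, two of which share a password.
    sample = {"mail": "correct horse battery", "vpn": "Tr0ub4dor&3", "wiki": "Tr0ub4dor&3"}
    master = "long master passphrase only I know"
    blob = seal_vault(master, sample)
    print("vault bytes:", len(blob))
    print("round trip ok:", open_vault(master, blob) == sample)
    print("reused:", reused_passwords(sample))
```

The design mirrors the government delegate's concern: everything now depends on the single master passphrase, so its strength (and the PBKDF2 work factor) is what the whole list rests on, and forgetting it means the file is unrecoverable by design.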


Talkback 3 comments

  1. Anonymous -- 23/05/05

     Real men use ssh public/private keys.

  2. Anonymous -- 23/05/05

     I think that he is spot on.

     One of the things that you learn as an SA is that people will write them down, no matter what you say.

     The better approach is to accept this and then educate on *how* to write them down.

     e.g. sticking it to your keyboard is a bad idea.

  3. Anonymous -- 23/05/05

     My suggestion is to forget about passwords and all the complexity, use a passphrase, write it down if needed as it will look like a shopping list or similar. Use caps etc. if need be... just an alternate suggestion unless 2-factor/biometrics is really an option for you.
