Posted on 05/24/2005 5:59:30 PM PDT by Panerai
Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
(Excerpt) Read more at news.zdnet.com ...
null and void wrote:
It's amazing how many places you can get into with:
Username=username
Password=password
LOL, I'll have to try it out. Never thought of trying it.
I guarantee you other FReepers could add some doozies. The mind boggles.
If you're like most people, you have more than a dozen passwords and user names to remember. Whether you're checking your e-mail for new messages, catching up on the news, posting to a Web discussion group, or playing games on the Web, you have to sign in all the time.
Have you ever sat there, staring at your screen, wondering which password you set?
Was it your dog's name?
Your birthday backwards?
Your best friend's nickname?
Wonder no more. Microsoft has developed a convenient solution for replacing all those passwords with something you don't have to worry about forgetting: your fingerprint. Integrated into some of Microsoft's latest keyboard and mouse products and also sold separately, the Microsoft® Fingerprint Reader lets you log on to your favorite Web sites without scrambling for passwords: just touch the fingerprint reader with a registered fingerprint whenever a password or user name is required, and you're in. Just like that.
Quick setup for easy sign in and Fast User Switching
Easy-to-use software makes replacing passwords with your fingerprint a snap. First, the Registration Wizard opens and helps you register your fingerprints. Then, when you visit a site that requires a password, just touch the Fingerprint Reader with any registered finger, enter your data, and then click OK. It's the last time you need to enter that information. Now, you can browse to the Web site, and then log in with a swipe of the finger or log in with a click of the mouse via Quick Links.
If you turn on Fast User Switching in Windows XP, you can use the Fingerprint Reader to switch between user accounts without actually logging off from the computer. With a touch of a finger, you can quickly switch between users without closing programs and files, and each user's personal content stays personal.
LOL
Thanks, I'd rather forget my passwords than trust Microsoft. :)
Some sort of biometric does add a nice layer, but it has its own limitations.
Doesn't work on a borrowed or shared computer that doesn't have that biometric system on it. Users still might need to access their webmail account from some internet cafe in Kandahar (laugh, but I have users with that issue...). Then you're back to ordinary passwords.
Absolutely true. We once had an IT come up with the brilliant plan to have a 14-digit password, alphanumeric, symbol, and case. On top of this, it changed every two weeks, and no four-digit sequence could be the same.
I thought this was the worst possible security, as no one could possibly remember their passwords without writing them down.
*cough* Not that I've ever done it, mind you....
That's just plain stupid.
It's sort of like a Worldcom accounting expert, a Democrat ethicist, an anorexic sumo wrestler.
Also, the most annoying problem was that it came with a soft case, and if it was turned on 3x without a valid challenge code, it lost its programming. I finally figured out that a cassette box worked great if the tabs were broken off.
One of the nice things about login scripting is that you can personalize it. I know of a manager who was greeted with "new password policy in effect - minimum 32 characters, upper, lower cases, numerals, and special characters required." His password expired every 10 days.
Don't pi$$ off your SysAdmin.
This guy doesn't work in an IT environment. I work on a half dozen systems, many of which force me to change my password on a monthly basis. Even user IDs are not consistent in the syntax on differing systems. Ergo, I keep my user IDs and P/Ws in my Palm Pilot.
Hah! Words to live by. :-)
And then the IT administrator at work times you out and asks you to establish a new password. Then when you go to three more accounts, they mix and match your time-outs. My guess is that if you're just a web-surfer your solution might work. In the business environment, the IT guys have their own rules and instructions. I was an IT Administrator for IBM on a project. I kept it simple, but still had to abide by IBM's security regs.
Alas, even biometrics are not foolproof if the bad guys are determined to break in. I recall hearing of a case in which a criminal gang wanted to steal a man's car, which was protected by a fingerprint reader. Their solution was to cut off the man's fingers to use them on the fingerprint reader. Crude but effective.
Protect Your Password
Passwords are a first defense in guarding your information and computer from malicious attack. Use a good password.
Good Password
Lz14#09pW
Bad Password
gonewiththewind
It will take only a couple of minutes for a password "cracking" program to obtain the bad password. To crack the good password will take days, even months.
DON'T use your login name in any form (as-is, reversed, capitalized, doubled, etc.).
DON'T use your first, middle, or last name in any form. DON'T use your spouse's or child's name.
DON'T use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the make of your automobile, the name of the street you live on, etc.
DON'T use a password with all numbers or using only letters.
DON'T use a word contained in English or foreign language dictionaries.
DON'T use a password shorter than six characters. These are easy to crack.
DO use a password with upper and lower case letters.
Never give out a password or any sensitive information to an unsolicited telephone call or e-mail.
More at this address:
http://gogov.com/Netcessities.htm
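The rules quoted above can be turned into a checker, and the "good password" / "bad password" comparison can be made concrete. The following is an added example written for this page; it is not code from gogov.com or from any poster here. It goes a little beyond the quoted list: it reports every rule a candidate breaks rather than stopping at the first, it estimates the brute-force search space from the character classes used, and it shows why that raw number is misleading for a dictionary phrase. The SAMPLE_DICTIONARY, the login name `jsmith`, and the guess rate of one billion per second are assumptions made up for the example; a real check would load a cracking wordlist.

```python
import math
import string

# Constructed stand-in for a cracking wordlist (assumption for this example).
# Kept as a sorted tuple so the first matching word is deterministic.
SAMPLE_DICTIONARY = ("gone", "password", "secret", "summer",
                     "the", "welcome", "wind", "with")


def name_variants(name):
    """The 'any form' variants the guide lists: as-is, reversed, doubled.
    Comparison is done case-insensitively, which covers 'capitalized'."""
    n = name.lower()
    return [n, n[::-1], n * 2]


def check_password(password, login="", personal=()):
    """Return the list of guide rules the password violates (empty = passes).

    login:    the account's login name (rule: no login name in any form)
    personal: strings easily learned about the user (names, plate, phone,
              SSN, street, car make ...) supplied by the caller
    """
    problems = []
    lowered = password.lower()

    if login:
        for variant in name_variants(login):
            if variant and variant in lowered:
                problems.append(f"contains login name variant {variant!r}")
                break

    for item in personal:
        item_l = str(item).lower()
        if item_l and item_l in lowered:
            problems.append(f"contains personal data {item!r}")

    if password.isdigit():
        problems.append("all numbers")
    elif password.isalpha():
        problems.append("only letters")

    # Dictionary words of four letters or more, embedded anywhere in the password.
    for word in SAMPLE_DICTIONARY:
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word {word!r}")
            break

    if len(password) < 6:
        problems.append("shorter than six characters")

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        problems.append("needs both upper and lower case letters")

    return problems


def search_space_bits(password):
    """log2 of the brute-force search space implied by the character classes
    used and the length. This is an upper bound on attacker effort: a password
    built from dictionary words is found long before the space is exhausted."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time for a brute-force attacker at the given guess rate."""
    return 2 ** search_space_bits(password) / guesses_per_second


if __name__ == "__main__":
    for candidate in ("Lz14#09pW", "gonewiththewind"):
        print(candidate, check_password(candidate, login="jsmith") or "passes",
              f"{search_space_bits(candidate):.1f} bits",
              f"{seconds_to_exhaust(candidate, 1e9) / 86400:.0f} days at 1e9 guesses/s")
```

Running it shows the point the guide's crack-time claim glosses over: by raw search space `gonewiththewind` (about 70 bits, letters only but 15 long) is larger than `Lz14#09pW` (about 59 bits), yet the checker rejects the former on three rules, the decisive one being the embedded dictionary word, which is exactly why a wordlist attack recovers it in minutes while the mixed-class string really does require the brute-force search.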
Microsoft has developed... biometric fingerprint scanning? Unfreakin' believable. How about, "recognizing a good thing when it sees it, Microsoft is aping what other vendors are already doing and pretending it's an innovation!"