Microsoft security guru: Jot down your passwords

ZDNet News ^ | May 23, 2005 | Munir Kotadia

[NY.SS-Bar9]

°±²³´µ¶

[cryptical]

Don't pi$$ off your SysAdmin.

Just today I suggested to a developer that's implementing a bad password lockout for an enterprise application that he keep a list of all the people who think it's a good idea. I have a small script that their userids need to be hard coded into... 8)

[Constitutionalist Conservative]

Better yet, I keep mine on my personal web page so I can look them up easily if I am somewhere without the piece of paper they were written down on.

Any idea if Google has found your web page?

[perfect stranger]

One IT administrator...who asked not to be named said that his company has a strict policy against allowing employees to write down passwords.

Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords "Rules are for others to follow, not me."

[Hank Rearden]

Frankly, I don't work with anything secure and don't care if someone has access.

So, may I borrow your FreeRepublic password? There's this thing I want to try out . . . . . .

[MarkL]

Actually, it's rather easy to come up with an effective and relatively secure password policy, as long as you're willing to give the users hints on what they should do.

Examples that I used to give my network admin class students included the following:

Everyone remembers the address or phone number of the house where they grew up. Use it as part of your password.

Use the name of the first pet you can remember, but never use a current pet's name.

What was the first car your bought? Year and model.

Use the "Purloined Letter" ploy. Choose an object in your office, outside of your direct sight line while sitting at your computer. Use a combination of any of the following: Numeric description, color, name of the object... For instance, there was a piece of artwork created by a secretary's child on her desk. Her password was "Purple6Star"

Switch letters and numbers, and mix in caps... for instance, the word "carbon" could become "Carb0N" or "bulldogs" becomes "Bu11d0gS" ("ells" to "ones")

Add punctuation, if the password will allow it.

Mark

[talosiv]

'Microsoft' and 'security' is an oxymoron.

-R

[Ramius]

'Microsoft' and 'security' is an oxymoron.

Easy to say, yet not exactly true.

Of all my security risks, the Mac users are probably the worst. Nobody sits with their pants down like those that mistakenly think that they are invulnerable.

[FairOpinion]

Translation: "¥?å, he might have a point."

[the anti-liberal]

It took a guru to come up with this???

[glorgau]

Actually, I write my PINs on my bank cards in binary with a multiple bit shift offset. It helps keep me fresh for reading hex dumps ;-)

[AndrewC]

Is your password safe?

[AndrewC]

Any idea if Google has found your web page?

Yeah. It is here.

http://www.mrs.umn.edu/~sungurea/introstat/public/instruction/ranbox/randomnumbersII.html

TABLE OF RANDOM NUMBERS

_{39634 62349 74088 65564 16379 19713 39153 69459 17986 24537}

_{14595 35050 40469 27478 44526 67331 93365 54526 22356 93208}

_{30734 71571 83722 79712 25775 65178 07763 82928 31131 30196}

_{64628 89126 91254 24090 25752 03091 39411 73146 06089 15630}

_{42831 95113 43511 42082 15140 34733 68076 18292 69486 80468}

_{80583 70361 41047 26792 78466 03395 17635 09697 82447 31405}

_{00209 90404 99457 72570 42194 49043 24330 14939 09865 45906}

_{05409 20830 01911 60767 55248 79253 12317 84120 77772 50103}

_{95836 22530 91785 80210 34361 52228 33869 94332 83868 61672}

_{65358 70469 87149 89509 72176 18103 55169 79954 72002 20582}

_{72249 04037 36192 40221 14918 53437 60571 40995 55006 10694}

_{41692 40581 93050 48734 34652 41577 04631 49184 39295 81776}

_{61885 50796 96822 82002 07973 52925 75467 86013 98072 91942}

_{48917 48129 48624 48248 91465 54898 61220 18721 67387 66575}

_{88378 84299 12193 03785 49314 39761 99132 28775 45276 91816}

_{77800 25734 09801 92087 02955 12872 89848 48579 06028 13827}

_{24028 03405 01178 06316 81916 40170 53665 87202 88638 47121}

_{86558 84750 43994 01760 96205 27937 45416 71964 52261 30781}

_{78545 49201 05329 14182 10971 90472 44682 39304 19819 55799}

_{14969 64623 82780 35686 30941 14622 04126 25498 95452 63937}

_{58697 31973 06303 94202 62287 56164 79157 98375 24558 99241}

_{38449 46438 91579 01907 72146 05764 22400 94490 49833 09258}

_{62134 87244 73348 80114 78490 64735 31010 66975 28652 36166}

_{72749 13347 65030 26128 49067 27904 49953 74674 94617 13317}

_{81638 36566 42709 33717 59943 12027 46547 61303 46699 76243}

_{46574 79670 10342 89543 75030 23428 29541 32501 89422 87474}

_{11873 57196 32209 67663 07990 12288 59245 83638 23642 61715}

_{13862 72778 09949 23096 01791 19472 14634 31690 36602 62943}

_{08312 27886 82321 28666 72998 22514 51054 22940 31842 54245}

_{11071 44430 94664 91294 35163 05494 32882 23904 41340 61185}

_{82509 11842 86963 50307 07510 32545 90717 46856 86079 13769}

_{07426 67341 80314 58910 93948 85738 69444 09370 58194 28207}

_{57696 25592 91221 95386 15857 84645 89659 80535 93233 82798}

_{08074 89810 48521 90740 02687 83117 74920 25954 99629 78978}

_{20128 53721 01518 40699 20849 04710 38989 91322 56057 58573}

_{00190 27157 83208 79446 92987 61357 38752 55424 94518 45205}

_{23798 55425 32454 34611 39605 39981 74691 40836 30812 38563}

_{85306 57995 68222 39055 43890 36956 84861 63624 04961 55439}

_{99719 36036 74274 53901 34643 06157 89500 57514 93977 42403}

_{95970 81452 48873 00784 58347 40269 11880 43395 28249 38743}

_{56651 91460 92462 98566 72062 18556 55052 47614 80044 60015}

_{71499 80220 35750 67337 47556 55272 55249 79100 34014 17037}

_{66660 78443 47545 70736 65419 77489 70831 73237 14970 23129}

_{35483 84563 79956 88618 54619 24853 59783 47537 88822 47227}

_{09262 25041 57862 19203 86103 02800 23198 70639 43757 52064}

---

[Rightwing Conspiratr1]

Some sort of biometric does add a nice layer, but it has its own limitations.

It wouldn't be bad if it checked my sugar at the same time. I have one of those one touch diabetic testing units that has a usb plug to auto upload the test results into my computer diary. ;-)

[muggs]

My favorite password story: The Hamilton County Justice Center (jail) legal law library had the login name and password written on sticky notes and stuck on the monitors. These were the computers used by inmates to do legal research. This was told to me by a guy that would use the library. He was there while waiting to be sentenced on computer hacking charges.

[Larry Lucido]

Ha ha, you said a!

[adam_az]

"Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru."


GURU? LOL.

When you use Active Directory and other Single Sign-On solutions without doing 2-factor authentication (something you have like a token or biometric, something you know like a password) you do just what the MS Security Guru says you shouldn't - you're using the same password to every system in the domain.

[Proud_texan]

I might be missing something but how about a password manager that encrypts the local password file? Assign one finger breaking password to access it and from there the password manager will handle anything as screwy and obtuse as you can think up.

That's what I do anyway, is there a flaw in this method?

[DaGman]

I'm the system administrator and my password is god!