Posted on 05/24/2005 5:59:30 PM PDT by Panerai
Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
(Excerpt) Read more at news.zdnet.com ...
Just today I suggested to a developer that's implementing a bad password lockout for an enterprise application that he keep a list of all the people who think it's a good idea. I have a small script that their userids need to be hard coded into... 8)
Any idea if Google has found your web page?
Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords. "Rules are for others to follow, not me."
So, may I borrow your FreeRepublic password? There's this thing I want to try out . . . . . .
Actually, it's rather easy to come up with an effective and relatively secure password policy, as long as you're willing to give the users hints on what they should do.
Examples that I used to give my network admin class students included the following:
Everyone remembers the address or phone number of the house where they grew up. Use it as part of your password.
Use the name of the first pet you can remember, but never use a current pet's name.
What was the first car you bought? Year and model.
Use the "Purloined Letter" ploy. Choose an object in your office, outside of your direct sight line while sitting at your computer. Use a combination of any of the following: Numeric description, color, name of the object... For instance, there was a piece of artwork created by a secretary's child on her desk. Her password was "Purple6Star"
Switch letters and numbers, and mix in caps... for instance, the word "carbon" could become "Carb0N" or "bulldogs" becomes "Bu11d0gS" ("ells" to "ones")
Add punctuation, if the password will allow it.
Mark
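One defensive way to turn hints like the ones above into an enforceable policy, as an added example that is not from this post or any product: a checker that reverses the "ells to ones" style substitutions and rejects candidates that reduce to a dictionary word (so "Carb0N" and "Bu11d0gS" fail, while a longer passphrase that merely contains a word passes). The word list and substitution table are constructed assumptions, not a real dictionary.

```python
import re

# Constructed word list for the example; a real policy would load a large dictionary.
DICTIONARY = {"carbon", "bulldogs", "purple", "star", "password", "welcome"}

# Reverse map for the substitutions described in the post ("ells" to "ones", o to 0).
# Assumption: an editor-chosen table; "1" is mapped back to "l" as the post describes.
UNLEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}


def normalize(password: str) -> str:
    """Undo common digit/symbol substitutions and lowercase the result."""
    return "".join(UNLEET.get(ch, ch) for ch in password).lower()


def dictionary_words(candidate: str, min_len: int = 4):
    """Return dictionary words (at least min_len letters) found inside the normalized candidate."""
    return sorted(w for w in DICTIONARY if len(w) >= min_len and w in candidate)


def check_password(password: str, min_len: int = 12):
    """Return (accepted, reasons).

    Rejects candidates that are too short, and candidates whose normalized form is
    essentially one or two dictionary words glued to digits or punctuation.
    """
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    norm = normalize(password)
    words = dictionary_words(norm)
    # Strip the matched words and count what letters remain; if almost nothing
    # is left, the password is just a decorated dictionary word.
    residue = norm
    for w in words:
        residue = residue.replace(w, "")
    residue = re.sub(r"[^a-z]", "", residue)
    if words and len(residue) < 4:
        reasons.append("built from dictionary word(s): " + ", ".join(words))
    return (not reasons, reasons)
```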
'Microsoft' and 'security' is an oxymoron.
-R
Easy to say, yet not exactly true.
Of all my security risks, the Mac users are probably the worst. Nobody sits with their pants down like those that mistakenly think that they are invulnerable.
Translation: "Yeah, he might have a point."
It took a guru to come up with this???
Actually, I write my PINs on my bank cards in binary with a multiple bit shift offset. It helps keep me fresh for reading hex dumps ;-)
Yeah. It is here.
http://www.mrs.umn.edu/~sungurea/introstat/public/instruction/ranbox/randomnumbersII.html
It wouldn't be bad if it checked my sugar at the same time. I have one of those one touch diabetic testing units that has a usb plug to auto upload the test results into my computer diary. ;-)
My favorite password story: The Hamilton County Justice Center (jail) legal law library had the login name and password written on sticky notes and stuck on the monitors. These were the computers used by inmates to do legal research. This was told to me by a guy that would use the library. He was there while waiting to be sentenced on computer hacking charges.
"Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru."
GURU? LOL.
When you use Active Directory and other Single Sign-On solutions without doing 2-factor authentication (something you have like a token or biometric, something you know like a password) you do just what the MS Security Guru says you shouldn't - you're using the same password to every system in the domain.
That's what I do anyway, is there a flaw in this method?
I'm the system administrator and my password is god!