Posted on 05/24/2005 5:59:30 PM PDT by Panerai
Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
(Excerpt) Read more at news.zdnet.com ...
More or less true...
"Too many passwords" weakens their effectiveness when dealing with people.
Better yet, I keep mine on my personal web page so I can look them up easily if I am somewhere without the piece of paper they were written down on.
he's got a point.
I work for Ford Motor Co. and my password is "dead1"
I work for Arby's and my password is "meat-u"
I work for Hoover and my password is "suck"
I work for Dometic and my password is "blow"
I work for peanuts and my password is "elephant."
I work for nuts and my password is "donkey"
I work for the IRS and my password is "cheatem"
I work for H&R Block and my password is "beatem"
I work for the Chicago White Sox and my password is "batman"
I work for the Chicago Cubs and my password is "Bartman"
I work for the city and my password is "dump"
I work for the state and my password is "the_gov"
I work for my wife and I don't have a computer.
Yes, he might.
Well, I'm IT management. :-) And I'd agree that he's got a point.
I've got a policy that says just that: Don't ever write your password down. I've taken the other tack though, in that I don't force overly complex passwords... because that just forces people to write them down.
It's always a balance though. Doing what this guy says also means that if you want to target a company, just get a job as a janitor there and start checking under keyboards for sticky notes. Eventually, you'll hit paydirt. True enough, that's probably a risk at my company too... so there's really no way to win.
Security is mostly geared to keeping the amateurs out, anyway. A professional will get in, get what he wants, and get out without anyone knowing he was there.
I'll share my favorite password story.
I forgot one of the passwords on a network I use infrequently. I called the help desk, told them I'd forgotten my password and they reset the password. The help desk girl told me to go ahead and use the default password they provided and then she told me I'd have to change the password on my first log-in. She then told me to be sure and not use my old password. I asked if she meant the one I'd forgotten and she, without pause, told me not to use that one. I assured her that I would not.
I don't have a point
Banning writing of passwords is the liberal mentality that says because it is banned, it is so. Hardly. Employees constantly write down their passwords.
We use Lotus Notes at work. I have a folder marked "PASSWORDS"
Frankly, I don't work with anything secure and don't care if someone has access.
What you do is keep them in an encrypted Excel spreadsheet and pick a password for the spreadsheet encryption that you know you will remember.
Man, I just want ONE SINGLE password to have to remember instead of different passwords for e-mail accounts, computer logons, ATMs, and all the other digital crap I use! I know...I know...I'm dreaming.
LOL original, or extra crispy
Poor guy, your brain will explode, or your world will come to an abrupt stop soon.
I cheat on my passwords, and try to keep it balanced. It's even worse when they keep expiring the current password.
It's amazing how many places you can get into with:
Username=username
Password=password
Well... presumably that spreadsheet is already protected behind at least one or two layers of security, whether it is on your computer or on a network share.
This is about having them *with you* on a physical piece of paper.
One approach I saw somebody use that was pretty good was to make up a paper list of passwords, but if you were to look at it, it just looks like a list of names, companies, titles and phone numbers. Utterly useless info to someone that might steal your wallet or briefcase.
But the list was really a list of passwords where the algorithm of combinations of digits was the only thing the user had to remember. Not bad.