[IP] MS Security says to write down your passwords?!?!
Begin forwarded message:
From: Richard Forno <rforno@xxxxxxxxxxxxxxx>
Date: May 23, 2005 2:28:29 PM EDT
To: Blaster <rforno@xxxxxxxxxxxxxxx>
Cc: Dave Farber <dave@xxxxxxxxxx>
Subject: MS Security says to write down your passwords?!?!
Microsoft security guru: Jot down your passwords
By Munir Kotadia
http://news.com.com/Microsoft+security+guru+Jot+down+your+passwords/2100-7355_3-5716590.html
Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
Delegates at the conference agreed that Johansson's advice made sense.
However, some said they did not think it was practical.
One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.
A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.
The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.
"I know of a government minister that has done that," the delegate said.
Copyright ©1995-2005 CNET Networks, Inc. All rights reserved.