Comments on: Microsoft security guru: Jot down your passwords
Jesper Johansson says the security industry has been giving out the wrong advice on passwords for 20 years.
December 2, 2009 8:32 AM PST
December 2, 2009 8:29 AM PST
I wonder if someday it may be possible to do that?
Your entire argument revolves on the premise that you know with certainty the instant that the password slip of paper is lost. We all know that isn't possible.
Now. Your wallet is stolen. Not only do they have the cards, ID, and cash, they actually have the passwords, PINs, and codes required to use them.
A password is a secret and you keep a secret a secret by not telling anyone or writing it down. Would you write secrets down to keep them more secure? This whole thing shows how the "new generation" of security "experts" should all be lined up against a wall and kicked soundly in the babymakers.
Welcome to a world where Microsoft gets to tell people how to make things secure. It's like a burglar recommending you keep your keys under the mat to avoid broken Windows(tm)...
http://www.trustedcomputinggroup.org
I'm using Sticky Password (http://www.stickypassword.com) because it not only remembers passwords, it also automatically fills them into any programs and web sites.
MS(tm) brand Security. It's just like security except it doesn't protect you. Hostile Java applets? EXECUTE EM! Printer mappings inside of IIS? Toss a ton of unchecked buffers in there and enable them by default.
Yes. Microsoft has caused more financial loss than every hacker in the world combined through their shoddy coding, and even shoddier business practices. This time they are serious about security, folks, trust them; they release more patches than anyone, so it has to be secure, right?
And now, the largest software company in the world, which controls every desktop OS in the world and could easily solve all the password problems by investing 10 seconds of Bill Gates's earnings into a decent single sign-on password manager for the base OS, has, instead of solving a problem they created...
Is recommending you write your passwords down, on paper, and carry them with you... so when you lose them, and the hackers eat your babies for breakfast, MS can say "Improper password management, not an inherent weakness in our product"
Great. I think I'll listen to the security experts, not a marketing tool when it comes to password policies.
The average user does not have a large number of passwords to remember, so some of his comments are a little off the mark. The most troubling, though, is that the "security guru" fails to recognise that the issue is not writing down passwords, or draconian policies, but is, in fact, user education.
Passwords will always be a balancing act between security and convenience. Secure passwords are typically impossible to remember and convenient ones tend to be weak, but they don't have to be. This is where education comes into play: there are simple techniques that anyone can use to create a reasonably secure password that's easy to remember without the need to write it down. One such technique is to use a favorite line from a song, play, movie, or book and then use the first letter of each word. You can then make it more secure by suggesting that the user replace some of the letters with numbers that are a similar shape. Normally this would not be an effective way of making the password more secure, but that only applies when the number replaces a letter in a dictionary word. Those are easy to defeat. We don't have a dictionary word here, so the substitution is not obvious and does, indeed, add security.
Here is an example; we will use one of the marketing slogans from Microsoft themselves:
We start with this phrase:
"Where do you want to go today?"
...and we get "wdywtgt"
This in itself is more secure than the password a user might normally choose, but we can make it better.
We can "replace" the t from "today" with "2d" and let's put the question mark in there. Now we have:
"wdywtg2d?"
I will agree that for system, network, and security administrators that *DO* have a large number of passwords, the use of an encrypted file that contains system passwords locked with one strong password is the best way to go.
This is all just user education. Any security expert (let alone guru) should know that education is always paramount. It's unfortunate that Microsoft's guru doesn't seem to comprehend this. Maybe he needs some education himself.
It is the most critical piece in a system to answer several of the most important distressing socioeconomic problems in the public consciousness. When you think about how much sense it makes logically and technologically, it is the inescapable solution.
Then, this MS guy comes along and makes this statement, sowing confusion, causing people to start writing down all these things, mismanaging them, losing them, etc. You will see huge breaches based on found logins.
Just add that to the current security abyss we are falling into, which his plan hopes to stem. Then, along comes salvation:
That beautiful, simple, serene, passive, no-thinking method of biometric, 1- or 2-factor auth. Ohhhh, we masses will loooove it.
It's fascinating to watch us go down that road as the public sleeps. Sometimes we proceed slowly, sometimes in great lurches. But, vectoring intractably down it, nonetheless.
Someone ought to publish the milestones passed and anticipated along this journey, so we can see the big picture.
I make no judgement here about this --- just observing. Feel free to save this post and look at it in 5 yrs.
seer
Anyone that studies measure vs. countermeasure can tell you, no one can predict the future. Take car keys for example. They weren't very secure and people's cars were stolen. Now we have car ignitions that can't be hotwired and the upswing was NOT more security, it was CARJACKING. So you get this fancy ignition system and your car is safe when you are not in it; you are not safe when you are. Progress? No.
Back to your wistful future, does a mugger just take your cash? No, he cuts off your fingers too. Biometrics have issues deeper than technology can solve.
But my real point was measure vs. countermeasure. If fingerprint scanners become necessary, then there will be an enormous number of people who have their fingers routinely cut off.
You think identity theft is bad now? Wait until you have a nation of fingerless victims who can't open tin cans, file police reports, drive etc.
There really are hard and fast security rules for a reason. Microsoft might think password management isn't important, but they also don't think any security at all is important.
Do you want your fingers cut off? Don't write your passwords down!
For all who wonder why Microsoft ranks last in security, this security 'guru' is a prime example why.
For user authentication, passwords are generally a poor test. I would prefer a random series of Q & A from a list specified by the user. Jesper Johansson is probably right to advise most people to write them down on a piece of paper.
Specialists and gadget freaks may feel a technical solution is better but I think any password store that is online may be copied / compromised - a cracker has to be on location to do that with paper.
Thanks to Jesper for opening the discussion and revealing how many of us seem incapable of reasoned discussion.
BTW, on the subject of tokens, I discovered our help desk advising users to put whiteout (snowpaque) on the back of their tokens so they could write their PIN there.
Crazy? Passwords are No 1 security risk.
by evorg the elder May 27, 2005 1:35 AM PDT
My beef is the routine expiry of passwords. This aggravates password issues and is only justified if your passwords start off without any integrity. Changing individual passwords when their compromise is suspected is more useful.