Microsoft security guru: Jot down your passwords

Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.

The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.

Munir Kotadia of ZDNet Australia reported from Sydney.

[dlmtechnology]

Microsoft Guru huh?

Are sales of the Microsoft Fingerprint Reader down? :-)<br /><br />Jot down your passwords, or by the fingerprint reader.<br /><br />But then again then we gotta worry about folks going 007 on us <br />and lifting the prints off the keyboards or our drink glasses or <br />whatever.

[1btb]

Can't wait

Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...

[gAmEpLaYa]

Use cryptainer

I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!

[dlmtechnology]

Microsoft Guru huh?

Are sales of the Microsoft Fingerprint Reader down? :-)<br /><br />Jot down your passwords, or by the fingerprint reader.<br /><br />But then again then we gotta worry about folks going 007 on us <br />and lifting the prints off the keyboards or our drink glasses or <br />whatever.

[1btb]

Can't wait

Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...

[gAmEpLaYa]

Use cryptainer

I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!

Don't just write them down

So, I always wrote down my userid &#38; password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.<br /><br />So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable &#38; more memorable.

And another thing

Norton/Symantec Password manager doesn't work with Opera.<br /><br />What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills &#38; another on my theoretical J2EE &#38; limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account &#38; onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(

Don't just write them down

So, I always wrote down my userid &#38; password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.<br /><br />So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable &#38; more memorable.

And another thing

Norton/Symantec Password manager doesn't work with Opera.<br /><br />What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills &#38; another on my theoretical J2EE &#38; limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account &#38; onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(

Don't write them down, Use Keychain

I have a keychain file that I can even carry with me on a USB flash <br />drive and use on other machines. I have one master password <br />that will open the keychain and make passwords with as many <br />characters as allowed for each site, service, etc. That way I only <br />have to remember one very good password and can have the <br />strongest possible passwords that are secure from anyone <br />without my master password. My master password is not used <br />for anything except to unlock my keychain. Websites, shared <br />resources, etc. are all opened automatically as long as my <br />keychain is open. All my user names and passwords are <br />something like J8%6HEF&#38;)L:R.]FTNWO0@CFRAbgie(hhvo;" and <br />there is no way to remember them or break them if they have 32 <br />characters for the user name and another 32 for the password. <br />What do I care what they are, they are randomly generated by <br />the keychain. I never even see the names and passwords since <br />keychain takes care of all of it for me.<br /><br />Pretty funny that the guy from Microsoft thinks you should write <br />it down on a piece of paper for anyone to read. How tech savvy! <br />No wonder Windows is full of holes.

Uh Oh

Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks &#38; will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued &#38; company-inventory tagged PC.

Don't write them down, Use Keychain

I have a keychain file that I can even carry with me on a USB flash <br />drive and use on other machines. I have one master password <br />that will open the keychain and make passwords with as many <br />characters as allowed for each site, service, etc. That way I only <br />have to remember one very good password and can have the <br />strongest possible passwords that are secure from anyone <br />without my master password. My master password is not used <br />for anything except to unlock my keychain. Websites, shared <br />resources, etc. are all opened automatically as long as my <br />keychain is open. All my user names and passwords are <br />something like J8%6HEF&#38;)L:R.]FTNWO0@CFRAbgie(hhvo;" and <br />there is no way to remember them or break them if they have 32 <br />characters for the user name and another 32 for the password. <br />What do I care what they are, they are randomly generated by <br />the keychain. I never even see the names and passwords since <br />keychain takes care of all of it for me.<br /><br />Pretty funny that the guy from Microsoft thinks you should write <br />it down on a piece of paper for anyone to read. How tech savvy! <br />No wonder Windows is full of holes.

Uh Oh

Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks &#38; will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued &#38; company-inventory tagged PC.

Wonderful....

So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!<br /><br />Perhaps I should have been a dentist.

Wonderful....

So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!<br /><br />Perhaps I should have been a dentist.

Pin numbers

I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed. <br /><br />Only my best friend of 53 years MIGHT be able to figure some of them out.

[1btb]

I agree.

I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...

[cbihler]

Public and private keys

I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.

Pin numbers

I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed. <br /><br />Only my best friend of 53 years MIGHT be able to figure some of them out.

[1btb]

I agree.

I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...

[cbihler]

Public and private keys

I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.

Some thoughts

It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters.<br />Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.<br />Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.<br /><br />I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.

Some thoughts

It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters.<br />Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.<br />Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.<br /><br />I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.

[wbenton]

What a DIP {Filtered word}!!!

I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.<br /><br />And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.<br /><br />But it's that last part of the kicker that really gets to me:<br /><br />&gt;&gt;&gt;That allows us to remember more passwords and better passwords.&lt;&lt;&lt;<br /><br />That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.<br /><br />Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)<br /><br />Walt

[wbenton]

What a DIP {Filtered word}!!!

I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.<br /><br />And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.<br /><br />But it's that last part of the kicker that really gets to me:<br /><br />&gt;&gt;&gt;That allows us to remember more passwords and better passwords.&lt;&lt;&lt;<br /><br />That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.<br /><br />Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)<br /><br />Walt

Jot your passwords

First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?

Jot your passwords

First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?

[montgomeryburns]

Fire Molly Wood

Fire Molly Wood.

[montgomeryburns]

Fire Molly Wood

Fire Molly Wood.

[rmcghie]

Microsoft Security Guru has Wrong Solution

Write down your password, huh? You would think a high-tech guru would suggest something more neoteric, such as an electronic safeword safe.

[rmcghie]

Microsoft Security Guru has Wrong Solution

Write down your password, huh? You would think a high-tech guru would suggest something more neoteric, such as an electronic safeword safe.