Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.
"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.
One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.
A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.
The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.
"I know of a government minister that has done that," the delegate said.
Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...
I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!
Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...
I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!
So, I always wrote down my userid & password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.
So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
Norton/Symantec Password manager doesn't work with Opera.
What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
So, I always wrote down my userid & password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.
So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
Norton/Symantec Password manager doesn't work with Opera.
What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
I have a keychain file that I can even carry with me on a USB flash drive and use on other machines. I have one master password that will open the keychain and make passwords with as many characters as allowed for each site, service, etc. That way I only have to remember one very good password and can have the strongest possible passwords that are secure from anyone without my master password. My master password is not used for anything except to unlock my keychain. Websites, shared resources, etc. are all opened automatically as long as my keychain is open. All my user names and passwords are something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and there is no way to remember them or break them if they have 32 characters for the user name and another 32 for the password. What do I care what they are, they are randomly generated by the keychain. I never even see the names and passwords since keychain takes care of all of it for me.
Pretty funny that the guy from Microsoft thinks you should write it down on a piece of paper for anyone to read. How tech savvy! No wonder Windows is full of holes.
Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks & will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued & company-inventory tagged PC.
I have a keychain file that I can even carry with me on a USB flash drive and use on other machines. I have one master password that will open the keychain and make passwords with as many characters as allowed for each site, service, etc. That way I only have to remember one very good password and can have the strongest possible passwords that are secure from anyone without my master password. My master password is not used for anything except to unlock my keychain. Websites, shared resources, etc. are all opened automatically as long as my keychain is open. All my user names and passwords are something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and there is no way to remember them or break them if they have 32 characters for the user name and another 32 for the password. What do I care what they are, they are randomly generated by the keychain. I never even see the names and passwords since keychain takes care of all of it for me.
Pretty funny that the guy from Microsoft thinks you should write it down on a piece of paper for anyone to read. How tech savvy! No wonder Windows is full of holes.
Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks & will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued & company-inventory tagged PC.
So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!
So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!
I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed.
Only my best friend of 53 years MIGHT be able to figure some of them out.
I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...
I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.
I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed.
Only my best friend of 53 years MIGHT be able to figure some of them out.
I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...
I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.
It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters. Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords. Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.
I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters. Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords. Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.
I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.
And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.
But it's that last part of the kicker that really gets to me:
>>>That allows us to remember more passwords and better passwords.<<<
That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.
Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)
I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.
And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.
But it's that last part of the kicker that really gets to me:
>>>That allows us to remember more passwords and better passwords.<<<
That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.
Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)
First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?
First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?
The application is freeware from Cygnus Productions. I was sceptical at first (paranoid really) so I installed an active port monitor and ZoneAlarm to see if the app say started up and transferred all of your passowrds all over the internet. Well, it didn't and I've been using it ever since. You can export passwords using 128 bit encryption (you can export in plaintext as well but can't thereafter import again) and then import onto another system etc. It has work well for me and was recommended by cnet.
The application is freeware from Cygnus Productions. I was sceptical at first (paranoid really) so I installed an active port monitor and ZoneAlarm to see if the app say started up and transferred all of your passowrds all over the internet. Well, it didn't and I've been using it ever since. You can export passwords using 128 bit encryption (you can export in plaintext as well but can't thereafter import again) and then import onto another system etc. It has work well for me and was recommended by cnet.
MIT creates a simulation to celebrate the 50th anniversary of Spacewar. A relic of the early days of minicomputers, it was one of the first computer video games and set the stage for many others, including Asteroids.
AstrologyDating.com is a new site that tries to find you your perfect love on the basis of birth date, birth time, and birthplace. But will it tell you the truth? Well, it asks you to pay only per match. So I tried it.
The Web fulminates when it is revealed that executives from VEVO--vehement music industry antipirates--played a pirated stream of an NFL playoff game at a party. VEVO claims it left its Wi-Fi unsupervised. Have we heard that argument before?
Tor's "obfsproxy" technology would make encrypted data look innocuous and let it dodge government censors. That could help citizens in Iran reach blocked sites as antigovernment protests reportedly loom.
iPhones and Angry Birds aside, the arcade endures. Crave pays a visit--and offers up an homage to games and gamers of years past and a tribute to the possibly endangered, but not yet dead, atmosphere of the arcade itself.
Jot down your passwords, or by the fingerprint reader.
But then again then we gotta worry about folks going 007 on us
and lifting the prints off the keyboards or our drink glasses or
whatever.
Jot down your passwords, or by the fingerprint reader.
But then again then we gotta worry about folks going 007 on us
and lifting the prints off the keyboards or our drink glasses or
whatever.
So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
drive and use on other machines. I have one master password
that will open the keychain and make passwords with as many
characters as allowed for each site, service, etc. That way I only
have to remember one very good password and can have the
strongest possible passwords that are secure from anyone
without my master password. My master password is not used
for anything except to unlock my keychain. Websites, shared
resources, etc. are all opened automatically as long as my
keychain is open. All my user names and passwords are
something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and
there is no way to remember them or break them if they have 32
characters for the user name and another 32 for the password.
What do I care what they are, they are randomly generated by
the keychain. I never even see the names and passwords since
keychain takes care of all of it for me.
Pretty funny that the guy from Microsoft thinks you should write
it down on a piece of paper for anyone to read. How tech savvy!
No wonder Windows is full of holes.
drive and use on other machines. I have one master password
that will open the keychain and make passwords with as many
characters as allowed for each site, service, etc. That way I only
have to remember one very good password and can have the
strongest possible passwords that are secure from anyone
without my master password. My master password is not used
for anything except to unlock my keychain. Websites, shared
resources, etc. are all opened automatically as long as my
keychain is open. All my user names and passwords are
something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and
there is no way to remember them or break them if they have 32
characters for the user name and another 32 for the password.
What do I care what they are, they are randomly generated by
the keychain. I never even see the names and passwords since
keychain takes care of all of it for me.
Pretty funny that the guy from Microsoft thinks you should write
it down on a piece of paper for anyone to read. How tech savvy!
No wonder Windows is full of holes.
Perhaps I should have been a dentist.
Perhaps I should have been a dentist.
Only my best friend of 53 years MIGHT be able to figure some of them out.
Only my best friend of 53 years MIGHT be able to figure some of them out.
Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.
Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.
I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.
Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.
I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.
But it's that last part of the kicker that really gets to me:
>>>That allows us to remember more passwords and better passwords.<<<
That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.
Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)
Walt
And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.
But it's that last part of the kicker that really gets to me:
>>>That allows us to remember more passwords and better passwords.<<<
That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.
Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)
Walt
I wonder if someday it may possible to do that?