May 23, 2005 8:27 AM PDT

Microsoft security guru: Jot down your passwords

Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.

The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.

Munir Kotadia of ZDNet Australia reported from Sydney.

80 comments

Join the conversation!
Add your comment
Microsoft Guru huh?
Are sales of the Microsoft Fingerprint Reader down? :-)

Jot down your passwords, or by the fingerprint reader.

But then again then we gotta worry about folks going 007 on us
and lifting the prints off the keyboards or our drink glasses or
whatever.
Posted by dlmtechnology (20 comments )
Reply Link Flag
Can't wait
Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...
Posted by 1btb (19 comments )
Link Flag
Use cryptainer
I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!
Posted by gAmEpLaYa (2 comments )
Link Flag
Microsoft Guru huh?
Are sales of the Microsoft Fingerprint Reader down? :-)

Jot down your passwords, or by the fingerprint reader.

But then again then we gotta worry about folks going 007 on us
and lifting the prints off the keyboards or our drink glasses or
whatever.
Posted by dlmtechnology (20 comments )
Reply Link Flag
Can't wait
Can't you just wait until the retina scan replaces the fingerprint scan. Then instead of getting your finger chopped off by the bad guys, they instead have to pluck out your eyeball. Wow, what a thrill that will be...
Posted by 1btb (19 comments )
Link Flag
Use cryptainer
I almost always forget my passwords for various websites, such as trying to post a comment on this topic I didn't remember my password so they just emailed me a temporary password, yea for cnet! Nevertheless I just put my passwords on a notebook and put the file in the cryptainer. I use a bible passage for my cryptainer password, with (spaces and capital letters). The novice that I am with computers, I came from a windows 98SE to a windows xp and have never had to reformat my harddrive for any reason even though my computer has been infected with various adware and trojans, but I immediately got rid of them. I really can't understand why people reformat their harddrives. You people at CNET rock though I have learned alot through your fabulous website!
Posted by gAmEpLaYa (2 comments )
Link Flag
Don't just write them down
So, I always wrote down my userid & password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.

So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
Posted by (409 comments )
Reply Link Flag
And another thing
Norton/Symantec Password manager doesn't work with Opera.

What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
Posted by (409 comments )
Link Flag
Don't just write them down
So, I always wrote down my userid & password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries.......when my iBook stopped boting up. Now the password are secure. No-one can access the passwor dlist - including me.

So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
Posted by (409 comments )
Reply Link Flag
And another thing
Norton/Symantec Password manager doesn't work with Opera.

What's worse - none of the password aids can help if you have 2 accounts on 1 site. For example - Dice doesn't allow 2 searchable resumes on 1 account (you can have multiple resumes, but only 1 is searchable). Solution is to create 2 accounts, each with 1 searchable resume. I have 1 resume, focussing on my years of mainframe skills & another on my theoretical J2EE & limit middleware skills. So, I now have 2 accounts on Dice - each with a separate resume. If I want to add something to both resumes, I have to change 1, then logoff one account & onto the other account. Yeah - isn't it fun trying to remember the algorithm for each password. Tedious :-(
Posted by (409 comments )
Link Flag
Don't write them down, Use Keychain
I have a keychain file that I can even carry with me on a USB flash
drive and use on other machines. I have one master password
that will open the keychain and make passwords with as many
characters as allowed for each site, service, etc. That way I only
have to remember one very good password and can have the
strongest possible passwords that are secure from anyone
without my master password. My master password is not used
for anything except to unlock my keychain. Websites, shared
resources, etc. are all opened automatically as long as my
keychain is open. All my user names and passwords are
something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and
there is no way to remember them or break them if they have 32
characters for the user name and another 32 for the password.
What do I care what they are, they are randomly generated by
the keychain. I never even see the names and passwords since
keychain takes care of all of it for me.

Pretty funny that the guy from Microsoft thinks you should write
it down on a piece of paper for anyone to read. How tech savvy!
No wonder Windows is full of holes.
Posted by (19 comments )
Reply Link Flag
Uh Oh
Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks & will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued & company-inventory tagged PC.
Posted by (409 comments )
Link Flag
Don't write them down, Use Keychain
I have a keychain file that I can even carry with me on a USB flash
drive and use on other machines. I have one master password
that will open the keychain and make passwords with as many
characters as allowed for each site, service, etc. That way I only
have to remember one very good password and can have the
strongest possible passwords that are secure from anyone
without my master password. My master password is not used
for anything except to unlock my keychain. Websites, shared
resources, etc. are all opened automatically as long as my
keychain is open. All my user names and passwords are
something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and
there is no way to remember them or break them if they have 32
characters for the user name and another 32 for the password.
What do I care what they are, they are randomly generated by
the keychain. I never even see the names and passwords since
keychain takes care of all of it for me.

Pretty funny that the guy from Microsoft thinks you should write
it down on a piece of paper for anyone to read. How tech savvy!
No wonder Windows is full of holes.
Posted by (19 comments )
Reply Link Flag
Uh Oh
Some employers consider laptops, HHPC's, iPods, USB devices, etc. to be security risks & will NOT allow employees or contractors to enter the building with them. I've even seen a company prevent an employee from entering the building with his company-issued & company-inventory tagged PC.
Posted by (409 comments )
Link Flag
Wonderful....
So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!

Perhaps I should have been a dentist.
Posted by (22 comments )
Reply Link Flag
Wonderful....
So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!

Perhaps I should have been a dentist.
Posted by (22 comments )
Reply Link Flag
Pin numbers
I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed.

Only my best friend of 53 years MIGHT be able to figure some of them out.
Posted by (2 comments )
Reply Link Flag
I agree.
I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...
Posted by 1btb (19 comments )
Link Flag
Public and private keys
I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.
Posted by cbihler (2 comments )
Link Flag
Pin numbers
I keep my pins on a spread sheet. It's not protected because I use a code. Often a single number. I know what pin the number refers to and therefore can use about a dozen different pins and variations on them without fear of them being guessed.

Only my best friend of 53 years MIGHT be able to figure some of them out.
Posted by (2 comments )
Reply Link Flag
I agree.
I also employ this technique, which requires you only to come up with a coding system, by which you would recognize a password based on a shorthand string that had been jotted-down - rather than the actual password itself. If you make your coding system "generic" - not related to the name of your dog, wife, car, home address, etc, it would not possibly be broken by even those familiar with your otherwise routine life...
Posted by 1btb (19 comments )
Link Flag
Public and private keys
I've used my own version of public and private keys for years. I have a private key which only I (and my wife) know. The public keys I write down. If someone finds my "password list" they still can't get anywhere because they don't have the private key. The public key can be as complex as needed or totally random and I can keep copies of my public keys in multiple places without protection.
Posted by cbihler (2 comments )
Link Flag
Some thoughts
It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters.
Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.
Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.

I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
Posted by (29 comments )
Reply Link Flag
Some thoughts
It is 100% correct when somebody does not write down passwords, he/she tends to use same password for multiple resource. However I do not agree that about the 'Crappy' thing. I do not write down my password but my passwords are fairly strong with up to 12 characters.
Putting all passwords in place is putting oneself in more security concern. Security of a system is as strong as the weakest security link into it. Remember if you write your all password in one place, anybody finding that piece of paper shall have full access to your all passwords.
Similarly if you place all your password in password storage system, which is in turn is protected by master password, you end to loose everything if your master password is leaked.

I suggest maintaining multiple passwords depending upon the security requirement of resources. And no matter how silly it may seem it always better to remember the password than writing them down.
Posted by (29 comments )
Reply Link Flag
What a DIP {Filtered word}!!!
I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.

And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.

But it's that last part of the kicker that really gets to me:

>>>That allows us to remember more passwords and better passwords.<<<

That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.

Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
What a DIP {Filtered word}!!!
I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.

And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.

But it's that last part of the kicker that really gets to me:

>>>That allows us to remember more passwords and better passwords.<<<

That's totally incorrect. You're required to change your password every so often and as long as you have it written down... there's no need to remember it thus this statement is definately false.

Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Jot your passwords
First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?
Posted by (2 comments )
Reply Link Flag
Jot your passwords
First question: What was he thinking? (Secondy question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?
Posted by (2 comments )
Reply Link Flag
Fire Molly Wood
Fire Molly Wood.
Posted by montgomeryburns (109 comments )
Reply Link Flag
Fire Molly Wood
Fire Molly Wood.
Posted by montgomeryburns (109 comments )
Reply Link Flag
Microsoft Security Guru has Wrong Solution
Write down your password, huh? You would think a high-tech guru would suggest something more neoteric, such as an electronic safeword safe.
Posted by rmcghie (2 comments )
Reply Link Flag
Microsoft Security Guru has Wrong Solution
Write down your password, huh? You would think a high-tech guru would suggest something more neoteric, such as an electronic safeword safe.
Posted by rmcghie (2 comments )
Reply Link Flag
2 words; Password Corral...
The application is freeware from Cygnus Productions. I was sceptical at first (paranoid really) so I installed an active port monitor and ZoneAlarm to see if the app say started up and transferred all of your passowrds all over the internet. Well, it didn't and I've been using it ever since. You can export passwords using 128 bit encryption (you can export in plaintext as well but can't thereafter import again) and then import onto another system etc. It has work well for me and was recommended by cnet.
Posted by (2 comments )
Reply Link Flag
2 words; Password Corral...
The application is freeware from Cygnus Productions. I was sceptical at first (paranoid really) so I installed an active port monitor and ZoneAlarm to see if the app say started up and transferred all of your passowrds all over the internet. Well, it didn't and I've been using it ever since. You can export passwords using 128 bit encryption (you can export in plaintext as well but can't thereafter import again) and then import onto another system etc. It has work well for me and was recommended by cnet.
Posted by (2 comments )
Reply Link Flag
And they want to put Symantec out of business???
With enemies like this, who needs friends?
Posted by frankz00 (196 comments )
Reply Link Flag
And they want to put Symantec out of business???
With enemies like this, who needs friends?
Posted by frankz00 (196 comments )
Reply Link Flag
I remember as a child me and my friends used to say...
"Ill write it under my eyelid so I wont forget"

I wonder if someday it may possible to do that?
Posted by wazzledoozle (288 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.