
May 23, 2005 8:27 AM PDT

Microsoft security guru: Jot down your passwords

Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.

The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.

Munir Kotadia of ZDNet Australia reported from Sydney.


80 comments (showing first 20 comments)
Microsoft Guru huh?
by dlmtechnology May 23, 2005 9:00 AM PDT
Are sales of the Microsoft Fingerprint Reader down? :-)

Jot down your passwords, or buy the fingerprint reader.

But then again we gotta worry about folks going 007 on us
and lifting the prints off the keyboards or our drink glasses or
whatever.
Don't just write them down
by May 23, 2005 9:08 AM PDT
So, I always wrote down my userid & password in an Excel spreadsheet on my iBook (both iBook AND spreadsheet are password protected with different unique passwords). I had close on 200 entries... when my iBook stopped booting up. Now the passwords are secure. No-one can access the password list - including me.

So, I have had to guess my userid, contact whoever I'm trying to access, and then reset my password to something fairly unguessable & more memorable.
Don't write them down, Use Keychain
by May 23, 2005 10:27 AM PDT
I have a keychain file that I can even carry with me on a USB flash
drive and use on other machines. I have one master password
that will open the keychain and make passwords with as many
characters as allowed for each site, service, etc. That way I only
have to remember one very good password and can have the
strongest possible passwords that are secure from anyone
without my master password. My master password is not used
for anything except to unlock my keychain. Websites, shared
resources, etc. are all opened automatically as long as my
keychain is open. All my user names and passwords are
something like J8%6HEF&)L:R.]FTNWO0@CFRAbgie(hhvo;" and
there is no way to remember them or break them if they have 32
characters for the user name and another 32 for the password.
What do I care what they are, they are randomly generated by
the keychain. I never even see the names and passwords since
keychain takes care of all of it for me.

Pretty funny that the guy from Microsoft thinks you should write
it down on a piece of paper for anyone to read. How tech savvy!
No wonder Windows is full of holes.
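The encrypted password file the administrator describes in the article, the government delegate's point that the master password then becomes the one secret you must not forget, and the keychain in the comment above all rest on the same design: one slow-to-brute-force master secret protecting a store of long, randomly generated passwords that nobody has to memorise. What follows is an added Python example written for this page; it is not CNET's, Microsoft's or any commenter's code. The file marker `PWVAULT1`, the site names and the master phrase are constructed for the illustration, and the cipher is a demonstration construction from the standard library (an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag) standing in for the AES-GCM or ChaCha20-Poly1305 a real password manager would take from a vetted library.

```python
"""Minimal encrypted password store using only the Python standard library.

Added example: one master password (used for nothing else) unlocks a file of
unique, randomly generated credentials. The cipher here is a demo construction
(HMAC-SHA256 in counter mode, encrypt-then-MAC); a production vault would use
AES-GCM or ChaCha20-Poly1305 from a vetted library instead.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

MAGIC = b"PWVAULT1"      # constructed file-format marker for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


class VaultLocked(Exception):
    """Raised when the master password is wrong or the vault file was altered."""


def generate_password(length: int = 32) -> str:
    """Draw a password from a CSPRNG; the user never has to remember it."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with scrypt and split it into cipher and MAC keys.

    The deliberately slow KDF is what makes a stolen vault file expensive to
    brute-force offline.
    """
    material = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                              n=2 ** 14, r=8, p=1, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 over (nonce || counter) as a PRF keystream (demo-only cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, master_password: str) -> bytes:
    """Serialise the entries and encrypt-then-MAC them under the master password."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()  # MAC covers header too
    return header + ciphertext + tag


def open_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag before decrypting: a wrong master password yields no plaintext at all."""
    if len(blob) < len(MAGIC) + SALT_LEN + NONCE_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise VaultLocked("not a vault file")
    pos = len(MAGIC)
    salt = blob[pos:pos + SALT_LEN]
    pos += SALT_LEN
    nonce = blob[pos:pos + NONCE_LEN]
    pos += NONCE_LEN
    ciphertext, tag = blob[pos:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        raise VaultLocked("wrong master password or corrupted vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))


def demo() -> dict:
    """Round-trip a constructed vault and exercise the two failure modes."""
    master = "correct horse battery staple"          # constructed master phrase
    entries = {site: {"user": "user@" + site, "password": generate_password()}
               for site in ("mail.example", "bank.example", "forum.example")}
    blob = seal_vault(entries, master)
    try:
        open_vault(blob, "wrong password")
        wrong_rejected = False
    except VaultLocked:
        wrong_rejected = True
    tampered = bytearray(blob)
    tampered[len(MAGIC) + SALT_LEN + NONCE_LEN] ^= 0x01   # flip one ciphertext bit
    try:
        open_vault(bytes(tampered), master)
        tamper_detected = False
    except VaultLocked:
        tamper_detected = True
    return {"round_trip": open_vault(blob, master) == entries,
            "wrong_rejected": wrong_rejected,
            "tamper_detected": tamper_detected,
            "unique": len({e["password"] for e in entries.values()}) == len(entries)}


if __name__ == "__main__":
    print(demo())
```

Two design points match the discussion on the page. The tag is checked before any decryption, so a wrong master password produces `VaultLocked` rather than garbage plaintext, and a single flipped byte in the file is detected the same way. The flip side is exactly the delegate's objection: the scrypt cost that slows an attacker down applies equally to the owner, and a forgotten master password leaves nothing to recover, which is the situation the iBook commenter above ended up in.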
Wonderful....
by May 23, 2005 1:12 PM PDT
So as one of my small company's two techs not only must I put up with end users calling me to help them with their spreadsheets and baby them into being able to retrieve a file they themselves typed and saved to a directory they can't find anymore, I should also worry about when and where they are losing the little post-it notes they've made with their user names and passwords!

Perhaps I should have been a dentist.
Pin numbers
by May 23, 2005 1:27 PM PDT
I keep my PINs on a spreadsheet. It's not protected because I use a code. Often a single number. I know what PIN the number refers to and therefore can use about a dozen different PINs and variations on them without fear of them being guessed.

Only my best friend of 53 years MIGHT be able to figure some of them out.
Some thoughts
by May 23, 2005 7:15 PM PDT
It is 100% correct that when somebody does not write down passwords, he/she tends to use the same password for multiple resources. However, I do not agree about the 'Crappy' thing. I do not write down my passwords, but my passwords are fairly strong, with up to 12 characters.
Putting all passwords in one place exposes oneself to more security concern. Security of a system is as strong as the weakest security link in it. Remember, if you write all your passwords in one place, anybody finding that piece of paper shall have full access to all your passwords.
Similarly, if you place all your passwords in a password storage system, which in turn is protected by a master password, you end up losing everything if your master password is leaked.

I suggest maintaining multiple passwords depending upon the security requirements of the resources. And no matter how silly it may seem, it is always better to remember the passwords than to write them down.
What a DIP {Filtered word}!!!
by wbenton May 24, 2005 8:22 AM PDT
I'm sure that Microsoft's Jesper Johansson has ALL 68 of his passwords written down somewhere.

And NOW... the rest of the world knows that. (* ROFLOL *) So guess who's gonna need triple security guards from now on as I'm sure he doesn't just have a list of just 68 passwords as I couldn't even remember the order of which password was used for where and thus he's probably also got a name next to that password giving him at least a clue as to what that password is used for.

But it's that last part of the kicker that really gets to me:

>>>That allows us to remember more passwords and better passwords.<<<

That's totally incorrect. You're required to change your password every so often, and as long as you have it written down... there's no need to remember it, thus this statement is definitely false.

Normally, one might think that it takes balls or audacity to stand up and say this at such a crowd, but to me... it sounds more like lack of common sense... it sounds like this guy just tried to let out a silent fart but it turned out to be one of the loudest rippers I've ever heard... (* ROFLOL *)

Walt
Jot your passwords
by May 24, 2005 9:33 AM PDT
First question: What was he thinking? (Second question: who let the Microsoft guy into a security conference?) As I recall, this was a valid security discussion around 6 years ago. And everyone concluded that writing passwords anywhere was a BAD idea. I have also seen (and written) policies that prohibit passwords in any file. By the way, does anyone know the Australian word for "idiot"?
Fire Molly Wood
by montgomeryburns May 24, 2005 2:52 PM PDT
Fire Molly Wood.
Microsoft Security Guru has Wrong Solution
by rmcghie May 24, 2005 3:30 PM PDT
Write down your password, huh? You would think a high-tech guru would suggest something more neoteric, such as an electronic safeword safe.