
By Munir Kotadia
Posted on ZDNet News: May 23, 2005 3:27:00 PM

Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia's national Computer Emergency Response Team, or AusCERT, Microsoft's Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, reusing the same password on every system reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords."
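Johansson's "weakest system" argument can be made concrete. The following Python is an added example and not code from the article, from Johansson or from Microsoft; the three system policies are constructed for illustration and the entropy model is a deliberately simple one (length times log2 of the accepted alphabet, ignoring required-character rules). It computes the strongest password each system would accept if it had its own, then the strongest password a single shared credential can be, which must fit the intersection of every system's rules.

```python
import math
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Password rules a system enforces (constructed, simplified model)."""
    name: str
    max_len: int   # longest password the system will accept
    charset: str   # characters the system will accept


# Constructed sample systems: a modern directory, a legacy host that only
# takes 8 upper-case alphanumerics, and a web portal capped at 12 characters.
POLICIES = [
    Policy("corporate-ad", 127, string.ascii_letters + string.digits + string.punctuation),
    Policy("legacy-mainframe", 8, string.ascii_uppercase + string.digits),
    Policy("payroll-portal", 12, string.ascii_letters + string.digits),
]


def entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in a uniformly random password of this length and alphabet."""
    return length * math.log2(charset_size)


def strongest_unique(policy: Policy) -> float:
    """Entropy of the best password a system allows when it gets its own."""
    return entropy_bits(policy.max_len, len(policy.charset))


def shared_policy(policies: list[Policy]) -> Policy:
    """Rules one password must satisfy to be accepted everywhere: no longer than
    the shortest limit, using only characters that every system accepts."""
    max_len = min(p.max_len for p in policies)
    charset = set(policies[0].charset)
    for p in policies[1:]:
        charset &= set(p.charset)
    return Policy("shared-everywhere", max_len, "".join(sorted(charset)))


def compare(policies: list[Policy]) -> dict:
    """Per-system entropy with unique passwords versus one shared password,
    plus how many accounts fall if that single shared password leaks."""
    shared = shared_policy(policies)
    unique = {p.name: strongest_unique(p) for p in policies}
    weakest = min(policies, key=strongest_unique)
    return {
        "unique_bits": unique,
        "shared_bits": strongest_unique(shared),
        "shared_max_len": shared.max_len,
        "shared_charset_size": len(shared.charset),
        "weakest_system": weakest.name,
        "accounts_lost_if_shared_leaks": len(policies),
        "accounts_lost_if_unique_leaks": 1,
    }


if __name__ == "__main__":
    result = compare(POLICIES)
    for name, bits in result["unique_bits"].items():
        print(f"{name:18s} unique password: {bits:6.1f} bits")
    print(f"{'shared':18s} one password:    {result['shared_bits']:6.1f} bits "
          f"(bounded by {result['weakest_system']})")
```

With these constructed policies the shared password is limited to 8 characters from a 36-symbol alphabet, exactly what the legacy host allows, so every account is protected at the legacy host's level even where the directory would have accepted 127 characters. The second cost is blast radius: one leaked shared password opens all three accounts, while a unique password opens one.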

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.
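The administrator's encrypted password file, and the delegate's objection to it, as an added example that is not part of the article (Python, standard library only, with a file layout and "pwstore-v1" tag that are my own construction). It generates a distinct random password per system, seals the list under keys derived from a master passphrase with scrypt, and authenticates the file so that a wrong master passphrase or a tampered file is rejected instead of being decrypted to garbage. A forgotten master passphrase fails in exactly the same way, which is the delegate's point: nothing in the file recovers it. The keystream built from HMAC-SHA256 in counter mode stands in for AES-CTR because the standard library has no block cipher; a real tool should use a vetted AEAD such as AES-GCM from a crypto library.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

MAGIC = b"pwstore-v1"   # constructed format tag, not a real standard
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master passphrase with scrypt so offline guessing is slow,
    and split the output into separate encryption and MAC keys."""
    km = hashlib.scrypt(master.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master: str, entries: dict[str, str]) -> bytes:
    """Encrypt-then-MAC the password list under keys derived from the master passphrase."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    body = MAGIC + salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # covers salt, nonce and ciphertext
    return body + tag


def open_store(master: str, blob: bytes) -> dict[str, str]:
    """Verify the tag before decrypting; a wrong passphrase and a tampered file fail alike."""
    header_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < header_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a password store")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt = body[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = body[len(MAGIC) + SALT_LEN:header_len]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        # A forgotten master passphrase lands here too: nothing is recoverable.
        raise ValueError("wrong master passphrase or corrupted store")
    ciphertext = body[header_len:]
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def new_password(length: int = 20,
                 alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """A fresh random password; one per system, so nothing is reused."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample: three systems, each with its own generated password.
    vault = {name: new_password() for name in ("corporate-ad", "payroll-portal", "vpn")}
    blob = seal("master-passphrase-for-demo", vault)
    assert open_store("master-passphrase-for-demo", blob) == vault
    try:
        open_store("master-passphrase-for-dem0", blob)
    except ValueError as e:
        print("wrong passphrase rejected:", e)
```

The whole scheme protects many strong passwords with one secret the user must actually remember, which is the trade Johansson is arguing for; it also shows why that one secret needs the same care as the piece of paper, since a weak master passphrase is the only thing scrypt's cost is slowing an attacker down on.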

The delegate said that even using two-factor authentication--such as an RSA token--was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.

Munir Kotadia of ZDNet Australia reported from Sydney.


Talkback (most recent of 45)

Schneier
Just a note, the first (among recent statements by security experts) person I saw give this advice was Schneier. And the advice is fairly sound. Protect that piece of paper like it was your money. Whic...
Posted by: Cheiron, 05/24/05
