By Munir Kotadia, 23 May 2005 09:40
NEWS Companies should not ban employees from writing down their passwords because it forces users to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of the AusCERT conference on Australia's Gold Coast, Jesper Johansson, senior programme manager for security policy at Microsoft, said the security industry had been giving out the wrong advice to users by telling them not to write down their passwords.
"How many have password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of delegates raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them," he said.
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords I am going to pick a really crappy one, use it everywhere and never change it. If I write them down and then protect the piece of paper - or whatever it is I wrote them down on - there is nothing wrong with that. That allows us to remember more passwords and better passwords," said Johansson.
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
Delegates at the conference agreed that Johansson's advice made sense. However, they did not think it was practical.
One IT administrator from an international entertainment company, who requested anonymity, said that despite it being strict company policy to not make a note of passwords, he collated his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.
Another delegate from a government agency, who also requested anonymity, said storing a password list in an encrypted file may work for the administrator but it would not work for users because they would then forget the password to decrypt the password file.
The delegate said that even using two-factor authentication - such as an RSA token - was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.
"I know of a government minister that has done that," the delegate said.
Munir Kotadia writes for ZDNet Australia

Comments
There are 12 comments.
1. anonymous
I've been using "Whister32" (encrypted notepad) for ages and it's great.
I've a file called "passwords.wsp" on my memory stick that goes everywhere I go and can't be opened without 1) an executable, and 2) the unlock password.
I've two backup copies for work / home (on two desktops) and whenever I need to update the list I email it (as an attachment) to myself to keep all three copies the same.
Richard101
2. Murdoch Mactaggart
Writing down passwords is eminently sensible advice. A product such as PasswordSafe (see http://passwordsafe.sourceforge.net/) lets you categorise and keep any number of different keys and attendant information, all managed through one or more master passwords and subject to a range of security options. Of course you still need to manage securely the master password(s) ...
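Several posts in this thread, and Johansson's "protect the piece of paper", come down to the same design: keep the list in a file that only a master password unlocks. The following is an added Python sketch of that design, written for this page and not the code of PasswordSafe or any other product mentioned here; the function names (seal_store, open_store), the sample entries and the master phrase are all constructed. It stretches the master password with PBKDF2 and a random salt, then encrypts and authenticates the list (encrypt-then-MAC), so a wrong master password, the failure the government delegate worried about, is reported cleanly instead of decrypting to garbage, and a modified file is rejected too. Because the standard library has no AES, the cipher is a keystream built from HMAC-SHA256 over a counter; a real tool should use AES-GCM or an equivalent from a vetted library.

```python
"""Master-password-protected password store (added demonstration; not the code
of any product named in the thread).

Shown here:
  * the key is derived from the master password with PBKDF2-HMAC-SHA256 and a
    random salt, so the file never contains the master password itself;
  * the list is encrypted and then authenticated (encrypt-then-MAC), so a wrong
    master password or a tampered file is rejected rather than decoded;
  * the cipher is an HMAC-SHA256 counter keystream, used only because the
    standard library has no AES; a real tool should use AES-GCM or similar.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional, Tuple

ITERATIONS = 300_000   # PBKDF2 work factor; raise it as hardware gets faster
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32           # HMAC-SHA256 output length


def _derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                             salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with HMAC-SHA256(key, nonce || counter) blocks (CTR-style)."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal_store(master_password: str, entries: Dict[str, str]) -> bytes:
    """Encrypt and authenticate a {site: password} map.
    File layout: salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_store(master_password: str, blob: bytes) -> Optional[Dict[str, str]]:
    """Return the entries, or None if the master password or the file is wrong."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


# Constructed sample entries; not real credentials.
SAMPLE_ENTRIES = {
    "mail.example": "Tq7!vR2p#zL9",
    "bank.example": "wX4$nB8k@Hc1",
}


def demo() -> bool:
    """Round-trip the sample list and confirm the two failure modes are caught."""
    blob = seal_store("correct horse battery", SAMPLE_ENTRIES)
    round_trip_ok = open_store("correct horse battery", blob) == SAMPLE_ENTRIES
    wrong_pw_rejected = open_store("correct horse batter", blob) is None
    tampered = bytearray(blob)
    tampered[SALT_LEN + NONCE_LEN] ^= 0x01          # flip one ciphertext bit
    tamper_rejected = open_store("correct horse battery", bytes(tampered)) is None
    return round_trip_ok and wrong_pw_rejected and tamper_rejected


if __name__ == "__main__":
    print("round-trip, wrong-password and tamper checks passed:", demo())
```

The store file can be copied between machines or kept on a USB stick as the first poster does, since without the master password it yields nothing; what it does not solve is the delegate's point that the master password itself still has to be remembered, which is why a slow key derivation and a long memorable passphrase matter more than anything else in the design.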
3. anonymous
You are obviously not a security conscious individual. Writing down passwords is an awful idea! The admins should configure the systems to not allow weak passwords and force the users to change them on a regular basis. Further, if the users can't remember their passwords they are probably a security risk from the start and should be thinking of a career change. Practice saying "would you like fries with that!"
4. Dozza
Simple encryption is the answer.
Writing down passwords is idiotic; remembering them is impossible, especially strong passwords that have to change every 30 days. However, there are some very simple ways to generate reasonably secure passwords. Try this one:
- use a word and a year that you can remember
- write it down - e.g. Joshua1966
- create your actual password by swapping letters two and three, and adding 1001 e.g. Jsohua2967.
Even government ministers can remember a couple of simple rules like this, yet it would take an awful lot of work for anyone else to crack - even if they found your list of passwords.
5. Lionel A Smith
Remembering passwords can be a problem for some with medical conditions particularly those which require a mix of drugs to control, e.g. statins for heart conditions.
Of course such people should be classified as second-class citizens and thus classed as unemployable. Is that your angle, he who suggested 'job changes'?
6. anonymous
Passwords are out of date.
Pass phrases should be used.
Have a look at http://www.metaforix.info/2004/12/passphrases_not.html
Regards
7. anonymous
Another reason to trust Microsoft when it comes to security - NOT. While I don’t disagree that passwords have become a horrible mess – writing them down is too simplistic an answer – and irresponsible. Putting them into an encrypted file makes a whole lot more sense – but the MS guy doesn’t even mention that. PassPhrases? Get over it. How many OS's and applications can't support those specifics?
8. Ian Savell
"Anonymous security consultant" is an idiot. While he tries to enforce his rules all his users are either suffering lost productivity or writing their passwords on their desktops. Get real and remember the password you are trying to protect isn't the only one your users have to handle. Recognise that people need help managing huge numbers of passwords and manage THAT process, not your one precious (but probably already compromised) resource.
Imagine this scenario. Your finance director, who is a whizz with numbers but has a poor memory for random words, gets round your strictures by using YOUR password for some of his OTHER accounts. One of those is successfully phished or cracked and now your resource is wide open. If you had given him a means to recall his passwords you would still be safe.
Will that be a large meal?
9. Paul Charlton-Thomson
Two things spring to mind. Firstly that this advice is absolutely rubbish. Writing down your passwords will almost certainly lead to someone compromising them and implicating you in undesirable activities. However, I do 'write down' my passwords in an encrypted program for my PDA called Illium eWallet, which is itself protected by the PDA password and the eWallet password.
Secondly, anyone who uses a number of websites and systems will have somewhere in the order of 50 different usernames and passwords. It is about time that someone provides a public/private application to manage single sign-on for users. That way we could have a very strong password which could change regularly to protect our single sign-on account which would then keep safe all of our passwords for individual sites/systems. I guess Microsoft Passport goes some way to providing a solution like this.
10. anonymous
Interesting subject for a PhD. However, most people take the line of least resistance in spite of the efforts of control freaks in IT. Have you thought about trying the line "You can't park there!"
11. Joe Whitehead
A technique I've been suggesting for a long time has been this:
1) Memorize a common password for levels of trust. Three is more than enough.
2) Append random symbols to it and store those in an encrypted file/paper.
3) Keep this on you at all times using a USB drive or your wallet.
If it gets stolen then they get a list without the part they need. If they have both a full password and the list then they still would find out that you changed the passwords in time. The reality is that repetition=memorized.
What happens is that you use an easy-to-remember password and then add 'salt' to the end. Stealing one version of the password doesn't automatically release the others.
12. Rob Jones
I use an encrypted document of my 100+ usernames/passwords with its own password of 50 random characters. This is made up of various random-character passwords I have memorised through repetition over the years. The first 4 chars of each are written on a card in my wallet; enough to jog my memory but insufficient to break-in. Try brute-forcing that, then!
I try to change all my passwords every month or two as good practice. If I am choosing strong ones, I have to document them.