UK Says No To Internet Ordered Porn >>
<< Expensive Police Spy Camera Vans Just For Show
 tdicon 


Say That Again

by Mike Masnick

Mon, May 23rd 2005 10:31am





On Second Thought... Microsoft Says To Write Down Your Passwords

from the tradeoffs dept

For years we've all been told never to write down your passwords, for the obvious reason that writing them down makes it easier for someone to come by your desk and find out how to login as you. However, a security program manager at Microsoft is now telling people that writing down passwords is a good thing, as it means people are less likely to simply use the same password for everything. This is true, but it's really just a question of tradeoffs. Unfortunately, though, those who build systems always assume (falsely) that there are no unintended consequences of forcing people to use "secure" passwords. I recently started using a system that is so complex, that it'll almost never be used. It needs a "group ID" and a "group password" along with a "user ID" and "user password." All four need to be entered every time you login. The group ID and group password are assigned -- and you can't change them. They emailed the group ID, but you had to call to get the group password, which is an impossibly complex combination of letters and numbers, where the only possible way to remember it is to write it down. Meanwhile, you could pick your own user password, but the conditions made it difficult to remember. It needed to be over 8 characters, and aside from requiring both a number and a letter, it needed to include "something else" -- such as a punctuation mark. While this seems like it might be "good security," it pretty much guarantees that this particular application is mostly useless -- or that anyone who uses it will write everything down together, defeating the purpose of such high levels of security.

10 Comments | Leave a Comment..


If you liked this post, you may also be interested in...
 

Reader Comments (rss)

(Flattened / Threaded)

  1.  

    Passwords

    identicon
    wraith, May 23rd, 2005 @ 1:34pm

    This is exactly why I use password managers for everything I do...now I don't exactly have private material that I don't want anyone to view, however I do want to make it harder for hackers to gain my password.

    reply to this | link to this | view in thread ]

  2.  

    Re: Passwords

    identicon
    www.mygadgetbag.com, May 23rd, 2005 @ 3:08pm

    I just typically use about 4 passwords, and remember the combinations I've used them. If I get it wrong the first time, I will almost always get the right password the second time.

    reply to this | link to this | view in thread ]

  3.  

    No Subject Given

    identicon
    Anonymous Coward, May 23rd, 2005 @ 5:05pm

    http://sourceforge.net/projects/keepass/

    reply to this | link to this | view in thread ]

  4.  

    Keep them in your wallet

    identicon
    Anonymous Coward, May 23rd, 2005 @ 5:23pm

    Keep them on a laminated card in your wallet: about as secure as your driver's license or social security card ID numbers. Replace them every so often.

    reply to this | link to this | view in thread ]

  5.  

    Re: Keep them in your wallet

    identicon
    Anonymous Coward, May 23rd, 2005 @ 6:51pm

    Yah… unfortunately as soon as RFID tags get put on our ID cards, someone sitting on the sidewalk with a reader, snatching the info of every person who walks past who has a card in his / her wallet, will make the issue of password security mostly irrelevant.

    reply to this | link to this | view in thread ]

  6.  

    No Subject Given

    identicon
    M. Brubeck, May 23rd, 2005 @ 7:58pm

    Bruce Schneier also says to pick a good password and write it down. He recommends the written-down password in a relatively guarded place, like your wallet.

    reply to this | link to this | view in thread ]

  7.  

    simple solution

    identicon
    blorpus, May 23rd, 2005 @ 10:23pm

    I use "dorpus" for all my passwords.

    reply to this | link to this | view in thread ]

  8.  

    No Subject Given

    identicon
    Ivan Sick, May 24th, 2005 @ 5:20am

    The whole "Don't write your password" concept is no longer valid, if you ask me. Gone are the days of physical computer break-ins. Maybe CIA employees shouldn't write 'em down, but the rest of us are pretty OK (unless someone you know personally, and come into physical proximity with them in the same room where you keep those passwords has some kind of vendetta.)

    reply to this | link to this | view in thread ]

  9.  

    No Subject Given

    identicon
    Anonymous Coward, May 24th, 2005 @ 5:48am

    I have hundreds of unique passwords, all generated by a simple approach: some 2-3 letter combination that abbreviates the site name (say, WSJ) and then a code word. The combination is long and should it be grabbed by a baddie, it isn't apparent that it is a code (you'd have to grab 2 passwords to see that pattern).

    Using a number for each site, rather than letters would help make it even more secure.

    I use a different code word for commerce sites than for regular sites, and occasionally throw a number on the end, but these things stretch the memory a bit. The basic approach works well.

    reply to this | link to this | view in thread ]

  10.  

    Re:

    identicon
    Rev, Dec 19th, 2006 @ 2:12pm

    Four combinations? Get the @$@% out of here.

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>


UK Says No To Internet Ordered Porn >>
<< Expensive Police Spy Camera Vans Just For Show
 tdicon 

A word from our Sponsors...
Follow Techdirt
Flattr rss rss

Powered by Postrank

From the Techdirt Archive...
A word from our Sponsors...

Close

Email This