On Second Thought… Microsoft Says To Write Down Your Passwords

from the tradeoffs dept

For years we’ve all been told never to write down your passwords, for the obvious reason that writing them down makes it easier for someone to come by your desk and find out how to log in as you. However, a security program manager at Microsoft is now telling people that writing down passwords is a good thing, as it means people are less likely to simply use the same password for everything. This is true, but it’s really just a question of tradeoffs: a password on a sticky note is exposed to whoever can get to your desk, while a password reused everywhere is exposed to whoever breaks into any one of the sites that hold it, and which of those you should worry about depends on who is likely to be after you. Unfortunately, those who build systems tend to assume (falsely) that forcing people to use “secure” passwords has no unintended consequences.

I recently started using a system that is so complex that it’ll almost never be used. It needs a “group ID” and a “group password” along with a “user ID” and “user password,” and all four need to be entered every time you log in. The group ID and group password are assigned, and you can’t change them. They emailed the group ID, but you had to call to get the group password, which is an impossibly complex combination of letters and numbers; the only practical way to remember it is to write it down. Meanwhile, you could pick your own user password, but the conditions made it difficult to remember: it needed to be over 8 characters, and aside from requiring both a number and a letter, it needed to include “something else,” such as a punctuation mark. While this may look like “good security,” it pretty much guarantees either that this particular application will go mostly unused, or that anyone who does use it will write everything down together, defeating the purpose of such a high level of security.


Comments on “On Second Thought… Microsoft Says To Write Down Your Passwords”

Ivan Sick says:

No Subject Given

The whole “Don’t write your password” concept is no longer valid, if you ask me. Gone are the days of physical computer break-ins. Maybe CIA employees shouldn’t write ’em down, but the rest of us are pretty OK (unless someone you know personally, and come into physical proximity with in the same room where you keep those passwords, has some kind of vendetta).

Anonymous Coward says:

No Subject Given

I have hundreds of unique passwords, all generated by a simple approach: some 2-3 letter combination that abbreviates the site name (say, WSJ) and then a code word. The combination is long and should it be grabbed by a baddie, it isn’t apparent that it is a code (you’d have to grab 2 passwords to see that pattern).

Using a number for each site, rather than letters, would help make it even more secure.

I use a different code word for commerce sites than for regular sites, and occasionally throw a number on the end, but these things stretch the memory a bit. The basic approach works well.
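The per-site scheme in the comment above, as an added example that is not the commenter’s code or anything from the page: it builds passwords the way the comment describes (a short site abbreviation, then a fixed code word, occasionally with a number on the end) and then plays the attacker side of the commenter’s own remark that two captured passwords are enough to see the pattern. The site abbreviations, the code word “tulip” and the “leaked” passwords are all constructed for the demo; the longest-common-substring search is a standard technique, not something the comment specifies.

```python
"""Per-site password scheme from the comment above (site abbreviation + code
word), with the attacker-side check the commenter alludes to: once two
passwords from the same user leak, the shared code word is visible and the
user's passwords on other sites become guessable.

All names, abbreviations and sample passwords below are constructed."""

from typing import List, Optional


def site_password(site_abbrev: str, code_word: str, suffix: str = "") -> str:
    """Build a password the way the comment describes: a short abbreviation of
    the site name, then a fixed code word, then an optional number on the end."""
    return f"{site_abbrev}{code_word}{suffix}"


def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming longest common substring, O(len(a) * len(b)) time,
    O(len(b)) memory. Case-sensitive, like the passwords themselves."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)  # prev[j]: common run ending at a[i-2], b[j-1]
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def recover_code_word(leaked_passwords: List[str], min_len: int = 4) -> Optional[str]:
    """Attacker view: given two or more leaked passwords known to belong to one
    user (linked by e-mail address, say), return the longest substring they
    all share, or None if it is too short to look like a deliberate code word."""
    if len(leaked_passwords) < 2:
        return None
    common = leaked_passwords[0]
    for pw in leaked_passwords[1:]:
        common = longest_common_substring(common, pw)
        if len(common) < min_len:
            return None
    return common


def candidate_passwords(target_abbrev: str, code_word: str) -> List[str]:
    """Guess list for another site once the code word is known: the bare
    scheme plus the 'number on the end' variant the comment mentions (0-9).
    The abbreviation is assumed guessable from the site name."""
    return [site_password(target_abbrev, code_word)] + [
        site_password(target_abbrev, code_word, str(d)) for d in range(10)
    ]


def demo() -> dict:
    """Constructed user following the comment's scheme; two sites breached."""
    code_word = "tulip"
    vault = {
        "WSJ": site_password("WSJ", code_word),
        "NYT": site_password("NYT", code_word),
        "AMZN": site_password("AMZN", code_word, "7"),  # the occasional number
    }
    leaked = [vault["WSJ"], vault["NYT"]]  # constructed breach data
    recovered = recover_code_word(leaked)
    guesses = candidate_passwords("AMZN", recovered) if recovered else []
    return {
        "recovered_code_word": recovered,
        "amzn_guessed": vault["AMZN"] in guesses,
        "guess_count": len(guesses),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script, it reports that the two leaked passwords give up the code word and that the third site’s password (with its trailing digit) falls to an eleven-entry guess list. That is the same tradeoff the post is about, seen from the other side: a scheme that spares the memory does so by tying every site’s password to one shared secret, so the cost of a single breach is no longer confined to the breached site.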
