Companies should not ban employees from writing down their passwords because it forces users to use the same weak term on many systems, according to a Microsoft security guru.
Speaking on the opening day of the AusCERT conference on Australia's Gold Coast, Jesper Johansson, senior programme manager for security policy at Microsoft, said the security industry had been giving out the wrong advice to users by telling them not to write down their passwords.
"How many have password policy that says 'under penalty of death you shall not write down your password'?" asked Johansson, to which the majority of delegates raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them," he said.
According to Johansson, use of the same password reduces overall security.
"Since not all systems allow good passwords I am going to pick a really crappy one, use it everywhere and never change it. If I write them down and then protect the piece of paper — or whatever it is I wrote them down on — there is nothing wrong with that. That allows us to remember more passwords and better passwords," said Johansson.
Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.
Delegates at the conference agreed that Johansson's advice made sense. However, they did not think it was practical.
One IT administrator from an international entertainment company, who requested anonymity, said that despite it being strict company policy to not make a note of passwords, he collated his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.
Another delegate from a government agency, who also requested anonymity, said storing a password list in an encrypted file may work for the administrator but it would not work for users because they would then forget the password to decrypt the password file.
The delegate said that even using two-factor authentication — such as an RSA token — was not safe because people often write their pin number on a piece of paper and tape it to the back of the token.
"I know of a government minister that has done that," the delegate said.
Munir Kotadia reported from Sydney for ZDNet Australia. For more ZDNet Australia stories, click here.
Talkback
Huh? Ever heard of secret stores and identity management? Proven technology for years on end and such. Oh, I forgot, Redmond hasn't "invented" that fully yet so that's why "the next best thing" is to write down passwords on a piece of paper until Microsoft comes with something "better" (for a price ofcourse because why get it right the first time if you can get tax payers to pay for it twice or more even?).
Lucky for us this is the same company running the show in many government security projects around the world like ID cards, national registration systems and such. Ahum.
Whether users should be allowed to write down their passwords depends on how much you can trust their judgement about storing the written material (either on paper or electronically).
if you're relying on a piece of paper instead of your memory, you've just changed from 'something you know' authentication to 'something you have' authentication. Accordingly, you have to address different risks.
Most organizations probably wouldn't trust their normal users to write down a password on paper because it would probably be kept with or near the computer. Those organizations probably would trust that administrators would do a better job of keeping the paper with them.
A better plan than letting the average user write down their passwords is working on two areas: One, give them secure, but easily memorable passwords. Two, reduce the number of unique passwords they need to use for business systems (i.e. reduced sign-on).
PalmOS has applications designed specifically for storage of secure passwds and I know a lot of Net and Sys Admins that use it. Why? Because they have far too many passwds and systems to remember.