Support NeoGAF

[Afro Thunder]

Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper--or whatever it is I wrote them down on--there is nothing wrong with that. That allows us to remember more passwords and better passwords.

http://it.slashdot.org/article.pl?sid=05/05/24/2047228&from=rss

http://news.com.com/Microsoft+secur...asswords/2100-7355_3-5716590.html?tag=nefd.ac

He's right.

 

[Tarazet]

Just one question: how do they think they can prohibit people from writing down their passwords?? Are they slipping cameras into monitors now?

 

[Nerevar]

Just one question: how do they think they can prohibit people from writing down their passwords?? Are they slipping cameras into monitors now?

I think he means in terms of organizational policy. Lots of companies warn you not to write down passwords anywhere, and you will get punished if they find you breaking those rules.

 

[Tarazet]

I think he means in terms of organizational policy. Lots of companies warn you not to write down passwords anywhere, and you will get punished if they find you breaking those rules.

OK, but I'm just a bit skeptical, because I haven't encountered this.

 

[Azih]

Well I don't think you get punished, but it is common policy to recommend that you don't write down your password anywhere.

 

[Diablos]

In some cases, this IS a better idea - it allows you to have a more complex password without having to worry about forgetting it.

There's no real risk of someone getting your password if you write it on a piece of paper and leave it near your desk - if you live at home. It's only when you are at work or school that I question this advice.

 

[teiresias]

My default computer-ID password that I use to log onto all the PC's and various support sites at my university is a pretty damn complex password - one of those generated, hard to crack strings.

I carried around the password for a few days, but after a while my hand muscles basically memorized it and I find that even if I can't sit at a desk and think of what my password is the minute I sit down and try to type it it just comes right out. So writing it down and carrying it around for a few days is actually a good policy IMO.

My main problem comes when one of my "standard" passwords doesn't quite match the password requirements of some other system. Like this one online banking thing required me to have a special character (like @ or %) within the first three characters of the password, which didn't match any of the passwords I used, so I could never remember it. All of those different rules just mean I have all of these different passwords, it sucks.

 

[Phoenix]

OK, but I'm just a bit skeptical, because I haven't encountered this.

There isn't a stated policy where I work now, but when I used to do government contracting at the secret level, there was no way you were going to be writing down anything. My current password is just a random collection of letters and numbers so its unguessable - you'd have to do a brute force to get it.

 

[Tarazet]

There isn't a stated policy where I work now, but when I used to do government contracting at the secret level, there was no way you were going to be writing down anything. My current password is just a random collection of letters and numbers so its unguessable - you'd have to do a brute force to get it.

Ah, government.. that makes perfect sense. I see now.

 

[LakeEarth]

Yeah, I use the same password for a lot of things, but it's not an easy one to guess. It's not a word or sentence or anything.

 

[Drozmight]

Yeah, I use the same password for a lot of things, but it's not an easy one to guess. It's not a word or sentence or anything.

it's blank?

 

[LakeEarth]

it's blank?

Lets not turn this into a 'guess my password' game.

 

[deadfish]

I find it funny when people write down there user names and passwords and sticky them to the computer. :lol

So so stupid.

 

[AniHawk]

Lets not turn this into a 'guess my password' game.

Is it 12345?

 

[demi]

I find it funny when people write down there user names and passwords and sticky them to the computer. :lol

So so stupid.

How else are we supposed to solve the puzzle that we passed earlier in the game?

 

[Dilbert]

Ah, government.. that makes perfect sense. I see now.

It's not "government" which is the key part of that sentence -- it's the word "secret."

Passwords or combinations to physical locks are classified at the same level as the information they protect. If you write down the password or combination, then it must be protected like any other classified information, and if stored in an approved container, the owner of that container must have the appropriate need-to-know for the material guarded by that safe or lock.

 

[Nikashi]

Is it 12345?

Hey, that's the combination on my luggage!

 

[Zaptruder]

For a semi decent password, use something that you can easily remember, but then apply leetspeak to it...

so, corporatelackey becomes c0|2p0r@+3|@<|<3y

... of course it might become tricky remembering which characters are leet characters and which ones aren't... in which case you might assign a second part to decrypt the first part, by using your pin number as the identifier for which characters are normal characters or are leet characters...

on second thought, just right down a random password on a piece of paper.

 

[SFA_AOK]

I take a line from a song and use the initial of each letter of that line, throw in some capitalisation and/or special characters, away you go. So:

"The warden threw a party an the county jail"

becomes:

tWtaP@tCj

 

[ToxicAdam]

I find it funny when people write down there user names and passwords and sticky them to the computer. :lol

So so stupid.

I'm guilty.


At our work they have two levels of passwords on our computers (One to access the computer, and another to access key software). They make us change our password every 2 months and you can't use repeats. It's damn hard to keep thinking up new passwords and then remembering them.

 

[gblues]

Guilty here too. I need too many damn passwords to make them all different.

1 password for login into the NT domain (must be 8 characters, cannot reuse last 8 passwords)
1 password for login to call tracking software (must be 9 characters and contain a number)
1 password for VMS-based tool
1 password for the workorder system
1 password for the order management system
1 password for the timecard system

All systems are used on a daily basis.

At my previous job, I had to change passwords every 45 days. I would use the "change password" function in XP (on the ctrl+alt+del screen) and use A1b2c3 through A6b7c8 before going back to my original password.

Nathan

 

[LakeEarth]

Hey, that's the combination on my luggage!

Mental note, steal Nikashi's luggage.

 

[Tamanon]

Yeah one of the systems we use at work has such an ornery password system(must have at least 1 number, no 2 characters in a row, no character in the same place as the previous 10 passwords) so that basically all of us have our password posted on our monitor.....

sucks.

 

[Christoff Yurievich]

Yeah one of the systems we use at work has such an ornery password system(must have at least 1 number, no 2 characters in a row, no character in the same place as the previous 10 passwords) so that basically all of us have our password posted on our monitor.....

sucks.

so does that mean you have to have your last 10 passwords written down as well?

my global password is just one word and when it's a slightly more tricky system I add a . or a 1 to the end of said word. stupid gmail wouldn't let me use that and I had to use a random number password. I might change all my passwords to that as it's easy to remember and very hard to figure out.

 

[Phoenix]

It's not "government" which is the key part of that sentence -- it's the word "secret."

Passwords or combinations to physical locks are classified at the same level as the information they protect. If you write down the password or combination, then it must be protected like any other classified information, and if stored in an approved container, the owner of that container must have the appropriate need-to-know for the material guarded by that safe or lock.

Another goverment person in our midst

 

[Christoff Yurievich]

my gov't computer didn't have a password, but then again I wasn't working with sensitive materials. Funny thing is our office did, at one point, have some classified documents. why is this funny? That particular office was for the veterinarians. What in the world could have been classified about veterinary medicine? :lol

 

[Phoenix]

so does that mean you have to have your last 10 passwords written down as well?

my global password is just one word and when it's a slightly more tricky system I add a . or a 1 to the end of said word. stupid gmail wouldn't let me use that and I had to use a random number password. I might change all my passwords to that as it's easy to remember and very hard to figure out.

What I suggest to people it so pick two STRONG random passwords and just commit them to memory. Use one only for stuff that is confidential to yourself (like you bank account), and use the other one for pretty much everything else.

Don't use the leetspeak passwords! They are exceptionally vulnerable to dictionary attacks as todays dictionary attack systems use the leetspeak derivatives of words as well. Just pick something random. Close your eyes and peck around randomly with both hands on the keyboard.

That's your new password. In my case:

[`0zu29rn`bcxty89

toss out the symbold

0zu29rnbcxty89

If someone guesses that - power to them. THAT is a strong as hell random password