Interesting People mailing list archives

more on MS Security says to write down your passwords?!?!


From: David Farber <dave () farber net>
Date: Tue, 24 May 2005 04:41:42 -0400



Begin forwarded message:

From: Bob Hinden <bob.hinden () nokia com>
Date: May 23, 2005 6:58:27 PM EDT
To: dave () farber net
Cc: Bob Hinden <bob.hinden () nokia com>
Subject: Re: [IP] MS Security says to write down your passwords?!?!


Dave,



Microsoft security guru: Jot down your passwords


There is a real problem here and he is probably correct. We are instructed to use hard to forge passwords (i.e., not in the dictionary, mixture of letters and numbers, etc.), we are not supposed to write them down, we need to have passwords on many different systems, and we are supposed to change them periodically. Not surprisingly, this just isn't possible.

I think it is better to write down passwords than to use passwords that are easy to guess. The best method I have seen for this is to have all the passwords start or end with the same character(s) and not write down these character(s) in the list.

Personally I do a range of things to manage my passwords. I use high quality passwords for accounts where my money is involved, medium quality for sites that might retain my credit cards, and low quality passwords for things where it doesn't matter too much (these are usually duplicated), and I write down the passwords for accounts I don't use too often and am likely to forget.

Where I work, they make me change my password much too often and don't allow the reuse of the previous dozen passwords. I think this actually reduces the security because it encourages people to write down passwords and/or use trivial passwords. The scheme I came up with was to have a constant set of numbers and letters and rotate the letters through the numbers every time they make me change the password. This makes it easier for me to remember it, but still results in reasonable quality. BTW, once recently when I was going through airport security, they made me show that my laptop was working. This, of course, was the time that the disk encryption software decided it was time for me to change my password. What fun....

Bob





