Good advice that’s going to get slammed

May 23, 2005

Microsoft security guru: Jot down your passwords | CNET News.com:

Companies should not ban employees from writing down their passwords because such bans force people to use the same weak term on many systems, according to a Microsoft security guru.

Speaking on the opening day of a conference hosted by Australia’s national Computer Emergency Response Team, or AusCERT, Microsoft’s Jesper Johansson said that the security industry has been giving out the wrong advice to users by telling them not to write down their passwords. Johansson is senior program manager for security policy at Microsoft.

‘How many have (a) password policy that says under penalty of death you shall not write down your password?’ asked Johansson, to which the majority of attendees raised their hands in agreement. ‘I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.’

I don’t visit Slashdot anymore (and I’m not going to link there) because I’ve found them to be extremely negative on just about everything, especially MS technologies. It’s just not a balanced discussion. And for that reason I’m guessing that this statement from a MS person, while actually good advice if you think it through, is going to be slammed. What we have here, in the case of passwords, is a MAJOR problem. I’m guilty of doing exactly what this guy talks about – using the same relatively weak password in many places.

I disagree with his solution, though. Writing down your passwords, or storing them in an encrypted format on your Blackberry or Scoblephone, isn’t going to solve the issue (and creates new ones). We need some sort of federated, independent security model that uses some form of two-factor authentication. RSA tokens, smart cards, biometric readers, etc. are all in play. The kicker is that we need a system that is (relatively) universally accepted and used, and not one organization (corporate or government) out there has the reputation to be trusted by all of us. Plus I don’t think we can get away with just one way of doing the two-factor authentication.

For example, if I’m here at my house I can use a smart card in my laptop (my Dell Latitude D610 already has a reader in it), but I can’t use that same card in my home desktop PC because when I take the card out of my laptop it would lock the system. So I’d use a biometric reader on the desktop. Then if I want to do a transaction online, how does that biometric info get passed along to, say, Amazon? That’s where a token makes sense – a device that gives you a personalized password every 60 seconds. But a token still requires a personal memorized PIN code to add to the digits it gives you … plus right now the technology is one token per service. RSA is moving in the right direction with their mobile device soft-tokens (I can put up to 10 tokens on my Blackberry), but I’d still have to remember which one is for which service … plus it would take “forever” to get the key. And then we have to make all of this so easy and foolproof that my 90-plus-year-old grandma can use it to authenticate herself with her bank at the ATM, and so we don’t have 500,000 people get a letter in the mail saying “sorry, we let a hacker have your identity.”
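The 60-second token plus memorized PIN described above, as an added example that is not part of the original post and does not reproduce RSA SecurID’s proprietary algorithm: a simple HMAC-based time-step code (RFC 6238 style) with a server-side check of PIN + code that tolerates one step of clock drift. The seeds, PINs and service names are constructed placeholders, and the per-service enrolment table illustrates the “one token per service” problem the post complains about.

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the post describes a token whose code changes every 60 seconds
CODE_DIGITS = 6


def token_code(seed: bytes, counter: int) -> str:
    """Code for one time step: HMAC-SHA1 over the step counter, dynamically
    truncated to CODE_DIGITS decimal digits (RFC 4226 / RFC 6238 style)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def current_code(seed: bytes, now=None) -> str:
    """What the token on the user's keyring would display at time `now`."""
    now = time.time() if now is None else now
    return token_code(seed, int(now) // STEP_SECONDS)


def verify_passcode(seed: bytes, pin: str, submitted: str, now=None,
                    skew_steps: int = 1) -> bool:
    """Server-side check of 'PIN + code'. Both factors are compared together
    in constant time; a window of +/- skew_steps tolerates clock drift
    between the token and the server. (A real server would store a hash of
    the PIN rather than the PIN itself; kept plain here for brevity.)"""
    now = time.time() if now is None else now
    counter = int(now) // STEP_SECONDS
    ok = False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = pin + token_code(seed, counter + delta)
        # Do not short-circuit: every candidate is checked so timing leaks nothing.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Constructed sample enrolments (not real secrets): each relying party
# provisions its own seed and PIN, so the user must know which token is which.
ENROLMENTS = {
    "bank":   (b"constructed-seed-bank-0001", "4711"),
    "office": (b"constructed-seed-office-02", "9032"),
}


def login(service: str, submitted: str, now=None) -> bool:
    """Look up the service's token seed and PIN, then verify the passcode."""
    seed, pin = ENROLMENTS[service]
    return verify_passcode(seed, pin, submitted, now=now)
```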

And all of these methods of authentication should be linked to one master identity, just like real life. I have a unique fingerprint; I have a smartcard with a memorized PIN code; I have a token generator with a memorized PIN code. ME. The single ME needs to be recognized to be a single ME across all the entities I come in contact with, as opposed to today where I am a completely different customer on Amazon from MSN from CDW from my office from my voicemail…. Get the picture?

So, Robert Scoble, master of the blogging universe and marketing (just kidding), how does this conversation get discussed in the open in an UNbiased and thoughtful manner without getting blown up into a hissy fight between “pro-MS” and “anti-MS” people? I wonder, was the speaker’s original intention to really have folks write down all their passwords on a piece of paper, or was he trying to jump-start the discussion?

