On Second Thought... Microsoft Says To Write Down Your Passwords
from the tradeoffs dept
For years we've all been told never to write down your passwords, for the obvious reason that writing them down makes it easier for someone to come by your desk and find out how to login as you. However, a security program manager at Microsoft is now telling people that writing down passwords is a good thing, as it means people are less likely to simply use the same password for everything. This is true, but it's really just a question of tradeoffs. Unfortunately, though, those who build systems always assume (falsely) that there are no unintended consequences of forcing people to use "secure" passwords. I recently started using a system that is so complex, that it'll almost never be used. It needs a "group ID" and a "group password" along with a "user ID" and "user password." All four need to be entered every time you login. The group ID and group password are assigned -- and you can't change them. They emailed the group ID, but you had to call to get the group password, which is an impossibly complex combination of letters and numbers, where the only possible way to remember it is to write it down. Meanwhile, you could pick your own user password, but the conditions made it difficult to remember. It needed to be over 8 characters, and aside from requiring both a number and a letter, it needed to include "something else" -- such as a punctuation mark. While this seems like it might be "good security," it pretty much guarantees that this particular application is mostly useless -- or that anyone who uses it will write everything down together, defeating the purpose of such high levels of security.Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
Passwords
[ link to this | view in thread ]
Re: Passwords
[ link to this | view in thread ]
No Subject Given
[ link to this | view in thread ]
Keep them in your wallet
[ link to this | view in thread ]
Re: Keep them in your wallet
[ link to this | view in thread ]
No Subject Given
[ link to this | view in thread ]
simple solution
[ link to this | view in thread ]
No Subject Given
[ link to this | view in thread ]
No Subject Given
Using a number for each site, rather than letters would help make it even more secure.
I use a different code word for commerce sites than for regular sites, and occasionally throw a number on the end, but these things stretch the memory a bit. The basic approach works well.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]