May 24, 2005

Rescinding Password Security Advice

Lifehacker notes that a Microsoft security expert contradicts the accepted wisdom that writing down your password is a massive security risk. Jesper Johansson, senior program manager for security policy at Microsoft, speaking at a conference hosted by the Australian Computer Emergency Response Team, offered this commonsense (but often-ignored) scenario [c|net link]:

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

Such advice may have made sense twenty years ago, when most users needed a password for one or two systems. But today, even average users need a handful of passwords. Not counting systems of extremely low importance (like bulletin boards I rarely use or the NY Times), I must have 20-30 passwords to maintain, ranging from banking sites to email accounts, sites where security is anywhere from relatively to extremely important to me. I moved, quite a while back, to an app on my system that encrypts the account info into a file that I open with a master password. Not completely secure, but good enough for most of us. (One reader at Lifehacker suggested an index card file, which they can lock up, carry with them, etc. Low tech, but probably also "good enough.")

[via Lifehacker]

Posted by johndan at May 24, 2005 03:26 PM