Monday, October 23, 2006
People are writing down their passwords!
The folks at Watchguard(*) criticize a recent "survey" about people writing down passwords and offer some advice.
I endorse half their advice.
One recommendation was to make passwords longer instead of making them more complex. The math agrees with them: I was just working through it for some security awareness training materials. You get more bang for your agony if you memorize a few extra characters than if you make the password look like comic strip profanity.
IF you have really random passwords. There's no real improvement in going from a password of "These are not the droids you're looking" to "These are not the droids you're looking for". Password strength comes from being unpredictable, so I have to argue with their example password of "The force is strong with this one". I've seen reports that the bad guys have added all the Star Wars scripts to their lists of passwords to try.
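The arithmetic behind the two points above (length beats added complexity, and a quoted phrase is only as strong as the list it came from) can be worked through in a few lines. The following is an added example written for this page, not code from the post or from Watchguard. The charset sizes, the guess rate, the number of candidate Star Wars lines and the number of trivial variants per line are all assumptions chosen for illustration; they are attacker models, not measurements.

```python
import math

# Assumed character-set sizes for a uniformly random password.
LOWER = 26          # a-z
MIXED_DIGITS = 62   # a-z, A-Z, 0-9
PRINTABLE = 95      # every printable ASCII symbol ("comic strip profanity")


def random_password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly from charset_size**length
    possibilities. Only valid if every character really is random."""
    if charset_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and a length of at least 1")
    return length * math.log2(charset_size)


def extra_bits_from_length(charset_size: int, extra_chars: int) -> float:
    """Bits gained by appending extra_chars random characters from the same set.
    Grows without bound: every character adds log2(charset_size)."""
    return extra_chars * math.log2(charset_size)


def extra_bits_from_complexity(old_charset: int, new_charset: int, length: int) -> float:
    """Bits gained by keeping the length but drawing from a larger charset.
    Capped by the ratio log2(new)/log2(old), which is only about 1.4 for 26 -> 95."""
    return length * (math.log2(new_charset) - math.log2(old_charset))


def naive_char_bits(phrase: str, symbols: int = 30) -> float:
    """The misleading estimate: treat a quotation as if each character were random.
    'symbols' is an assumed alphabet of letters, space and a little punctuation."""
    return random_password_bits(symbols, len(phrase))


def phrase_list_bits(phrase_count: int, variants_per_phrase: int = 1) -> float:
    """Entropy against an attacker who models the passphrase as one of phrase_count
    known lines, each with variants_per_phrase trivial mutations (truncation,
    case, punctuation, appended 'for'). Independent of the phrase's length."""
    return math.log2(phrase_count * variants_per_phrase)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare(base_len: int = 8, extra: int = 4, guess_rate: float = 1e9) -> dict:
    """Side-by-side: lengthen a lowercase password vs. make it 'complex',
    and a famous quote under the naive model vs. the phrase-list model."""
    short_quote = "These are not the droids you're looking"
    long_quote = short_quote + " for"
    # Assumption: ~20,000 script lines and 16 trivial variants each.
    script_lines, variants = 20_000, 16
    return {
        "lowercase_base_bits": random_password_bits(LOWER, base_len),
        "gain_from_length": extra_bits_from_length(LOWER, extra),
        "gain_from_complexity": extra_bits_from_complexity(LOWER, PRINTABLE, base_len),
        "lengthened_years": years_to_exhaust(
            random_password_bits(LOWER, base_len + extra), guess_rate),
        "complex_years": years_to_exhaust(
            random_password_bits(PRINTABLE, base_len), guess_rate),
        "quote_naive_bits": naive_char_bits(short_quote),
        "quote_plus_for_naive_bits": naive_char_bits(long_quote),
        # Same value for both quotes: the extra word buys nothing.
        "quote_attacker_bits": phrase_list_bits(script_lines, variants),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>28}: {value:,.2f}")
```

With these assumptions, four extra lowercase letters on an 8-character password add about 18.8 bits, while switching all eight characters to the full printable set adds about 15.0 bits, so the longer lowercase password is the stronger of the two. The quote looks like 190-plus bits under the naive per-character model, but against an attacker holding the scripts it is worth roughly 18 bits, and tacking " for" onto the end does not move that number at all.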
Then they proceed to recommend that you have a company policy forbidding people to write down their passwords. You know your employees will anyway. Besides, you need some of the key passwords in a vault for disaster management when the phone lines are down, the people who know the server password can't come in, and you need to shut it down cleanly before the UPS fails.
I've argued before that if you can safeguard the paper (not under the keyboard, please!) and know the worth of the password, then you actually should write down your passwords. It's not the conventional wisdom, but then this is hardly the first time that conventional wisdom failed to hold up to analysis.
(*)Disclosure: they bought an article from me once.