
Security Wisdom from Microsoft?

I know that pigs must be flying, but a Microsoft security expert recently made a very wise statement. Jesper Johansson told an Australia CERT gathering that employees should write down their passwords.

“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”

Johansson is absolutely right. Human nature says that if you have many different passwords – as good security policy tells you to – you’ll likely recycle a few to keep things simple. This leads to multiple vulnerabilities should one of those systems become compromised.

Unless you’re Dan Rather, you aren’t going to get accosted on the street by goons asking “what’s the password, Kenneth?” You’re not going to have your password beaten out of you during a POW interrogation. You’re also not going to have your password pilfered from your wallet using RFID. Until some enterprising hacker invents a way to remotely read the paper on your desk, having your passwords written down rather than stored somewhere (or “recycled”) is actually pretty safe.

I’ve been doing this myself for a few years now and am glad that others are seeing the light. It may not make sense in all situations, but it’s better than using one lousy password for everything.

  1. If this is the caliber of “security expert” that Microsoft hires, it explains a lot about Windows…. Sure, write down your passwords. And while you’re at it, tape the list to the side of the monitor or under the keyboard (or put it under the doormat, along with your house key). Say, that’s real secure.

    Here’s a better idea: use a password management program. Your passwords are stored in a small, encrypted data file, and you only have to remember the main password to access them. I use Password Safe [ http://passwordsafe.sourceforge.net/ ], and it works great (it’s free, too). I memorize the few passwords that I use frequently, and I save all of the others that I have to keep up with (at least 30 or 40) in the program. After I add/change/delete a password, I save a backup copy of the data file on a floppy, a USB key, or a server. If someone gets their hands on the file, they’ll have “fun” trying to break the encryption.

  2. Sure, and let’s just say that someone installs a keylogger on your system. Every one of your passwords is compromised. If you don’t have your passwords stored online, you are limited only to those systems you accessed while the keylogger is active.

    Keyloggers can’t capture data from OTP systems, and you don’t have to remember passwords to use it. Larger corporations (at least the ones who have a clue) use to maintain security.

    OTP seems one of the cheapest and most secure means of proving your identity. Why isn’t its use more widespread?

  3. > Sure, and let’s just say that someone installs a keylogger on your system. Every one of your passwords is compromised. If you don’t have your passwords stored online, you are limited only to those systems you accessed while the keylogger is active.

    The perp would also need to get his hands on the data file (remote control, file download, e-mail attachment, etc.) in order to compromise your entire password list. Simply knowing the master password isn’t enough.

    Writing passwords on a sheet of paper is only as secure as the paper itself. If someone swipes your password sheet (or you accidentally leave it in your pocket and run it through the washing machine), you’re s.o.l.

    > OTP seems one of the cheapest and most secure means of proving your identity. Why isn’t its use more widespread?

    Good question. One-time password authentication would eliminate the possibility of replay attacks. I suspect that cost and/or laziness have something to do with it.
