Yes Ken, I believe it is a departure to write down the admin password for every single workstation out there. Those "defcon" envelopes mentioned earlier in the thread are usually intended for critical systems vs. your user community desktops. In a company such as the one I'm at now that would be a huge burden to the way the organization (I use that term loosely of course) operates. This is not an uncommon organization structure from what I've seen. There are several workstation configuration groups that are all semi-autonomous and aligned with the LOBs. They certainly can't share the passwords.

For many years the best practice has been to create passwords that were difficult but able to be remembered, so they would not have to be written down. Writing it down, the thinking goes, increases the risk that it would be seen by somebody else.

I guess I could just buy a gimongous safe to put all of those envelopes in, but that seems a strange departure to me.

My guess is that the call comes from Jesper J (confirmed here: http://www.theregister.co.uk/2005/07/19/password_schneier/
http://software.silicon.com/security/0,39024655,39130618,00.htm )


I strongly disagree with the assertion and reversal of thinking. I believe that what's really being said is, "Well, we give up. We can't find any other way outside of causing all computer users to also carry a wallet. No purses, money-carrying socks, or running shorts if they have no pockets when you use the computer. We don't know how to change the world so that we have less than 68 passwords."

Maybe I just need more information about this change in concept and what's really being said vs. what's printed in that article and the others like it (Sun has similar statements out there - big surprise, right?).

Of course, if he's right about the number of passwords not being reduced, then he's likely also right about the number of people that use the LCD password and spray it across all systems thereby dumbing down the password strength across the systems.

I love the back and forth thinking that comes with this and look forward to the steady and long term thinking that allows folks to get a handle on this problem. I'm not sure I appreciate the way this is going, however. Obfuscating my passwords on my desk? Hmm... I would have thought we could do better. I know we should. I know we can. I know one-size-fits-all is not high on my list of appreciated approaches.

I do agree, Ken, that it's all about acceptable risk and that not all risk is accepted equally. On that we agree 120%. For all the time that has been put into Vista to make it more security friendly, I hate to see them throw in the hat on this one though. I suspect that's a recommendation that may change in the Vista SP1 time-frame, similar to using empty root domains ;-)

Al



On 9/8/06, Craig Cerino <[EMAIL PROTECTED]> wrote:

Agreed



From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Ken Schaefer
Sent: Friday, September 08, 2006 7:30 AM

Subject: RE: [ActiveDir] OT: admin account in Vista


Is it a departure really?


I'm always pretty sure that the advice has been to avoid writing down your username/password and storing it in an *insecure* location (i.e. taped to your monitor at work)


On the other hand, if you write down the details and store it in a safe place (e.g. place it into a safe) then surely you are relying on the security of the physical device to protect you. That may be an acceptable risk. I'm pretty sure if you wrote down your admin password at home, and stored the piece of paper underneath your keyboard, you probably wouldn't have that much to worry about (unless you couldn't trust whoever else was living in the house/unit/apartment). Anyone breaking into your house has full physical access anyway…


Cheers

Ken


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Friday, 8 September 2006 1:36 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: admin account in Vista


"Write down your username and password and store it in a safe location."


That's an interesting departure from the usual recommendations. ;-)
On 9/6/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:

Windows Vista Security : Built-in Administrator Account Disabled:
http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/27/windowsvistasecurity_.aspx