[unisog] Password policies

Leinweber, James jiml at mail.slh.wisc.edu
Thu Apr 20 04:03:56 GMT 2006


> I don't understand the constant worry that users can't remember their
> password so they have to write it down...

I think I do :-)

I agree that a single password used multiple times a day is
one that should be memorized.  And that there are good ways of
writing passwords down (hint carried in wallet) and bad ways
(exact password scrawled on bottom of mouse pad, or on a post-
it note attached to a monitor).

The problem comes when there are a lot of passwords,
particularly if they have to be changed often.  I actually use
different passwords with every account.  And I have multiple
accounts on multiple computers, some of which are used
very infrequently.  I can't possibly remember several hundred
good ones, and that's how many I'm dealing with.  Plus for
some system administrative passwords, business continuity
required by law and regulation (e.g. HIPAA) means we have to
have an escrow mechanism.

So, I do a variety of things.  I memorize my PGP passphrase. I
carry some teeny handwritten reminders in my wallet (not full
passwords, and not annotated by account & system).  I keep
PGP encrypted files of important passwords.  We use "pwsafe"
from Counterpane.com to share administrative passwords.  We
write key passwords down, put them in sealed envelopes, and
lock those in fire-resistant safes (along with some of our
tape media) inside locked rooms, and don't give the safe
combination out to very many staff.

For low security web registrations, e.g. New York Times, I
just keep plaintext notes in private files.  I also let web
browsers like Firefox cache these under a master password.
(That master is, of course, kept PGP encrypted.)  Ditto
for Apple keychain when I'm using a Mac.

I reduce the need to write down passwords by using passphrase
generating schemas that take into consideration various
aspects of the account, site, organization, location etc.
This gives me families of similar but different passwords.
I usually need to PGP encrypt the schemas, though.  Thinking
up new schemas every time I change passwords is a nuisance,
but a feasible one.

Most end users will need at least five (5!) passwords or
schemas for families of passwords to cover these categories:

1) A primary single sign-on work password for departmental systems

2) A different work one for central systems

3) A really good personal one for high risk financial sites such
  as banks and stock brokers

4) A different good one for medium security e-commerce sites
  used with credit cards such as e-bay, amazon, paypal etc.

5) A low security one for web registration sites with neither
  privacy nor financial implications
  
Telling users to "just memorize your password" doesn't cover
all of the problems, in my opinion.  We need to give them
more nuanced advice about when to be different, and how to
keep track.

-- James E. Leinweber
Information Systems, State Laboratory of Hygiene, University of Wisconsin
<jiml at slh.wisc.edu> 465 Henry Mall, Madison WI 53706, US; +1 608 221 6281
PGP id: 5C6BC8B9  fp: 2E36 47BC DB03 57CE 86AD  19CC 41A1 9179 5C6B C8B9
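A computed analogue of the "schema" idea above, as an added example that is not part of the original message and not the author's own method (his schemas were mental rules kept PGP-encrypted, and pwsafe is not involved): a memorised master passphrase plus the attributes of the account (site, account name, organization, location) selects one member of a password family, and a generation counter stands in for "thinking up a new schema" when a password has to be changed. The alphabet, iteration count, field encoding and all sample accounts are assumptions for the example.

```python
import hashlib
import hmac
import string

# Character set for derived passwords (70 symbols): letters, digits and a
# few punctuation marks most sites accept.  An assumption for the example.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"

# Largest multiple of len(ALPHABET) that fits in a byte; byte values at or
# above this are rejected so every symbol is equally likely (no modulo bias).
_LIMIT = 256 - (256 % len(ALPHABET))   # 210 for a 70-symbol alphabet


def derive_password(master: str, *, site: str, account: str, org: str = "",
                    location: str = "", generation: int = 0,
                    length: int = 16) -> str:
    """Return one member of a password family.

    The family is fixed by the memorised master passphrase; the member is
    selected by the account's attributes plus a generation counter that is
    bumped whenever the password for that account must be changed.
    """
    fields = [site, account, org, location, str(generation)]
    if any("\x00" in f for f in fields):
        raise ValueError("NUL is the field separator and may not appear in a field")
    # Canonical encoding: lower-cased (assumes site/account names are not
    # case-sensitive) and NUL-separated, so ("ab","c") and ("a","bc") cannot
    # collide.
    salt = "\x00".join(f.lower() for f in fields).encode("utf-8")
    # Slow hash of the master so that a derived password leaked from one site
    # is expensive to turn back into the master (which would expose the
    # whole family).  Iteration count is an assumption.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              100_000, dklen=32)
    # Expand the key into as many bytes as needed and map them onto the
    # alphabet by rejection sampling.
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < _LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
    return "".join(chars)


def password_family(master: str, accounts) -> dict:
    """Derive every member of a family; keys are 'site/account#gN'."""
    return {
        f"{a['site']}/{a['account']}#g{a.get('generation', 0)}":
            derive_password(master, **a)
        for a in accounts
    }


if __name__ == "__main__":
    # Constructed sample accounts, not real ones.
    master = "correct horse battery staple of the lab"   # example only
    accounts = [
        {"site": "bank.example", "account": "jiml", "org": "personal"},
        {"site": "shop.example", "account": "jiml", "org": "personal"},
        {"site": "shop.example", "account": "jiml", "org": "personal",
         "generation": 1},   # same site after a forced password change
    ]
    for name, pw in password_family(master, accounts).items():
        print(f"{name:28s} {pw}")
```

Two caveats a practitioner would want. Every member hangs off one master, so the master must be strong and must never be typed into any site: a single derived password leaking from one site does not directly reveal the others, but anyone who guesses the master gets the whole family. And a member cannot be changed independently except by bumping its generation counter, which then has to be remembered (or written down), which is exactly the bookkeeping problem the message describes.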
 

