1/3rd of Workers Write Down Passwords — Good for Them

This week saw a flurry of articles on an alleged security risk — 1/3rd of workers in a survey said they write down their passwords in one form or another. Nucleus Research and KnowledgeStorm, which performed the survey, portrayed this as a serious security problem and recommended biometrics and other security methods.

According to ZDNet,

“This [writing down passwords] is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat,” said David O’Connell, senior analyst at Nucleus Research.

Couldn’t disagree more. Writing down passwords is, in fact, the best way to deal with two competing needs: a) maintaining secure passwords that are not easily subject to brute force or dictionary attacks, and b) maintaining distinct passwords for multiple systems.

Personally, I have userids and passwords to 50-60 accounts. Now maybe Mr. O’Connell has a photographic memory that allows him to remember at an instant the userid and password to dozens of accounts, but most of us don’t quite have that skill.

There are two ways people deal with this. One is to compromise the security of the accounts by using an insecure password that is easily circumvented by a determined attacker. The other is to pick one secure password and reuse it over and over again across numerous systems.

Microsoft’s Jesper Johansson railed against policies against writing down passwords last year,

“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”

According to Johansson, use of the same password reduces overall security.

“Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it,” Johansson said. “If I write them down and then protect the piece of paper–or whatever it is I wrote them down on–there is nothing wrong with that. That allows us to remember more passwords and better passwords.”

Security expert Bruce Schneier weighed in a month later agreeing that writing down passwords made perfect sense,

Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.

Personally, I prefer using programs that handle password management. Typically, the userids and passwords are stored securely in encrypted files that are accessed by a master password. It is much easier for me to memorize and secure a single password than it is to remember dozens of different ones.
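As an added example (not code from the original post or from any particular password manager), here is the core of what such a program does: a slow key-derivation function turns the single memorised master password into an AES-256-GCM key, the credential file holds only salt, nonce, ciphertext and authentication tag, and a wrong master password or a tampered file fails the tag check instead of yielding garbage. The iteration count and the sample entries are assumptions.

```ruby
require 'openssl'
require 'json'

# Slow on purpose: every guess at the master password costs this many
# HMAC-SHA256 iterations, which is what makes a stolen vault file expensive
# to attack. Assumed value; tune to the hardware the vault runs on.
KDF_ITERATIONS = 600_000

def derive_key(master_password, salt)
  OpenSSL::KDF.pbkdf2_hmac(master_password, salt: salt,
                           iterations: KDF_ITERATIONS, length: 32,
                           hash: 'sha256')
end

# Encrypt a hash of { account => { 'user' => ..., 'pass' => ... } } entries.
# Returns the only material the vault file needs to store.
def lock_vault(master_password, entries)
  salt  = OpenSSL::Random.random_bytes(16)  # fresh per vault
  nonce = OpenSSL::Random.random_bytes(12)  # fresh per encryption
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = derive_key(master_password, salt)
  cipher.iv = nonce
  cipher.auth_data = ''
  ciphertext = cipher.update(JSON.generate(entries)) + cipher.final
  { salt: salt, nonce: nonce, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the entries, or nil when the master password is wrong or the file
# was modified: GCM refuses to release plaintext whose tag does not verify.
def unlock_vault(master_password, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = derive_key(master_password, blob[:salt])
  cipher.iv = blob[:nonce]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = ''
  JSON.parse(cipher.update(blob[:ciphertext]) + cipher.final)
rescue OpenSSL::Cipher::CipherError
  nil
end
```

Because only the master password is memorised, it can be long and unique while every stored password is random and never reused.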

Sources:

Microsoft security guru: Jot down your passwords. Munir Kotadia, CNET News.Com, May 23, 2005.

Study: Workers often jot down passwords. Reuters, October 17, 2006.

1/3 of Workers Write Down Passwords. Ed Oswald, BetaNews, October 18, 2006.

This Should Help Creative Finally Beat Apple’s iPod

Creative has been trying hard to take away some of Apple’s market share in the portable MP3 player market. In the past it has focused on losing strategies like expanded marketing, ignoring the fact that its bloated product line is a serious problem in and of itself.

Now, Creative has apparently hit upon yet another winning strategy — using firmware upgrades to disable features of its players. According to a number of recent reports, Creative released firmware “upgrades” for two of its models that disabled the FM recording ability of the players. Beta News writes,

Specifically, the firmware change affects the company’s Zen MicroPhoto and Zen Vision:M players. In the release notes, Creative gives no reasoning for the change other than saying “this firmware removes your player’s FM recording feature.”

Creative pretty much refused all comment on the changes, but it is almost certainly an attempt to appease rights holders who have complained that FM recording features hurt CD sales.

This new direction should finally help Creative overtake Apple. Perhaps at some point Creative might want to add an electric shock feature that temporarily stuns users who try to play any file on their player not explicitly authorized by the RIAA. That should help Creative leave Apple in its dust.

Source:

Creative Zen Players Lose FM Recording. Ed Oswald, BetaNews, October 17, 2006.

Visa Disconnects AllofMP3.Com

After years of trying to get it shut down outright, the music industry seems to have scored a minor victory with Visa’s decision to suspend service to Russian music site AllofMP3.com. VISA International spokesman Simon Barker told CNET,

It’s [AllofMP3.Com] no longer permitted to accept Visa cards. The action we’ve taken is in line with legislation passed in Russia and international copyright law.

AllofMP3 countered that Visa International’s decision was “arbitrary, capricious and discriminatory.” Moreover, AllofMP3 continues to maintain that its business practices are completely legal in Russia, where it sells MP3s without the permission of copyright holders and pays a pittance in royalties to a Russian rights agency.

Since there are dozens of ways to download the exact same content, even if the Visa change is permanent, it’s at best a pyrrhic victory for the RIAA. Wow, I can’t buy music at AllofMP3 anymore — I guess I’ll have to go back to downloading it for free.

Sources:

Blacklisted AllofMP3 slams ‘capricious’ Visa and Mastercard. Drew Cullen, The Register, October 19, 2006.

Visa halts its service for allofmp3.com. Greg Sandovel, CNET News.Com, October 18, 2006.