Tuesday, December 20, 2005

Password Strength Guidance Redux

Microsoft's Stephen Toulouse corrects my inference that the company's guidance on passwords is conflicting and offers some thoughts of his own on the issue:

"No one should be saying 'always write your passwords down', just as no one should be saying 'never write your passwords down' because there is no absolute guidance for all users on that point. You have to pick what works for you, balancing the risks in creating complex passwords. If you have no need to keep a password system in your head, then it makes sense to write things down if that's the only way you can do complexity. Just be aware that while you are reducing your risk of a single password being cracked and compromising everything, you are increasing your risk that anyone who finds the paper (or papers if you are smart) has the complete keys to the kingdom. If you take careful enough precautions with the paper then on the balance writing it down can carry less risk because of the gain in randomness and complexity."

On a related note, I don't think Microsoft's password strength checker is working properly. It's telling me that passphrases of more than 50 characters are 'weak' passwords.