When I first read this article from Munir Kotadia about Microsoft's senior program manager Jesper Johansson advising users to write down their passwords, I thought my eyes were deceiving me. In fact, I'm surprised that Johansson is even permitted to represent Microsoft, given that Bill Gates has declared the death of the password in favor of Smartcard cryptographic tokens or OTP (one-time password) token technology such as RSA's SecurID. NIST gives Smartcards and OTP tokens the highest ratings for secure authentication. What Johansson is saying about password security seems to fly in the face of what the Microsoft campus at Redmond is actually doing with Smartcards to consolidate physical building access and computer authentication into a single physical token. I personally can't wait for the demise of the password and the adoption of a universal strong token-based authentication standard that could grant access to everything from your car to your bank account to your corporate network.
Johansson not only evangelized the practice of writing down a complicated single-use and single-factor password for "better security", but went further to criticize two-factor authentication by saying that some people were taping PINs to their RSA SecurID tokens. The truth of the matter is, a password can be copied or memorized by an unauthorized person without any indication, and therefore constitutes a secret breach of security that can go on indefinitely and lead to many more secret breaches. On the other hand, the theft of a Smartcard or OTP token, at worst (if the thief can also steal the PIN and/or user password), will only grant very temporary access until the token is discovered missing and is revoked. Any usage of the token after the time of theft would alert IT to unauthorized access and would also indicate the theft of the user's password, forcing an immediate revocation of the token and an immediate password change. There is no way to know if and when a password has been copied or memorized by someone else; whereas you will always know when a token has been stolen, since its legitimate owner will call the helpdesk the minute he can't get to his email. If anything, this makes the case for simple multi-use passwords combined with physical tokens, since users will not need to write down a simple password. A hacker with a stolen token will not be able to guess even a simple four-character alphanumeric password in a reasonable amount of time, since it would take an average of over 800,000 manual guesses to break into the system, and the token would have long since been revoked.
As an IT consultant who travels from company to company, working on the most sensitive network and server infrastructures, I can't tell you how many times I've been handed a master list of passwords for all the servers, routers, switches, and firewalls simply because that is the only way I can work on the systems. It's almost inevitable that multiple administrators and consultants will know all of the most sensitive passwords, which will most likely never be changed due to the disruption that would occur. Tokens, on the other hand, can be granted permissions and revoked on the fly without any sharing of secret keys, and they can seamlessly grant secure access to multiple systems within multiple companies. Passwords have long been obsolete, and no fancy policy is ever going to make them any more secure. It doesn't matter whether the password is encrypted or not, since at some point you'll have to decrypt it to use it, and all it takes is a keylogger to defeat the most complex password in the world. Smartcards and RSA tokens have no such problem, since there is no way to copy them without physically stealing them and triggering an alert. It's shocking that someone this high up in rank at Microsoft has such a poor grasp of authentication theory and is taking such a great leap backwards while the rest of his company moves forward.