This week saw a flurry of articles on an alleged security risk — 1/3rd of workers in a survey said they write down their passwords in one form or another. Nucleus Research and KnowledgeStorm, which performed the survey, portrayed this as a serious security problem and recommended biometrics and other security methods.
According to ZDNet,
“This [writing down passwords] is really a lot like mom and dad buying a great new security system for the house and junior leaving the combination under the door mat,” said David O’Connell, senior analyst at Nucleus Research.
Couldn’t disagree more. Writing down passwords is, in fact, the best way to deal with the need to a) maintain secure passwords that are not easily subject to brute force or dictionary attacks, and b) the need to maintain passwords for multiple systems.
Personally, I have userids and passwords to 50-60 accounts. Now maybe Mr. O’Connell has a photographic memory that allows him to remember at an instant the userid and password to dozens of accounts, but most of us don’t quite have that skill.
There are two ways people deal with this. One is to compromise the security of the accounts by using an insecure password that is easily circumvented by a determined attacker, or people tend to pick one secure password and use that over and over again for numerous systems.
Microsoft’s Jesper Johansson railed against polices against writing down passwords last year,
“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”
According to Johansson, use of the same password reduces overall security.
“Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it,” Johansson said. “If I write them down and then protect the piece of paper–or whatever it is I wrote them down on–there is nothing wrong with that. That allows us to remember more passwords and better passwords.”
Security expert Bruce Schneier weighed in a month later agreeing that writing down passwords made perfect sense,
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We’re all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet.
Personally, I prefer using programs that handle password management. Typically, the userids and passwords are stored securely in encrypted files that are accessed by a master password. It is much easier for me to memorize and secure a single password than it is to remember dozens of different ones.
Sources:
Microsoft security guru: Jot down your passwords. Munir Kotadia, CNET News.Com, May 23, 2005.
Study: Workers often jot down passwords. Reuters, October 17, 2006.
1/3 of Workers Write Down Passwords. Ed Oswald, BetaNews, October 18, 2006.
