
Thread: Can't Recall Passwords? Write Them Down

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Can't Recall Passwords? Write Them Down

    Source: Information Week

    Flying in the face of convention, a security expert is now telling users to write down passwords and stick the slip of paper in their wallets.



    Such advice flies in the face of long-running counsel to not put passwords on paper. But security guru Bruce Schneier -- who is also the founder and chief technology officer of Counterpane Internet Security -- told users to forget the old advice.

    "People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier wrote in his online security newsletter.

    "We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper -- in their wallet."

    To account for a lost wallet, Schneier urged users to finesse the paper record by writing "bank" rather than the bank's URL, or by omitting a username.

    "Writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he said.
    Now here's what kills me about this: a month or so ago one of Microsoft's VPs said the same thing but said to keep it in a secure location, like a vault or locked desk. This makes sense since this is a practice already done with many admin passwords. Writing it down and keeping it in the wallet seems more insecure and problematic. It's very likely that the user name will be used over again or will be written down so as to match the password, particularly if the user has many accounts and passwords to begin with.

    I was rather shocked that Schneier is the one suggesting this but..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Senior Member
    Join Date
    Jan 2004
    Posts
    195
    Write down my passwords and keep it with me....

    what???? is wheel coming to full circle? or what we say history is about to get repeated???
    gosh i can't even find a proper reply
    It's all about sense of power.

  3. #3
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Let's take this to the next possible conclusion: write them on a piece of paper and tape it to your computer

    Sounds like something Bill Gates would suggest as a security measure at Microsoft

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    My only response to that article and that concept (two actually): "Whodathunkit?" and "DUH!". Okay, sorry.. I'm done now.
    Space For Rent.. =]

  5. #5
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Agreed it isn't the most secure way to remember your passwords..but let's give it a thought shall we? A lot of people..including me, think of their wallet as sacred and off limits to other people...hence..the wallet to me would be the equivalent of a vault or safe? well, not exactly..but you get my drift....it'd definitely lead to greater security than taping it to the keyboard..which is pretty much the norm :P

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    Hi therenegade,

    Sorry...but obviously you've been involved with the wrong women ....errr....right women....take your pick ...every woman I've ever known loves to go through wallets...it's the last place I'd put something that's supposed to be a secret.

    Eg

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    it'd definitely lead to greater security than taping it to the keyboard..
    Not by much. Especially given the way people are in public. I went for sushi today and listened to a group yapping about work. One guy was on his Blackberry and leaving it in public view. I've seen people leave their wallets open after taking out their credit cards. Any sticky notes, which often lose their "stickiness" in a hot wallet, tumble out, unbeknownst to the wallet owner. Personally, IMO, it leads to slack security views and a false sense of security.

    Either do it all or not at all. Half-assed security doesn't help.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    Eg,
    Next time they say or try to do that...tell 'em that you'll go through their purse/handbag...works like a charm
    MsMittens...agreed,but as you said..the comment was dumb to make lol,just trying to see whether he might've meant it in some other way,I like to think things from both points..dumb as I am

  9. #9
    Maybe his point is more that no matter what you tell them to not write it down they are going to anyway. So, by telling them to write it and put it in their wallet at least they are not writing it down and putting it on their monitor or under their keyboard as they normally would.

    I'm just wondering now. What happens when the user has to change their password monthly as they do in my organization? We all know how things like to build up in our wallets. Seems like more of a hassle than a solution.
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  10. #10
    Member
    Join Date
    Jul 2005
    Location
    Ohio
    Posts
    30
    The_Captain: most people alternate between a small set of passwords anyway. I know a large majority of friends I (think I) have told me they just switch between 2 passwords (unless there is a time restriction on repeating passwords.. then they use a larger cache of passwords). So most people would either write them on the same paper or have a small amount of papers.

    I have the ultimate idea: get a tattoo of your password(s). That is safe and secure, especially if it's in a "private" area. I can just picture it now..

    "Hey Frank, I forget my password. What's my left cheek say?" or a guy forgets his password and looks to his crotch for help.
    I'm 128 bits of awesome packed into a 64 bit address space.
