Source: Information Week

Flying in the face of convention, a security expert is now telling users to write down passwords and stick the slip of paper in their wallets.


Such advice flies in the face of long-running counsel to not put passwords on paper. But security guru Bruce Schneier -- who is also the founder and chief technology officer of Counterpane Internet Security -- told users to forget the old advice.

"People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier wrote in his online security newsletter.

"We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper -- in their wallet."

To account for a lost wallet, Schneier urged users to finesse the paper record by writing "bank" rather than the bank's URL, or by omitting a username.

"Writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he said.

Now here's what kills me about this: a month or so ago one of Microsoft's VPs said the same thing but said to keep it in a secure location, like a vault or locked desk. This makes sense since this is a practice already done with many admin passwords. Writing it down and keeping it in the wallet seems more insecure and problematic. It's very likely that the user name will be used over again or will be written down so as to match the password, particularly if the user has many accounts and passwords to begin with.

I was rather shocked that Schneier is the one suggesting this but...