Uninformed: Informative Information for the Uninformed

Vol 7» 2007.May

Write Down Passwords

During the AusCERT 2005 information security conference, Jesper Johansson, Senior Program Manager for Security Policy at Microsoft, suggested[2] reversing decades of information security best practice of not writing down passwords. He claimed that the method of password security wherein users are prohibited from writing down passwords is absolutely wrong. Instead, he advocated allowing users to write down their passwords. The reasoning behind his claim is an attempt at solving one of the problems mentioned previously: when users are not allowed to write down their passwords they tend to choose easy to remember (and therefore easy to crack) passwords. Johansson believes that allowing users to write down their passwords will result in more complex passwords being used.
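The trade-off Johansson is pointing at (memorable passwords are also the ones a guesser reaches first) can be made concrete with a small checker of the kind a login system or password-change hook would run. The code below is an added example written for this page, not code from the Uninformed article or from Johansson; the common-password list and the test passwords are constructed sample data, and the 60-bit threshold and 12-character minimum are assumed policy values, not figures from the article.

```python
import math
import string

# Constructed sample of "memorable" passwords; a real deployment would load a
# breach-derived list, which is far larger. Labelled as constructed sample data.
COMMON_PASSWORDS = {"password", "letmein", "welcome", "qwerty", "monkey", "dragon"}

# Assumed policy values for this example (not from the article).
MIN_LENGTH = 12
MIN_BITS = 60


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attacker would have to cover,
    inferred from the character classes actually present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on guessing work (in bits) for an attacker who knows only the
    length and character classes. Real passwords built from words are much
    weaker than this bound, which is exactly why the dictionary check exists."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def normalize(pw: str) -> str:
    """Undo the mangling users apply to make a word 'comply': lowercase it, drop
    trailing digits/symbols (the classic 'password1!'), then reverse the common
    leetspeak substitutions so 'P@ssw0rd' collapses back to 'password'."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    leet = str.maketrans("0134@$!", "oleaasi")
    return base.translate(leet)


def assess(pw: str) -> dict:
    """Return the policy findings for a candidate password.
    An empty findings list means the password is acceptable under this policy."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(pw) in COMMON_PASSWORDS:
        findings.append("dictionary word with trivial mangling")
    bits = brute_force_bits(pw)
    if bits < MIN_BITS:
        findings.append(f"brute-force keyspace only ~{bits:.0f} bits")
    return {"password": pw, "bits": round(bits, 1), "findings": findings,
            "acceptable": not findings}


if __name__ == "__main__":
    # Constructed test inputs: two "memorable" choices and one that a user would
    # realistically have to write down or store in a password manager.
    for candidate in ("monkey", "P@ssw0rd1", "Tq7#kLm2Pv9!Rz"):
        result = assess(candidate)
        print(f"{candidate!r:>18}: {result['bits']:>5} bits  "
              f"{'OK' if result['acceptable'] else '; '.join(result['findings'])}")
```

The point the output makes is the one the paragraph argues: `P@ssw0rd1` satisfies a naive "all four character classes" rule yet normalizes straight back to a dictionary word, while the password that survives the checks is the one nobody will remember unaided. Whether that password then lives on a sticky note or in a password manager is the policy question the article goes on to discuss.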

While Mr. Johansson correctly identifies some of the problems of password security, his approach to solving these conundrums is not only short-sighted but also incomplete. His solution relieves users of having to remember multiple complex passwords, but it also creates the aforementioned insecure scenarios regarding written passwords, which are inherently less secure physically and prone to requiring administrative reset when the written copy is lost.