Security Heresy: Write Down Your Password
I keep telling my users to choose strong, easy-to-remember passwords, and never, ever to write them down. Why do I say this? Because today, while reading Watchguard Wire, I stumbled on an article pointing to a guy who has a different point of view on that whole "keep your password secure" business. And I hate to admit it, but he does score some points with his arguments. Only a few, though.
You've got thousands of dollars worth of stuff in your pockets, or your purse. Seriously. You're carrying keys to your eight-year-old Honda, which is worth about $5,000. Your credit cards could bring in thousands of dollars for a crook. You're carrying the keys to the house where your family sleeps. It's hard to put a price on that. Do any of your passwords really need more security than your pocket provides? (Source: The Security Mentor)
The points that Frederick makes in his post are mostly right. Writing a strong password on a piece of paper and keeping it in your wallet is a good way of keeping it secure, but I see one problem with this: human nature. Some people will never forget to put their little piece of paper back in their wallet, but a good proportion of them will keep leaving it on their desk for a few days at a time. For all to see. After a while, the "reminder" will simply migrate back under the keyboard, where the user kept it before having the brilliant idea of putting it in his wallet.
To my mind, there's really only one way to truly secure a system: implement a two-factor authentication scheme.
An authentication "factor" is one of these three fundamental things:
- Something you have (e.g. a smart card, or a secure ID token)
- Something you know (e.g., a user ID and a password)
- Something you are (e.g., a fingerprint, or the tone of a voice)
So, what is YOUR position on this? To write down or not to write down your password, that is the question.