I'm a bit ambivalent on the issue myself. On the one hand we've all seen morons who stick important passwords on a post-it note on the side of their office monitor. This is obviously very bad. But I've come to think that on balance, the traditional "never write it down anywhere, under any circumstances" advice does more harm than good. It encourages chosing of weak passwords (because the user is afraid of forgetting the password), discourages password updating (same reason), encourages sharing of passwords between different systems (user can't remember more than one) and increases the frequency of administrative password resets (which facilitates social engineering).

All of these are real world problems that are at least as severe, if not more so, than the post-it-note-on-monitor problem. So nowdays, I suggest a password caching program to savvy users, while I tell less savvy users to write it down - but treat it like a blank, signed cheque until it's comfortably memorised, then burn it.

I personally use both methods - I use a password cacher for most passwords, but some I use so often that the password cacher is inconvenient. For the monthly updates of those, I keep a camouflaged copy in my wallet until I have memorised them (usually about two days).

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/220/25094#25094