Tuesday, January 2, 2007

"Never write down passwords"

Does anybody know when this security tenet began? It reminds me of TSA gibberish such as taking off one's shoes to keep people secure. "Never write down passwords" made sense ten years ago, when you had one or two passwords, each 4 characters long.

It's not as easy when more and more passwords accumulate in a person's head. There's nothing wrong with writing these passwords down; the problem is doing it insecurely. The entire slogan boils down to awareness. It seems every security program out there recommends not jotting down the dreaded secret you keep in your mind. When did awareness programs stop being honest and practical? Were they ever?

Do I advocate passwords on sticky notes? Don't be silly. But I do think it's not an all-or-nothing idea. These awareness programs need to explain how to keep passwords documented securely (keeping them in safes, keeping them on your person, etc.) and start being realistic. This "never write down passwords" mantra just makes everyone look like a zealot and accomplishes very little. Stupid.

