I just read an article which quotes Jesper Johansson as saying that we should reverse the long-held truism that users should not write their passwords down for their own reference. Jesper is a well-respected (though often controversial) Security Heavyweight who has worked for Microsoft for some years. I know Jesper from events we both presented at such as TechEd Hong Kong and the New York Security Summit a year or so ago. I often read his advice and take it to heart, but this time I think we need to be less binary. I can see circumstances where you can make this case, but to just reverse the rule is reckless. We need training first and foremost. Have I seen a seasoned professional make this method of password tracking work? Yes, I have. But I have also seen users abuse the hell out of the loosening of such policies.
Silver bullets are few and far between in our space when it comes to security. We have trained most drivers to lock their car and carry the key along with them (don’t even attempt the keyless entry system argument, that is newish and doesn’t weaken my analogy). If you lock the key in your car or lose it then the world takes a healthy bite out of your convenience factor in terms of cost and delay. If we just trained users to take their passwords as seriously then I think we would be OK.
I recently returned from Huntsville, Alabama where I gave a talk on passwords for developers. The article cites systems that allow only weak (read short and limited character set) passwords to be used. The number of examples of this from the web is staggering so I won’t bother. We need to go after this problem as well. Developers (and managers) don’t get that there are brute force attacks against web site logins just like there are for PC Operating System logins. They are much more mature than most people think.
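To make the two developer-side points above concrete, here is an added example (mine, not code from the original post or from any system it mentions). The first function shows how a policy that caps length or character set shrinks the space an online guesser has to cover; the second part is a per-account sliding-window throttle that bounds how fast a web login can be guessed at. The account names, timestamps and threshold constants are all constructed for illustration.

```python
"""Illustrative login-hardening checks (added example, not from the original post).

1. policy_keyspace_bits: how much a restrictive password policy (short max
   length, small charset) caps password strength, regardless of the user.
2. LoginThrottle: a per-account sliding-window failure counter so that an
   online guesser cannot run at full speed against a web login.
All sample data and threshold values below are constructed for illustration.
"""
import math
from collections import defaultdict, deque


# --- 1. Policy keyspace -----------------------------------------------------

def policy_keyspace_bits(max_length: int, charset_size: int) -> float:
    """log2 of the number of passwords the policy permits (lengths 1..max_length).

    A small value here is what the post calls a weak policy: the system,
    not the user, caps how hard the password can be.
    """
    total = sum(charset_size ** n for n in range(1, max_length + 1))
    return math.log2(total)


# --- 2. Online guessing throttle ---------------------------------------------

class LoginThrottle:
    """Sliding-window failure counter, keyed per account.

    After `max_failures` failed attempts within `window_seconds`, further
    attempts on that account are refused for `lockout_seconds`, even if the
    supplied password would have been correct.  Constants are hypothetical.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # account -> timestamps of failures
        self._locked_until = {}               # account -> time the lock expires

    def _prune(self, account: str, now: float) -> None:
        """Drop failures that have aged out of the sliding window."""
        q = self._failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def attempt(self, account: str, now: float, password_ok: bool) -> str:
        """Return 'locked', 'allow' or 'deny' for one login attempt."""
        if self._locked_until.get(account, -1) > now:
            return "locked"                    # refused without checking the password
        self._prune(account, now)
        if password_ok:
            self._failures[account].clear()
            return "allow"
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
            return "locked"
        return "deny"


def replay(attempts, throttle=None):
    """Run a sequence of (account, timestamp, password_ok) through a throttle."""
    throttle = throttle or LoginThrottle()
    return [throttle.attempt(acct, t, ok) for acct, t, ok in attempts]


# Constructed sample: 'alice' is being guessed at, 'bob' mistypes once.
SAMPLE_ATTEMPTS = [
    ("alice", 0, False), ("alice", 10, False), ("alice", 20, False),
    ("alice", 30, False), ("alice", 40, False),   # 5th failure -> account locked
    ("alice", 50, True),                          # correct password, still refused
    ("bob", 55, False), ("bob", 60, True),
]

if __name__ == "__main__":
    print(f"6 chars, a-z only : {policy_keyspace_bits(6, 26):.1f} bits")
    print(f"12 chars, 95 syms : {policy_keyspace_bits(12, 95):.1f} bits")
    for (acct, t, ok), decision in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(f"t={t:>3} {acct:<6} ok={ok!s:<5} -> {decision}")
```

The keyspace figure is the ceiling imposed by the policy alone; a real user picks from a much smaller set, which is why the throttle matters more than the policy in practice. Refusing a correct password during the lockout is deliberate: otherwise the guesser learns the right answer on the very attempt that should have been blocked.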
My bottom line is that I don’t think you can make a blanket statement about something this nuanced and varied by group. I give credit to Jesper for saying shocking things to promote the debate (he has accomplished that), but I can’t buy in that we have a new and diametrically opposed truism to our old and long-held one that users should not write down their passwords.