Original URL: http://www.theregister.co.uk/2005/07/19/password_schneier/
Write down your password today
No-tech solution to security conundrum
Posted in Security, 19th July 2005 13:53 GMT
Security guru Bruce Schneier has backed calls from Microsoft's Jesper Johansson urging [1] users to write down their passwords. In years gone by, scribbling down passwords on Post-It notes was often cited as a top security mistake, but the sheer volume of passwords people are obliged to remember means they often use easily-guessed login details, another security faux pas. Schneier - well known for his original thinking and ability to apply common sense to security issues - advocates a low-tech solution to the password conundrum.
"People can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down," Schneier writes in his latest Cryptogram newsletter [2].
Using a password database (such as his own free PasswordSafe [3] utility) is one option. But Schneier is also enthusiastic about a much more low-tech approach - think of difficult-to-guess passwords, write them down and keep them on a bit of paper in your wallet.
"We're all good at securing small pieces of paper. I recommend that people write their valuable passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet," he writes.
The technique could be modified for a little extra security. "Obscure it somehow if you want added security: write 'bank' instead of the URL of your bank, transpose some of the characters, leave off your userid. This will give you a little bit of time if you lose your wallet and have to change your passwords. But even if you don't do any of this, writing down your impossible-to-memorize password is more secure than making your password easy to memorize," he concludes. ®
Related stories
Fight fraud not ID theft [4]
Banks 'wasting millions' on two-factor authentication [5]
Americans are pants at password security [6]
Passwords? We don't need no stinking passwords [7]
Women are crap with PIN numbers - shock survey [8]
Links
- [1] http://tinyurl.com/8tuz3
- [2] http://www.schneier.com/crypto-gram-0507.html#7
- [3] http://www.schneier.com/passsafe.html
- [4] http://www.theregister.co.uk/2005/04/28/id_fraud/
- [5] http://www.theregister.co.uk/2005/03/15/2-factor_auth_is_pants/
- [6] http://www.theregister.co.uk/2005/05/06/verisign_password_survey/
- [7] http://www.theregister.co.uk/2005/02/16/rsa_consumer_survey/
- [8] http://www.theregister.co.uk/2004/12/14/pin_security_survey/
