It has always been thought of as IT security suicide, but letting employees write down their passwords is not such a bad idea, according to a leading security expert.
Speaking at a technology conference in Australia, Jesper Johansson, senior program manager for security policy at Microsoft, said the IT industry had been giving out the wrong advice to workers by telling them not to write down their passwords.
“How many have password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of delegates raised their hands in agreement.
“I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them,” he said.
According to Johansson, use of the same password reduces overall security.
“Since not all systems allow good passwords I am going to pick a really crappy one, use it everywhere and never change it,” he said. “If I write them down and then protect the piece of paper – or whatever it is I wrote them down on – there is nothing wrong with that. That allows us to remember more passwords and better passwords.”