[Cryptography] Of writing down passwords

Dennis E. Hamilton dennis.hamilton at acm.org
Mon Sep 22 23:12:33 EDT 2014


<orcnote> below

-----Original Message-----
From: Abe Singer
Sent: Monday, September 22, 2014 16:36
To: cryptography at metzdowd.com
Subject: Re: [Cryptography] Of writing down passwords

[ ... ]

The dogma against writing down passwords is one of the worst things that
security practitioners have continued to promulgate, and by "worst" I
mean in terms of impact on effectiveness of security (second only to use
of firewalls, but that's not a crypto discussion).  To tell users that
they have to have a password that by definition is hard to remember, but
they're not allowed to write it down, goes against all usability notions,
and invites the crappy password choices that really do cause problems.

[ ... ]

My goal is to have a policy that has my users getting one really strong
password that they never have to change, and they're allowed to write it
down and keep it in a reasonably safe place.

<orcnote>
	Bruce Schneier, for one, has been quite happy to recommend
	non-memorable and written-down passwords.  I think the mantra
	about no-writing-down comes from the practice of folks using
	a Post-It note with their password on the face of their
	workstation terminal.

	Having said that, I completely concur with Abe's goal.
</orcnote>

_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
