Write your passwords down

A heretical thought on password management for the home user


TL;DR: If users can’t or won’t use single sign-on, two-factor authentication or password vaults, then writing passwords down is a viable alternative.

While passwords are dead by every account, a technological solution to verifying a user’s identity that is long past its prime, we still don’t have a universally accepted or implemented alternative, which means we’re still stuck with passwords and still need to handle them properly.

As far back as I can remember I’ve always told users, at home or at work, to never write their passwords down, to help protect against someone learning their password and gaining access. It’s advice that I learnt almost by rote and it’s a firmly established part of the information security orthodoxy; it is almost always paired with the advice to not reuse passwords (either in different places or across time), to change your password often and to make them complicated. This quadriptych of password-related advice is all designed to help users protect access to their accounts by reducing the likelihood of someone else learning or guessing the secret set of letters.

Inside the corporate world, where users can access most of their work resources, if not all of them, with a single account, those three pieces of advice are doable. In fact, inside the walls of a corporation where policies, legislation and regulation rule the day, this advice becomes mandatory. Legislation like Sarbanes-Oxley requires proof positive of the effectiveness of financial controls, and the possibility of more than one person accessing a computer account is a non-starter for protecting the integrity of financial data.

Outside the walls of a corporation, where policies don’t rule the day and where online services, both professional and personal, are proliferating faster and faster, this advice is hard to live by for most users as they have dozens of accounts. As the number of accounts increases, most users resort to using the same password in different places, and unfortunately it’s only a matter of time before a criminal hacker breaks into one of those hapless websites and steals your password, along with many others, from a supposedly (but often not) secure database. With most online services requiring your email address as the user name for your login, the exposure of a common password could result in much of your digital life being compromised.

Sure, there’s single sign-on, where you can use your Facebook, Google+ or some other account to sign in to various services, but not every website integrates with them; most importantly, your bank and your government service accounts will probably never have a “log in with” your favourite social network button anywhere on their websites.

Password vaults are the best technical option, and most web browsers (and operating systems) provide an integrated tool to help store hundreds of passwords securely, all protected by one master password, but that doesn’t help if you use different computing devices throughout the day. There are open source and cloud based solutions for password vaulting that solve these problems, but their adoption rate is abysmally low relative to the total user population on the Internet; about 1 in 10000 if download rates are any indicator for two of the more popular solutions (Keepass and Lastpass). Even if a user does use a password vault, the bad practices still persist, because placing the password in a vault typically comes after the act of signing up for the account and creating the password; it’s not an integrated experience for most and is disruptive to the user experience. It’s frustrating for most people and I’ve witnessed time and again even technically proficient users succumbing to bad practices and eventually abandoning their vault. It takes a zealous mindset to make it work. The perfect technical solution, in which a user does nothing, installs nothing, pays nothing, can automatically log in from anywhere on any device and is automatically prevented from reusing passwords, doesn’t exist at this time.


XKCD says it best…

Image property of XKCD - http://xkcd.com/936/


There are other tricks such as passphrases (using a set of memorable words) and simple mnemonics (varying passwords in some formulaic way based on the website name or some other attribute); the former doesn’t scale any better (a dozen passphrases are only slightly less hard to remember than a dozen passwords) and the latter is only slightly less bad than a shared password if the mnemonic is easily deducible (“the password was bobFacebook… I wonder what Bob’s password for Gmail is?”).

Two-factor authentication, in which you use something in addition to your password, like a frequently changing secret number on your smartphone, neatly solves the problem, except for the prerequisite that you own a smartphone (your great uncle Stanoslav doesn’t even have a simple feature phone) and, again, that the website has integrated the technology. Unfortunately most internet sites haven’t integrated two-factor authentication yet, and it’s always opt-in for the user. Google has offered opt-in two-factor authentication since early 2011; Dropbox, with its 100 million users, only added two-factor authentication in 2012 after a security breach became public.

So while we wait for that perfect solution, we can educate on the virtues of passphrases and encourage the use of single sign-on, two-factor authentication and password vaults, but if none of that takes hold as part of the user’s normal routine then maybe it’s time to fall back to an old favourite that goes against security orthodoxy. We could be telling home users that it’s okay to write passwords down on a piece of paper; they can easily maintain a list of unique passwords that are longer and more complex than human memory allows for. It’s certainly not acceptable to do this at work, and there is a risk that someone getting access to the paper gets the keys to your digital life, but in the home environment you’re likely to have more control over your physical surroundings than in your office.
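Two of the claims above can be made concrete with a little arithmetic and a small audit: the passphrase and mnemonic discussion (why “bobFacebook” buys you almost nothing over a shared password) and the point that a written-down list can hold passwords far stronger than anything memorised. The code below is an added example written for this post, not code from the original article; the 2048-word list size follows the XKCD 936 comic referenced above (four words at 11 bits each is the comic’s “~44 bits”), the 7776-word figure is the size of a standard Diceware list, the 72-character alphabet is an assumption, and the site/password pairs are constructed sample data.

```python
import math
import secrets
import string
from collections import defaultdict

XKCD_WORDLIST = 2048            # XKCD 936 assumes a ~2048-word vocabulary (11 bits per word)
DICEWARE_WORDLIST = 7776        # a standard five-dice Diceware list (6**5 words)
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"   # assumed 72-symbol alphabet


def passphrase_entropy_bits(words: int, wordlist_size: int = XKCD_WORDLIST) -> float:
    """Bits of entropy in a passphrase of `words` words picked uniformly at random."""
    return words * math.log2(wordlist_size)


def random_password_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a `length`-character password picked uniformly from the alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """A password meant to be written down, not remembered: CSPRNG output with no pattern,
    so there is nothing to deduce from it even if another of the user's passwords leaks."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit_password_list(entries):
    """Audit a list of (site, password) pairs the way a vault or a paper list should be checked.

    Returns (reused, derived):
      reused  - passwords used verbatim on more than one site
      derived - site-name mnemonics: passwords that collapse to the same stem once the
                site name is removed, so one leak reveals the formula for the rest
    """
    by_password = defaultdict(list)
    for site, pw in entries:
        by_password[pw].append(site)
    reused = {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

    by_stem = defaultdict(set)
    for site, pw in entries:
        if site.lower() in pw.lower():
            by_stem[pw.lower().replace(site.lower(), "")].add(site)
    derived = {stem: sites for stem, sites in by_stem.items() if len(sites) > 1}
    return reused, derived


# Constructed sample list: two mnemonic-derived passwords, one shared password, one random one.
SAMPLE_ENTRIES = [
    ("facebook", "bobFacebook"),
    ("gmail", "bobGmail"),
    ("bank", "Summer2013"),
    ("shop", "Summer2013"),
    ("gov", "q7!Rm2_xP9kL#eW4zN8a"),
]

if __name__ == "__main__":
    print("4-word XKCD passphrase: %.1f bits" % passphrase_entropy_bits(4))
    print("4-word Diceware passphrase: %.1f bits" % passphrase_entropy_bits(4, DICEWARE_WORDLIST))
    print("20-char random password:  %.1f bits" % random_password_entropy_bits(20))
    reused, derived = audit_password_list(SAMPLE_ENTRIES)
    print("reused:", reused)
    print("mnemonic-derived:", derived)
    print("fresh password for the list:", generate_password())
```

Run against the sample list, the audit flags `Summer2013` as shared between two sites and reports that `bobFacebook` and `bobGmail` share the stem `bob`, which is the deducibility problem the text describes. The entropy figures make the other point: a memorable four-word passphrase lands around 44 to 52 bits, while a 20-character random string on paper is over 120 bits, and the paper never forgets it.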

While writing passwords down isn’t ideal, it is better that users have many strong passwords than remember one single weak password and use it everywhere.
