While sitting outside the Principal's office, David Lightman, the main character of that classic 80's gem, WarGames, cautiously slides open a panel on a nearby computer desk to reveal a list of words. The last word on the list, "pencil," is the only one that isn't crossed out, which David understands to be the newest password to the school's grading system and a shortcut to an easy "A." While David goes on to save the world from thermonuclear destruction[DL1] , the movie took time to make a point - writing down passwords was a bad security practice in 1983, yet this practice continues to this day. [DL2]
As an auditor, I've seen the stigma and shame cast on a user when the keyboard was lifted up, the mouse pad moved, or the drawer opened to reveal that bright, yellow sticky note. You know the one. You might even be imagining the spot where you keep yours (Auditor Security Tip: go take care of this ASAP!). We know this isn't the most secure solution, yet so many of us continue to use it.
When it's audit time and we find out that users are choosing convenience over security, we shame them, we re-train them, and just maybe, depending[DL3] on the user and how many times they've been guilty of this heinous crime in the past, consider terminating their position. But can the next person in line really do any better? Will they be inherently better disciplined or have greater security awareness? Often, we think having better employees instead of better security practices will solve our problems and protect us. The "do better" and "try harder" approach likely won't be very effective here. As long as we have passwords, we'll have this problem – we are fighting human nature after all. Even so, there are some things that you may consider implementing to help keep passwords off of paper.
Passphrases – Did you know this sentence could be your "password?" Yes, it's true! It doesn't even have to be a sensical sentence; four random words with spaces (tablet paint metal corner) is an excellent framework for generating passphrases. The benefits are two-fold: First, any phrase will typically be longer than any lone word (plus some numbers), which inherently makes the string more difficult to crack or guess. Second, passphrases are arguably easier to remember (and type!) than a word accompanied by a mixture of complexities (P@ssW0rD2o19!#?). Just steer clear of common phrases or song lyrics, which could be guessed or may appear in cracking tools like rainbow tables.
Password Expiration Length – This is currently a bit of a hot topic, with Microsoft[i] recently proposing to drop password expiration policies from their recommended baselines. [DL4] Research[ii] has shown there is a correlation between the frequency users are required to change their passwords and users writing down passwords (or choosing weak password and other bad practices). It's difficult to recommend, from an audit perspective[DL5] , anything greater than the typical 30 to 90 day expiration policies without any mitigating factors in place, such as the use of passphrases[DL6] , banned password lists, multi-factor authentication, frequent user training, etc. However, institutions and organizations with strong mitigating controls may consider it, following a risk assessment and building a case of evidence to support a decision in the face of any examiner questioning.
Password Managers – People write down their passwords because they need them for things that are important, such as doing their job. If they forget, they can't do said job and will face consequences. Additionally, we don't just have a single password to remember anymore. One company found[iii] that the average business user is responsible for 191 passwords! When faced with these circumstances, it's no wonder people write things down. That's why password managers are great. Reputable ones (LastPass, Keeper, etc.) offer a secure place to store passwords that is also easily accessible. The idea is that you have one strong password to access your vault, which allows access to the rest of your passwords. Most password managers also have tools to generate strong passwords on the fly and browser extensions that can auto-fill password info. Businesses will want to implement managed versions of these tools that can revoke user vault access for terminated employees.
One day the traditional password will be dead. Until then, the instinct to write passwords down will be strong – but these recommendations can help! And that's a good thing because you never know when weak password practices could allow a teenage hacker to change their grade, or, even worse, a proto-artificial intelligence, to start thermonuclear war!
[i] https://blogs.technet.microsoft.com/secguide/2019/04/24/security-baseline-draft-for-windows-10-v1903-and-windows-server-v1903/
[ii] https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
[iii] https://blog.lastpass.com/2017/11/lastpass-reveals-8-truths-about-passwords-in-the-new-password-expose.html/