Sunday, March 21, 2010

Write down your password!


Do you have many passwords? How many of them are you able to remember? Do you use the same password across different systems and services? Do you use the same password at work as you do at home - and on Facebook? Write them down - and security will be improved.

It is about time that someone here in Norway speaks up and encourages people to write down their passwords. Although I have more than 150 passwords and PINs, and even though passwords are a "passion" of mine, there is no chance I can remember them all. So I have written them down, almost all of them. Not only that, I have them stored on my computer too. (The details on that will come in my next post.)

As long as we need to use passwords and PINs, the best option will be remembering them (I think most security experts will agree on that). However, during my approximately 9 years of "research" on passwords, I have long recognized that requiring or recommending that anyone remember all their passwords just does not work in real life. (A big "thank you" to my mom, sisters, family, friends, colleagues and others who have all aided me in realizing that.)

Requiring or recommending unique passwords per system or service, and expecting people to remember them all, does not work. It certainly doesn't get better when those passwords must be changed at 60-90 day intervals. Norwegian banks require their customers never to write down their passwords or PINs, a requirement I think is highly unreasonable. The result is that customers probably use the same password "everywhere", write them down, and never change them (unless they are forced to). Ironically, banks (and card issuers) send passwords and PINs to us on paper, in sealed envelopes, by mail, and in many cases they don't allow us to change them.

So write down your passwords!
The explanation is simple. Really simple. You create a good (= long) and unique password for every service you've signed up for, and write them down on a piece of paper, in a notebook or the like. Leave it by your computer at home or in a locked drawer at work. Who, and how many people, have physical access to it? 2, 5, maybe 10 people? In any case they will probably be people that you trust just a little bit more than strangers across the globe, on the Internet.
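The "good (= long) and unique" requirement above is easy to get wrong when passwords are invented by hand, so here is an added example (not code from the original post) that generates one uniformly random, per-service password with Python's `secrets` module and shows the entropy difference between a short reused password and the long unique ones the post recommends. The character set and the sample service names are assumptions of this example, not taken from the post.

```python
import math
import secrets
import string

# Alphabet assumed for generated passwords: letters, digits and a few punctuation
# marks that most services accept (an assumption of this example, not from the post).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a fresh password drawn uniformly at random with the secrets module."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_list(services, length: int = 20) -> dict:
    """Build the per-service list to be written down: one unique password each."""
    return {service: generate_password(length) for service in services}


def format_list(passwords: dict) -> str:
    """Render the list as plain lines, ready to be copied onto paper."""
    width = max(len(s) for s in passwords)
    return "\n".join(f"{s.ljust(width)}  {p}" for s, p in passwords.items())


if __name__ == "__main__":
    # Compare a short reused password with the long unique ones recommended above.
    print(f"8 chars, lowercase only  : {entropy_bits(8, 26):5.1f} bits")
    print(f"20 chars, {len(ALPHABET)} symbols    : {entropy_bits(20, len(ALPHABET)):5.1f} bits")
    # Constructed sample service names, not the author's own list.
    print(format_list(password_list(["bank", "work email", "home pc", "facebook"])))
```

The entropy numbers make the post's point concrete: an 8-character lowercase password has under 40 bits of entropy and is within reach of anyone on the Internet who can run a guessing attack against a leaked hash, while a 20-character random one has well over 100 bits and only needs to be protected against the handful of people who can reach the paper it is written on.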

If you have a bad password, and use it on a variety of services across the Internet, there are well over 1 billion people on the Internet who may be able to guess that bad password of yours.

The risk assessment is simple: if someone steals your password list, you can probably figure out who did it and report it to the police. If you're lucky they'll even do something about it. With a billion suspects on the Internet, they will most likely drop the investigation.

So to all of you who make password requirements and recommendations: support this. It is time to face the facts and use common sense here. (To all banks in Norway: the first bank to use common sense in its password requirements gets a new customer, since I have just declared that I do not comply with your requirements for my passwords and PINs.)

For those of my colleagues in the industry who now believe that I should be hospitalized and receive psychiatric treatment, take a look here: Jesper's Blog, and here: Schneier on Security. I would appreciate any and all feedback from you!