One of the shows I’ve started watching since coming to the UK is called “QI XL”. It’s a quiz show/comedy hour hosted by Stephen Fry where he asks trivia questions of people who I assume are celebrities here in Britain. As often as not I have no clue who these people are. It’s fun because rather than simply asking his questions one after another, the group of them riff off one another and sound a little bit like my friends do when we get together for drinks. I wouldn’t say it’s a show for kids though, since the topics and the conversation can get a little risqué, occasionally straying into territory you don’t want to explain to anyone under 18.
Last night I watched a show with someone I definitely recognized: Jeremy Clarkson from Top Gear. A question came up about passwords and securing them, which Clarkson was surprisingly adept at answering, with the whole “upper case, lower case, numbers and symbols” mantra that we do so love in security. He even knew he wasn’t supposed to write them down. Except he was wrong on that last part. As Stephen Fry pointed out, “No one can remember all those complex passwords! At least no one you’d want to have a conversation with.”
Telling people not to write down their passwords is a disservice we as a community have been pushing for far too long. Mr. Fry is absolutely correct that no one can remember all the passwords we need to get by in our daily life. I don’t know about anyone else, but I’ll probably have to enter at least a dozen passwords before the end of today, each one different, with different levels of security and confidentiality needed. I can’t remember that many passwords, and luckily I don’t have to since I use 1Password to record them for me.
But let’s think about the average user for a moment; even as easy as 1Password or LastPass are to use, they’re probably still too complex for many users. I’m not trying to belittle users, but many people don’t have the time or interest to learn how to use a new tool, no matter how easy. So why can’t they use something they’re intimately familiar with, the pen and paper? The answer is, they can; they just have to learn to keep those secrets safe, rather than taping the password on a note under their keyboard.
We have a secret that every one of us carries every day: our keys. You can consider a key a physical token as well, but really it’s the shape of your keys in particular that is the secret. If someone else knows the shape of your keys, they can create their own and open anything your keys will open. This is a paradigm every user is familiar with, and they know how to secure their keys. So why aren’t more of us teaching our users to write down their passwords in a small booklet and treat it with the same care and attention they give their keys? Other than the fact it’s not what we were taught by our mentors from the beginning, that is.
A user who can write down their passwords is more likely to choose a long, complex password, something they’d probably have a hard time remembering otherwise. And as long as they are going to treat that written password as what it is, a key to their accounts, then we’ll all end up with a little more security on the whole. So next time you’re preparing to teach a security awareness class, go back to the stationery store and pick up one of those little password notebooks we’ve all made fun of and hand them out to your users, but remind them they need to keep the booklet as safe as they do their other keys. If you’re smart, you’ll also include a note with a link to LastPass or 1Password as well; might as well give them a chance to have even a little better security.