I keep telling my users to choose strong, easy-to-remember passwords, and to never, ever write them down. Why am I saying this? Because today, while reading Watchguard Wire, I stumbled on an article pointing to a guy who has a different point of view on all that "keep your password secure" business. And I hate to admit it, but he does score some points with his arguments. Only a few, though.

You've got thousands of dollars worth of stuff in your pockets, or your purse. Seriously. You're carrying keys to your eight-year-old Honda, which is worth about $5,000. Your credit cards could bring in thousands of dollars for a crook. You're carrying the keys to the house where your family sleeps. It's hard to put a price on that. Do any of your passwords really need more security than your pocket provides? (Source: The Security Mentor)

The points that Frederick expresses in his post are mostly right. Writing a strong password on a piece of paper and keeping it in your wallet is a reasonable way of keeping it secure, but I see one problem with this: human nature. Some people will never forget to put their little piece of paper back in their wallet, but a good proportion of them will leave it lying on their desk for days at a time, for all to see. After a while, the 'reminder' will simply return to its old place under the keyboard, where the user kept it before having the brilliant idea of putting it inside his wallet.

To my mind, there's really only one way to truly secure a system against this: implement a two-factor authentication scheme.

A "factor" of authentication is one of these three fundamental "things":

Something you have (e.g. a smart card, or a secure ID token)

Something you know (e.g., a user ID and a password)

Something you are (e.g., a fingerprint, or the tone of a voice)

So there you are. By combining two or more of these 'factors', you create an authentication scheme that negates most of the security risks associated with the use of simple, conventional passwords. So even if someone writes his password down on a piece of paper and this paper falls into the hands of an evil black-hat hacker, the password itself would be of little use to the attacker if he doesn't possess one or more of the other authentication factors.
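To make the "something you know plus something you have" point concrete, here is an added example (not code from the original post or from The Security Mentor) of a minimal two-factor check in Python: a salted PBKDF2 password hash for the "know" factor and a time-based one-time password (TOTP, RFC 6238, built on the HOTP construction from RFC 4226) for the "have" factor. The user record, the password "correct horse battery staple", the all-zero salt and the 20-byte token seed are constructed values (the seed is the RFC 6238 reference secret); in a real deployment the salt is random and the seed is provisioned to the user's token or phone.

```python
"""Two-factor login check: password (something you know) + TOTP (something you have).
Added example; the user store and secrets below are constructed test data."""
import hashlib
import hmac
import os
import struct
from typing import Optional, Tuple

PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a storable (salt, key) pair; the plaintext password is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute the derivation and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, stored_key)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of whole time steps since the epoch."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to tolerate small clock drift."""
    candidates = [totp(secret, at_time + d * step, step) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(c, code) for c in candidates)


# Constructed user record. Zero salt is used only so the example is deterministic.
_SALT, _KEY = hash_password("correct horse battery staple", salt=b"\x00" * 16)
USERS = {
    "alice": {"salt": _SALT, "key": _KEY, "totp_seed": b"12345678901234567890"},
}


def authenticate(username: str, password: str, code: str, at_time: int) -> bool:
    """Both factors are always evaluated; a leaked password alone is refused."""
    user = USERS.get(username)
    if user is None:
        return False
    password_ok = verify_password(password, user["salt"], user["key"])
    code_ok = verify_totp(user["totp_seed"], code, at_time)
    return password_ok and code_ok


if __name__ == "__main__":
    now = 59  # fixed timestamp from the RFC 6238 test vectors
    print("password + valid code :", authenticate("alice", "correct horse battery staple", totp(USERS["alice"]["totp_seed"], now), now))
    print("password, no token    :", authenticate("alice", "correct horse battery staple", "000000", now))
    print("token, wrong password :", authenticate("alice", "post-it note guess", totp(USERS["alice"]["totp_seed"], now), now))
```

The last two calls are the scenario the post describes: an attacker who reads the password off a piece of paper gets nowhere without the token, and someone holding the token gets nowhere without the password. Both factors are computed before the final `and` so the response time does not reveal which one failed.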

So, what is YOUR position on this? To write down or not to write down your password, that is the question.