A basic rule of password-based security is "don't write down your password." A second rule might be "don't train people to write down passwords." And a third rule, which few follow, is "don't adopt password policies that lead to people writing their passwords down" (over-aggressive change requirements often have this effect, for instance).

Best Buy hasn't received the memo, apparently. This past Friday I came in contact with a surprisingly bad password policy in action as I shopped with my brother for his new computer in Scottsdale, Arizona. He had settled on an HP Windows 7 machine and was in the process of paying for it when a Best Buy employee handed him an 8.5” by 11” sheet of paper labeled “PC Recommendation Worksheet.”

Emblazoned with the familiar Best Buy and Geek Squad logos, one side contained a “new computer setup” form, where you can select antivirus software, Geek Squad tech support, data transfer services, Microsoft Office, and so forth. The other side had more of the same—along with a request for my brother’s e-mail and password, right below the fields for name, address, and phone number. Anyone reading this form would interpret it as a request for your e-mail address and e-mail password. And less-sophisticated users will fill it in, no questions asked. But we balked.

“So, why do you need my password?” my brother asked. The Best Buy employee quickly said, “you can just ignore that.” Intrigued, I asked the employee if I could have a clean copy of the sheet and he graciously complied. It’s good, because the sheet my brother filled in—without his password, of course—was taken by the Best Buy employee. You can see a scanned copy at the top of this post (click the image to get a larger view). Even though we were told to ignore it, my curiosity was piqued. Who and what is this meant for?

Best Buy's official spokespeople tell Ars that they collect the passwords so Geek Squad technicians can set up the user's preferred password for logging into their new PC. In other words, this field is where users put in a desired password for their new (Administrator-level) account. This strikes us as unwise, even if it is not a cardinal security sin. Best Buy also tells us that our inquiry has triggered a review of the form and that a revision is forthcoming. We don't know exactly how the forms will be changed, but we're glad Best Buy is working to fix the problem.

Given the placement of the password field underneath the e-mail address field, it certainly looks like Best Buy is asking for the password to a Yahoo Mail, Gmail, or similar account. More important, however, is the simple fact that asking users for their preferred password to set up their user account on the machine is bad security practice.

PC sellers helping customers set computers up isn’t unusual—but asking them to write their passwords down in plain text on a sheet of paper to be handed to the store employee is obviously questionable from a security standpoint. It's also unnecessary. Windows lets third parties set up a PC with a temporary password and provides a self-explanatory option titled "User must change password at next log on." This was a missed opportunity for Best Buy to help users become more responsible for their security. Instead, the big box retailer misses the mark and does nothing to boost the security consciousness of its customers.

(Note that the above process would not work exactly the same for Mac OS X, as the OS doesn't have an option for forcing users to reset the password. There is an option titled "Allow user to reset password using Apple ID," and of course, Geek Squad could set their own temporary password and give it to users along with instructions on how to change it. UPDATE: One reader helpfully notes that Mac OS X does have such an option—it's not in the graphical user interface, but it can be enabled in the command line.)

Also worrisome is the fact that Best Buy is handing these sheets to any old PC buyer, even individuals like my brother who had no intention of paying Best Buy extra cash to set up his computer. In case you're wondering: Geek Squad's basic PC setup runs $69.99, creation of recovery discs is $59.99 (or $100 for both PC setup and discs), while ongoing tech support starts at $99.99 for a single year. Transfer of "up to 9.4GB of data" from an old PC to a new one is $75. Yet they still gave him this form, and we absolutely contend that it appears to request e-mail passwords. It isn’t hard to imagine the less tech-savvy user filling in the e-mail and password fields without much thought.

We've asked both Apple and Microsoft how their retail stores handle passwords during PC setup, but haven't heard back yet. UPDATE: Microsoft tells us that “As a general procedure we ask the customer to remove the password on their machine or change it temporarily so that the store is never in possession of a customer’s real password. If an e-mail or other online password is necessary in completing the service, the customer is asked to enter the password directly on the device.”

In response to our inquiry, Best Buy told us that the forms in question are "stored at a Best Buy store as protected customer information and destroyed after three years." We asked Best Buy if Geek Squad members are required to instruct PC buyers to change their passwords after their PCs are set up. It seems not to be a requirement, but Best Buy told us Geek Squad agents do "encourage customers to change their passwords after set-up."

Even if Best Buy employees are conscientious enough to tell PC buyers not to fill in the password field, it's a practice that should be abandoned entirely. These sheets should not be placed in front of customers during the PC purchase process, and those who opt for Geek Squad setup should not be asked to determine a preferred password for setup and to write it down. Best Buy can and should do more here to inform users of proper security practices, and that begins with not telling a complete stranger what you want your desktop computer password to be, or worse yet, writing it down for them.