Why you should write down your password

The outrageous idea

The advice that follows will sound bizarre. I'm going to argue that writing down your passwords and keeping them in a safe place is enough protection for most home users. I'm even going to argue that you can improve your security by writing down passwords.

What have I got in my pockets?

Let's take a look. Right now I'm trusting the security of my pockets to protect my car keys, which are worth thousands of dollars. My pockets are guarding my credit cards. I'm even trusting my pockets with the keys to the house where my family sleeps, which is priceless.

How much are your computer passwords worth?

If you're Bill Gates, your home banking passwords are too valuable to write down (and if you're Bill Gates, please read one of my more technical columns). If the computer belongs to your employer, then of course you should follow their policy for protecting their passwords. For a regular person, a card in your wallet is plenty of protection for the passwords you use at home. Just don't write down your ATM password there.

Why it can be a good idea to write them down

Writing down your password and carrying it with you can make your security better. If you write your password down, you're free to pick a password without worrying about remembering it. A password you can remember is a weak password. The bad guys have password-guessing programs that know every word in the dictionary and every trick like typing diagonally on the keyboard. These programs can try millions of passwords a second. A password that can stand up to attack looks like comic-book profanity and normal people can't memorize it.

If you're not trying to remember a password then you're free to change it frequently, which also makes things more secure.

Best of all, if you're carrying your password with you, you're safe from forgetting it and being locked out of your computer. If you can't use your computer because you've forgotten a password, that's just the same as not being able to use it because a bad guy crashed it.

But don't all the security people say you should never write down a password? Yes, they do, and they'd be right if humans had nothing better to do than memorize passwords. They're right that you shouldn't write it on a Post-it stuck to your monitor. They're right, if you're handling military secrets.

What if your password is really valuable? Then you can keep it in your jewelry box, home safe, or wherever you keep valuables. If you're feeling really protective you can store passwords in a program called Password Safe (https://sourceforge.net/project/showfiles.php?group_id=41019&package_id=33169&release_id=217889) from security guru Bruce Schneier (http://www.schneier.com). Password Safe puts all your zillions of passwords in one file and protects that file with one single password. Then you can put the Password Safe file on one of those nifty thumb-sized USB drives and carry the drive on a chain around your neck.

If you want a strong password that's sort of understandable, go to http://www.diceware.com. The Diceware site has a free system for creating strings of random words (like "cleft cam synod lacy yr") that you can use on systems that allow long passwords. Windows 2000, Windows XP and Linux all allow long passwords. Windows NT and Mac OS X before version 10.3 limit password lengths so much that Diceware "passphrases" won't work. Visit the Diceware folks anyway! Their site also has the best general password advice I've ever seen in years of studying security.
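The Diceware idea described above, as an added example that is not from this column or from the Diceware project: each word is chosen by five dice rolls made with a cryptographic random source, the roll is mapped to a list index, and the entropy of a single dictionary word is compared with a five-word passphrase at the column's "millions of guesses a second" rate. The short word list and the 50,000-word dictionary size are constructed assumptions; the real Diceware list has 7776 entries.

```python
import math
import secrets

# Constructed sample list standing in for the real Diceware list, which has
# 6**5 = 7776 words keyed by five dice rolls ("11111" .. "66666").
SAMPLE_WORDS = ["cleft", "cam", "synod", "lacy", "yr", "apple", "brick", "cloud"]
DICEWARE_LIST_SIZE = 6 ** 5  # size of the real list (assumed, not embedded here)


def roll_key(rolls: int = 5) -> str:
    """Roll `rolls` fair dice using the OS cryptographic RNG, e.g. '35162'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key: str) -> int:
    """Map a five-roll key ('11111'..'66666') to a list index (0..7775), base 6."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"bad dice key: {key!r}")
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def diceware_passphrase(words: list, n_words: int) -> str:
    """Pick n_words uniformly with `secrets` (never `random`) and join with spaces."""
    if n_words < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return " ".join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy in bits of `length` independent uniform picks from `pool_size` options."""
    return length * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time for a guesser that must search half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000  # one million guesses per second, as in the column
    word_bits = entropy_bits(50_000, 1)  # one word from an assumed 50,000-word dictionary
    phrase_bits = entropy_bits(DICEWARE_LIST_SIZE, 5)  # five Diceware words
    print("sample phrase (from the tiny constructed list):", diceware_passphrase(SAMPLE_WORDS, 5))
    print(f"dictionary word: {word_bits:.1f} bits, ~{expected_crack_seconds(word_bits, rate):.3f} s")
    years = expected_crack_seconds(phrase_bits, rate) / 31_557_600
    print(f"5 Diceware words: {phrase_bits:.1f} bits, ~{years:,.0f} years")
```

The sample list only yields 3 bits per word; the entropy figures use the full 7776-word list size, which is what makes a five-word phrase resist the guessing rate the column mentions.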


Send mail to besphere_webmaster@pobox.com with questions or comments about this web site.
Last modified: 03/24/04