We now get to what I consider the greatest threat to computer security: the Yellow Sticky of Doom!
Passwords written down on yellow sticky notes. These are everywhere.
What is the difference between a secure facility and an insecure facility? In an insecure facility the yellow sticky notes are stuck to monitors. In a secure facility the yellow sticky notes are stuck to the bottom of the keyboard. In really secure facilities they are in desk drawers – and maybe even locked up!
The solution is obvious: ban people from writing down their passwords!
Except that this won’t work. Full stop. Period. Won’t. Work.
Why? Because passwords are crap for security.
Passwords that are difficult to guess or to crack with a brute force attack are impossible for people to remember – look at the ones in the yellow sticky above! All of these passwords were produced by a password generator with a high security setting. Anyone who can remember one of these passwords scares me!
Consider the usual guidelines for producing a secure password: 12-16 characters, no dictionary words, a combination of upper case, lower case, numbers, and punctuation. And changed every 1-6 months.
Human brains don’t work this way.
Correct Horse Battery Staple
If you want people to actually remember passwords, consider the way the human brain works. Look at XKCD on Password Strength: this is an example of a password that a human can remember. It builds on the way the mind and memory work, through chunking, context, and pattern recognition. Correct Horse Battery Staple has become an Internet meme – a code term referencing a way to make passwords somewhat work.
But, can your system handle it? Do you allow passwords this long? Do you allow spaces in passwords?
And look at your policies. If a person can remember a word, it is in a dictionary! The only thing a “no dictionary words” policy does is guarantee that passwords will be written down.
At a minimum, encourage pass phrases rather than classical passwords.
If you actually care about security, implement multi-factor authentication – a combination of what you know, what you have, and what you are.
Traditional passwords serve only one purpose – to allow you to blame innocent users for your mistakes. They are no longer an effective security or authentication mechanism. Forget trying to stop people from writing them down and get serious about security.
Get rid of the Yellow Sticky of Doom by making it obsolete!