Gartner Blog Network

You may not write down unmemorizable passwords

by Jay Heiser  |  April 19, 2012  |  1 Comment

I frequently see end user policies that contain the following two elements:

  • Passwords must be so complex that they cannot be guessed
  • Passwords may not be written down

This is almost a model case of perfectly secure and perfectly unusable. I say almost because, unfortunately, strong passwords only represent a marginal increase in attack resistance. Complexity helps against guessing and against offline cracking of a stolen hash, but no password can be so strong that it cannot be slurped by malware such as a keylogger. Infinitely complex passwords are infinitely impossible to memorize, yet they are not substantially more secure. I almost hesitate to add that aggressive password aging policies make memorization even harder. No normal individual can memorize several dozen non-trivial passwords, especially when quarterly changes are enforced.

Given that we are stuck with passwords, at least for the time being, my advice would be to teach your users how to carefully protect the complex passwords that they have no choice but to use. A useful guideline is to treat written passwords like money: keep them out of sight, do not leave them lying around, and do not hand them to anyone.

But the point of today’s rant is not to revisit password policies. It’s to encourage some attention to those policy elements that never seem to go away but cannot be followed. Do not force your people to agree to follow impossible policies; it is counterproductive for multiple reasons. Policies like this are tantamount to saying “You are on your own. We won’t help you, but if you get hacked, we will blame you.”

Choose your policies carefully, and remember that the majority of bad things cannot be prevented just by writing down a rule against them.

Category: policy  security  

Tags: malware  password-slurping  passwords  policy  slurping-attack  

Jay Heiser
Research VP
6 years at Gartner
24 years IT industry

Jay Heiser is a research vice president specializing in the areas of IT risk management and compliance, security policy and organization, forensics, and investigation. Current research areas include cloud and SaaS computing risk and control, technologies and processes for the secure sharing of data…

Thoughts on You may not write down unmemorizable passwords

  1. Manasvi Thawani says:

    Great insights, Jay! What are your thoughts on biometric authentication, especially voice authentication, as a substitute for or add-on to passwords (multifactor authentication)?
