I frequently see end user policies that contain the following two elements:
- Passwords must be so complex that they cannot be guessed
- Passwords may not be written down
This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only represent a marginal increase in attack resistance. No password can be so strong that it cannot be slurped by malware. Infinitely complex passwords are infinitely impossible to memorize, but they are not substantially more secure. I almost hesitate to further mention that aggressive password aging policies exacerbate the impossibility of memorization. No normal individual can memorize several dozen non-trivial passwords, especially not when quarterly changes are enforced.
Given that we are stuck with passwords, at least for the time being, my advice would be to teach your users how to carefully protect the complex passwords that they have no choice but to use. A useful guideline is to treat written passwords like money.
But the point of today’s rant is not to revisit password policies. It’s to encourage some attention on those policy elements that never seem to go away, but cannot be followed. Do not force your people to agree to follow impossible policies—it is counterproductive for multiple reasons. Policies like this are tantamount to saying “You are on your own. We won’t help you, but if you get hacked, we will blame you.”
Choose your policies carefully, and remember that the majority of bad things cannot be prevented just by writing down a rule against it.