Write your password down?!?!?

Fruit Cocktails

The Register highlights the ongoing debate, restarted (this time) by Jesper Johansson, about writing passwords down. Apparently we are all supposed to be used to controlling access to bits of paper.

Jesper made the comment at Tech-Ed. One of his arguments concerned single sign-on solutions: his point was that they drive security to the lowest common denominator and are therefore bad. He would rather people used a different, complicated password for each system and wrote them down.

I have mixed feelings about writing passwords down.

Firstly, if users write all of their passwords down on the same piece of paper, they may as well just have the same password for every system. If they lose the piece of paper, they have lost their record of every password and whoever finds it holds access to every system at once. That is exactly the failure mode of reusing one password everywhere.

Secondly, organisations need to start differentiating systems on the basis of the importance of the information they hold. Some businesses do this, but many don't. For the important systems it should never be acceptable to write your password down. Single sign-on solutions should be used to simplify access to the general purpose systems, but not to the important ones.

Thirdly, I'm not sure the assertion that people are used to protecting bits of paper is true. Just look at how much credit card fraud goes on after people have thrown credit card statements and the like away in an uncontrolled way.

The biggest issue, as always, is user experience and education. People need to realise the potential consequences of their actions. This type of education is sadly lacking, and it's also not easy to give, because the technology does not provide a clear indication of impact or consequences. If someone were to drop a carton containing nuclear material outside my house, I would know immediately that its contents are very dangerous, and I would know that there are certain handling rules. I know all of this from a couple of pictures on the side of the carton. If I start an application, how do I know what the handling rules are for the data held within it? Even if they were communicated within the application, it would be nothing like as intuitive as the pictures on the side of the carton. If people are going to have a piece of paper with their passwords on it, they need handling rules, and those handling rules need to be different for each password.

Uwe Hermann makes a similar point.
