There's only one way to stop people writing passwords down, and that is to abolish them altogether.

Most people cannot reliably remember more than about 3 passwords. Telling them they must use different passwords for different functions and/or change them frequently is counterproductive and can only increase the likelihood that they will be found on the wall by the screen.

Fingerprint recognition may be the answer -- but does it work reliably? Until it does, passwords will always be written down.

Could that be somthing to do with the fact that companys expect you to have 8+ caricter passords, numbers letters and simbols in all of them, changed once a month? I have 7 passwords just for work (Plus four diffrent door codes). Security people realy need to come up with a diffrent way of doing things. I am mentaly draind by 9am just getting as far as logging in.

"Just over one third recorded their password or security information by either writing it down or storing it somewhere on their computer."

OK, storing it on the computer is pretty dumb. (I wonder if these people "store" their keys by leaving them in the locks.) However, at the last count I had over 50 passwords, 2 PINs and 2 door-entry codes. Should I pick passwords that are weak enough that I can remember all 50, or should I write them down?

This result has been seen time and time and time again. Why is anyone still wasting money duplicating this kind of report? Now, if they could actually do anything to change this kind of behaviour...

Humans as the security weak link was slated by Kevin Mitnick all those years ago.

That's how he got much of the security information needed to break into systems.

...in a form which isn't stupidly tortuous. Howabout Pageant (or a nice, preconfigured version thereof) on your local machine(s) (or on a USB stick if you want to use it on lots of unfamiliar PCs) that authenticates against a bank's website? Then expand this authentication mechanism to involve more sites (e.g. Hotmail, Gmail, Amazon, eBay) so people have a one-stop shop for logins. This presents its own numerous security issues, but they are more for the vendor to solve than the user to, as the user probably won't need to write down their password if there's only one to remember.

Or howabout this: have three different keys per user, each key allows a different level of access. So your bank accounts login(s) might use one, your email might use another, and sites you don't really trust might use a third. Then as long as you assign the correct site login to the correct key, a potentially dodgy site won't be able to get anywhere near the key that the bank uses. But: you only need to type in one password when the PC loads/a key is needed for the first time to activate all three keys.

Just some thoughts. Security education/usage is ridiculously immature compared to what people currently rely on it for, and it does somehow need to be commoditised so people don't have to know about public and private keys/keyrings/trust levels etc. Most people don't care about creating little trust networks, they just want to authenticate against the websites that they care about without having to remember a million passwords.

The answer might be to generate one time PINs or Passwords.

If we don't exchange the shared secret, that would enable us to lower the number of PINs / passwords, make them easier to remember, and stronger. At present we are all relying on tokens, but there is an idea & company that can do it without additional hardware. One factor authentication could be viable again.

As said, the sheer number of passwords, secureID generators, different rules for passwords in different systems, requirements to change passwords that must differ from previous ones at frequent intervals .... Of course one records them somewhere and gets furious and demotivated having to enter so many so often just to do one's job. Worse still, passwords become limited to easily guessed words to give one a fighting chance of remembering what it is on this system this week.

So, a piece of paper? On the computer? It seems to me that, provided one can remember at least one password, pending reliable other forms of security such as fingerprinting, a computer file is reasonable. What should be part of this however is to encrypt the file, using, for example, PGP or GPG (the free version of PGP) with good encryption keys.

Of course, if the network is secure and the work place is secure, the most important barriers are all ready in place.

I'm in total agreement.

At work alone, I have to know passwords for 13 databases currently. These last 28 days and must be a mixture of upper and lowercase, include at least one number and be at least 8 characters long. If we then add in all the other passwords, for websites, applications, networks etc., the total comes to nearly 40.

Do I write them down? Of course I do!

So, what's the answer?

Unfortunately, there is no simple answer, otherwise we would already be using it.

However, I would make one request - please stop building websites which require users to have passwords for no damned good reason. It's cumbersome and unnecessary.

I shouldn't need to register a password with Tesco/Sainsbury's just so I can browse the online shelves. You don't ask me for ID when I enter a Tesco/Sainsbury's store, so why do it online?

Security is a great idea, but if it prevents legitimate users from using the software or encourages insecure methodologies, it's not working correctly.

One-time passwords are still vulnerable to phishing. They've been used for some European internet-based banking for a while (TAN) and are being superseded in some places e.g. by mTAN (a one-time password sent at the time of transaction to the user's registered mobile phone, only valid for the one transfer). Traditional passwords are used in addition, so somebody finding the phone before the legitimate owner has it blocked wouldn't have an advantage.

I don't really see what the fuss is with writing down passwords. There are some passwords that you wouldn't want to write down, but in most cases (especially for website passwords) it's far safer than reusing one password at multiple locations, and allows a much stronger password to be used than can be easily memorized...

Is the fact that I have to log in to my computor at work and then log in to lots of programs. Why? Isn't that a bit like having a lock on my front door, and then a lock on every room? No-one should be using my logon appart from me in the first place.

There may be somthing I'm missing but it dose seem a bit overkill.

may be neccessary if you use one of those rooms in your home as an office for your business (as I do). Yes, I use my laptop for personal use too, but client files on the hardrive are under very severe lock-and-key in a secure folder. (Just in case!)

We been telling you this for,what, 5 years - now we have 3 studies being undertaken, costing how much??

First and foremost: educate your users, secondly security boffins: stop behaving like policemen and show your users why strong passwords are important to THEM.

Strong passwords are not that difficult once concepts are grasped - this will stop most of the unsophisticated attacks and risk will be lowered.

Think "real world = virtual world" so physical security and network security concepts are similar. If we remind our users how they behave in the real world and relate this back to the virtual world it is amazing how quickly they grasp the concepts add to this some "tips and tricks" and 90% of risk disappears.

It is as true in the virtual world as in the real world that a determined thief can and will obtain access to the most secure environment. All we can do is lessen the risk by being prudent

The problem lies in the technology (passwords), not in the users! Stop blaming the users and begin to invest more effort in alternative authentication methods. Focus on an authentication technology that takes account of the requirements of real people! Users are human beings. Why is this so difficult to understand?

...and then log in to lots of programs. Why?"

Your domain login grants you the security credentials required for domain or AD access, and from here all of your AD or NTFS accesses are controlled, so server, file, application, all security control really.

However a LOT of third party vendor applications don't hook into AD or use domain accounts, so they require a seperate non-Windows security credential to grant you the correct accesses required. Multiply by number of non-integrated 3rd party apps, and that's why.