Want to start a security nerd slap fight? Ask two of them their opinions of one of these little gems:
For years the conventional wisdom has been: never write down your passwords.
Conventional wisdom has also said: use unique, long, complex passwords on each and every account.
I don’t know about you, but I log into over a dozen different systems/accounts every day. I can’t remember that many long, complex passwords without resorting to some kind of trick or mnemonic or pattern that, in time, someone will be able to figure out and crack. The next best thing to a photographic memory is a password manager (something we talk about in the book). But what about writing down long, complex passwords?
That advice came from a different age, when computers were permeating the workplace and anyone could walk around the office, sneak a peek at the Post-It note you stuck to your monitor with your password on it, and then commence their shenanigans posing as you online. Commercial cybersecurity was relatively new and its tools were rudimentary. Today, in an enterprise of any size, that sort of activity would be noticed and investigated.
There are still offices where anyone can walk around and see what’s on your desk (the dreaded ‘open office’ floor plan), and in those situations, no, you shouldn’t write down your passwords. But are you going to force a password manager onto your grandpa, who is retired, lives alone, and is never going to adopt the elaborate security practices common in an enterprise setting? No, you’re not. Grandpa can and should write down his passwords, because if that’s how you get him to use unique, strong passwords instead of “password123”, then that’s what you do.
Grandpa’s threat model is not your threat model is not my threat model. Security principles are universal, but there are a thousand ways to implement those principles.