Security Wisdom from Microsoft?

I know that pigs must be flying, but a Microsoft security expert recently made a very wise statement. Jesper Johansson told an Australia CERT gathering that employees should write down their passwords.

“How many have (a) password policy that says under penalty of death you shall not write down your password?” asked Johansson, to which the majority of attendees raised their hands in agreement. “I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them.”

Johansson is absolutely right. Human nature says that if you have many different passwords – as good security policy tells you to – you’ll likely recycle a few to keep things simple. Then, should one of those systems become compromised, every other system sharing that password is exposed as well.

Unless you’re Dan Rather, you aren’t going to get accosted on the street by goons asking “what’s the password, Kenneth?” You’re not going to have your password beaten out of you during a POW interrogation. You’re also not going to have your password pilfered from your wallet using RFID. Until some enterprising hacker invents a way to remotely read the paper on your desk, having your passwords written down rather than stored somewhere (or “recycled”) is actually pretty safe.

I’ve been doing this myself for a few years now and am glad that others are seeing the light. It may not make sense in all situations, but it’s better than using one lousy password for everything.