Common wisdom over the last couple of decades has been to never write
down the passwords you use for accessing networked services. But is now
the time to begin writing them down? Threats are constantly evolving
and perhaps it’s time to revisit one of the longest-standing idioms of
security – “never write a password down”.
Back in the day, a password was a critical part of the corporate
identity system. You supplied your user ID and password pair in order to
get online and to access key corporate resources. Access controls then
extended the authentication model to enable greater control of what
users could see, do and change. As new systems came online, and as
business extended beyond the in-house corporate networks, additional
(i.e. separate) authentication systems came into play. Despite multiple
attempts at developing and deploying single sign-on (SSO), most
employees still need to juggle a dozen passwords in order to do their
work. If they have external Internet accounts as well, then they’ll be
juggling several dozen additional passwords. Once you throw in their
personal Internet accounts (webmail, Twitter, Facebook, LinkedIn,
PayPal, Amazon, etc.) you’re quickly neck-deep in password soup.
What’s traditionally been the problem with writing down passwords
anyway? Well, since passwords are the critical ingredient for access
control, corporate security teams have long “educated” employees into
never writing them down. To do so would potentially expose you to
impersonation – and you’d ultimately be responsible for whatever
(damage) the impersonator did in your name.
In the meantime, Internet guides, popular PC magazines, and
practically every website that forces you to create a login account, all
extol the virtues of never writing your passwords down. They also give
you lots of additional advice – such as “use a strong password”, “use a
unique password”, “never use the same password on a different site”,
etc. All of which make it incredibly difficult for any practically
minded human to keep track of which password belongs to which website.
The net result being that the “password rules” are being repeatedly
Now, to ease some of this burden, there has been a spurt of software
tools that’ll help remember passwords on your behalf. For example, the
popular web browsers all provide some capability in this area. The
problem though is that the bad guys have better tools. Practically all
of today’s malware (along with all those botnets you hear about each day)
has the built-in capability of grabbing/stealing both the passwords
you’ve remembered and type in each time you visit a favorite website,
and the passwords being conveniently “remembered” by the software on
Why would writing down a password be good? Well, it’s not a question
of being good – just better. Granted, anything you type on your computer
can (and will) be grabbed by the malware it’s been compromised with,
but the lowest hanging fruit for the bad guys lies with all the stuff
you’ve already asked your computer to remember on your behalf. After 3
months of use, web browser “remember” functions may have captured 50+
sets of authentication details. Within a few seconds of computer
compromise, all three months worth of stored credentials will have been
copied and stolen (oh, and they’re neatly formatted and sorted) – so the
malware doesn’t need to do any work, and it doesn’t matter if your
anti-virus software gets an update tomorrow capable of detecting the
malware and removing it. The damage is already done.
Staying hidden on a victim’s computer is not a trivial task for much
malware – particularly widespread Internet malware (anything with a name
you may have read about). There are lots of things that can go wrong.
AV updates may detect the infection, dropper websites may be taken down,
uploading sites may be sinkholed, CnC domains may be hijacked, etc., so
it’s become important for modern malware to steal as much information as
possible within the shortest possible time. Factors such as
conveniently storing all your authentication details on your
computer and recycling popular (i.e. memorable) passwords reduce the
time the malware needs to be operating in order to steal critical data.
What about a few high-level odds?
- 1:3 – home PC being infected with malware with password stealing
capabilities in a given year.
- 1:4 – home PC being infected with a botnet agent in a given year
- 1:8 – corporate PC being infected with malware with password
stealing capabilities in a given year
- 1:12 – corporate PC being infected with a botnet agent in a given
- 1:160 – your car being stolen in a given year
- 1:700 – your home being burgled
- 1:600,000 – being struck by lightning
I think it’s time to revisit the “never write a password down” idiom.
Prioritizing best practices in password management, I’d be inclined to
list them in the following order:
- Don’t use the same password on multiple websites
- Don’t let your computer “remember” your password!
- Use a “strong” password – preferably something with 12+ mixed
- Don’t use a predictable algorithm – e.g. abc<siteName>123
- Change your passwords regularly. For sites with lots of personal
information and associated monies, change every 2-3 months. For other
sites, try every 6-12 months.
- Don’t reuse past passwords – even if you think it’s a cool password.
- Don’t write your password down.
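The first four rules on that list are the ones a tool can actually check for you. As an added example, not code from the original post or from Damballa, here is a small Python audit that takes a list of (site, password) pairs, such as an export from a password manager, and flags reuse across sites, passwords below a strength threshold, and passwords that embed the site name the way abc<siteName>123 does. The vault contents are constructed, and the 12-character / 3-class strength threshold and the site-name heuristic are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample vault export for the example: hypothetical sites and
# throwaway passwords, not real credentials.
SAMPLE_VAULT = [
    ("example-bank.com", "abcexamplebank123"),
    ("example-mail.com", "abcexamplemail123"),
    ("example-shop.com", "Tr0ub4dor&3"),
    ("example-forum.net", "Tr0ub4dor&3"),
    ("example-social.org", "Correct-Horse-Battery-Staple-42"),
    ("example-cloud.io", "kXq9#vL2!mR7zP4w"),
]


def site_tokens(site):
    """Split a hostname on '.', '-' and '_' and keep the name parts (the
    trailing TLD is dropped) as lowercase tokens of at least 3 letters."""
    parts = re.split(r"[.\-_]", site.lower())
    return [p for p in parts[:-1] if len(p) >= 3] or [parts[0]]


def letters_only(pw):
    """Lowercase the password and strip everything that is not a letter, so
    padding such as 'abc' and '123' cannot hide the site name."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_site_templated(site, pw, max_padding=8):
    """Heuristic (assumption): a password is 'templated' on the site when,
    after removing a site-name token, at most max_padding letters remain."""
    body = letters_only(pw)
    for tok in site_tokens(site):
        if len(tok) >= 4 and tok in body:
            if len(body.replace(tok, "")) <= max_padding:
                return True
    return False


def char_classes(pw):
    """Count how many of the four character classes appear in the password."""
    return (any(c.islower() for c in pw)
            + any(c.isupper() for c in pw)
            + any(c.isdigit() for c in pw)
            + any(not c.isalnum() for c in pw))


def is_strong(pw, min_len=12, min_classes=3):
    """Length and class thresholds are assumptions for the '12+ mixed' rule."""
    return len(pw) >= min_len and char_classes(pw) >= min_classes


def audit(vault, min_len=12, min_classes=3):
    """Return {site: [findings]} with findings in a fixed order:
    'reused' (same password on another site), 'weak', 'site-templated'."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)

    report = {}
    for site, pw in vault:
        findings = []
        if len(sites_by_password[pw]) > 1:
            findings.append("reused")
        if not is_strong(pw, min_len, min_classes):
            findings.append("weak")
        if is_site_templated(site, pw):
            findings.append("site-templated")
        report[site] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        print(f"{site:20s} {', '.join(findings) or 'ok'}")
```

Run against the constructed vault, the two abc<siteName>123 entries are flagged as both weak and site-templated, the shared Tr0ub4dor&3 entry is flagged as reused on both sites and as too short, and the two long mixed-class passwords pass. The thresholds are deliberately parameters so a team can tighten them to its own policy.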
Yes, that’s right – writing down your passwords comes in at a distant
7th place. In practical terms, even if you only manage the first 4 on
the list, you’re probably going to be juggling at least a couple of
dozen passwords (or more than likely that’ll be 40+ on a regular basis
for most people that spend any time online). The probability that your
computer(s) will be compromised and that the information will be stolen
by the bad guys’ malware is much, much greater than the probability that
someone will manage to break into your house and target all the post-it
notes you’ve stuck around your screen with all your passwords on them.
In corporate environments there’s a higher probability that the evening
cleaning crew would gain visibility of the passwords (so post-it notes
aren’t to be recommended), but that insider-threat risk is still
going to be lower than the risk of your work computer being compromised.
The first 6 password recommendations would trump the 7th in most
cases – provided you take care in how and where you write your passwords
down. Be smart about it… but don’t underestimate the risks posed by
modern malware either.
Gunter Ollmann is the VP of research at Damballa.