
What’s wrong with writing passwords down?

Posted by on July 21, 2014.

A new research paper from Microsoft Research (Redmond) and Carleton University (Canada) takes a scientific look at the problem of maintaining multiple strong passwords. The issue is simple and well-known. Users now have so many online accounts that it is impossible to remember strong individual passwords for all of them. The result is that many users simply give up and use a single, often weak, password for all accounts. Even if it is a strong password, it only takes one breached service provider that stored its users’ passwords insecurely for all of that user’s accounts to be put at risk.

This new paper, which will be presented at Usenix 2014 next month but is already online, is a scientific analysis of the problem. For example,

Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts


I’m not going to pretend that I can understand much if any of the mathematics; so I’ll skip straight to the conclusion. It is this: contrary to much expert opinion, it is not necessarily the best solution to use strong unique passwords all of the time. The researchers’ conclusion is that a smaller number of strong passwords should be used, possibly using the same password for similar accounts. If, for example, you are required to open an account with a news service that takes no personal information from you, then it would be reasonable to use the same password for all similar accounts. The risk is equal and minimal, and not much would be lost even if all such accounts were compromised.

The conclusion here is that ‘risk’ is the key factor. Where the risk is high, such as a bank account, then that account deserves a unique strong password.

The research goes further by pointing to dangers in the oft-recommended use of password managers (I use one myself). If the password manager stores the passwords in the cloud and the cloud server is breached then all passwords are potentially lost. If they are stored locally, and malware gets in, then all passwords are potentially lost.

Of course, you could argue that if you get breached by malware locally, then you are pretty much stuffed anyway – but the problem here is that both home users and companies frequently aren’t aware they have been breached, sometimes for months or even years. During that time, covert theft of passwords could lead to covert use on accounts the user believes to be secure.

Surprisingly, perhaps, the researchers conclude:

Our findings are consistent with certain user behaviors that contradict accepted advice, offering to justify the behavior and giving evidence for the model’s utility.

The user may, in fact, not be as naive as is frequently suggested. So might this be the time to consider another user-tendency: writing passwords down so that they do not need to be remembered? Is this as bad as is often portrayed?

Probably not. It has one immediate and overriding advantage – individual paper passwords cannot be lost en masse via an online attack. Of course, they can still be stolen by malware with a keylogger on the PC while they are used, or stolen by a service provider breach; but only one at a time. And if particularly sensitive accounts, such as bank accounts, are further protected by two-factor authentication, then the individual password becomes of even less value to the attacker.

The key to this approach is still storage of the passwords. They must be kept in a secure place and never left in view of others. A lockable drawer would be an example: the paper record would be retrieved, used, and returned to the drawer. It then becomes a physical security rather than a cyber security issue. Most homes and most companies already have better physical than cyber security – so this may be no bad thing.

One remaining problem for companies would be productivity. Staff are often required to have multiple passwords for different parts of the company network. Having to retrieve each password from a drawer and enter it manually, multiplied by hundreds or even thousands of users possibly a dozen or more times every day soon becomes enormously expensive. The standard solution for companies is to use some form of single sign-on for productivity gains.

However, the research suggests that it is perfectly reasonable to store passwords in a manner suited to the risk. So the majority of low-risk passwords could still utilise SSO, while the smaller number of high-risk passwords could be stored offline in locked drawers. What the research paper suggests is that user coping mechanisms need to be taken into account during password storage – and the reality is, users’ standard coping methods may not be so silly after all.
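As an added illustration (not from the post or from the paper itself), here is a small model of the trade-off the post describes: accounts that share a password form a group that falls together when any one of their services leaks, and the user’s effort is the number of distinct passwords to remember. The account values and leak probabilities are constructed for illustration, and the three strategies (all unique, low-risk accounts grouped, one password everywhere) are assumptions, not figures from the paper.

```python
from collections import defaultdict

# Constructed portfolio: account -> (loss if compromised, yearly chance that
# the service itself leaks the password). Values are illustrative only.
ACCOUNTS = {
    "bank": (10000, 0.01),
    "email": (5000, 0.02),
    "shop": (500, 0.05),
    "news1": (10, 0.10),
    "news2": (10, 0.10),
    "forum": (10, 0.10),
}

# Three strategies, each mapping account -> password label
# (accounts with the same label reuse the same password).
ALL_UNIQUE = {a: a for a in ACCOUNTS}
GROUP_LOW_RISK = dict(ALL_UNIQUE, news1="low", news2="low", forum="low")
ONE_PASSWORD = {a: "same" for a in ACCOUNTS}


def groups_of(assignment):
    """Accounts that share a password form one group."""
    groups = defaultdict(list)
    for account, label in assignment.items():
        groups[label].append(account)
    return list(groups.values())


def expected_loss(accounts, assignment):
    """Expected yearly loss. A group falls if any member's service leaks,
    P = 1 - prod(1 - p_i), and then every member's value is lost."""
    total = 0.0
    for members in groups_of(assignment):
        p_no_leak, value = 1.0, 0
        for m in members:
            loss, p_leak = accounts[m]
            p_no_leak *= 1 - p_leak
            value += loss
        total += (1 - p_no_leak) * value
    return total


def effort(assignment):
    """The 'finite effort' side: distinct passwords the user must remember."""
    return len(groups_of(assignment))


def high_risk_shared(accounts, assignment, threshold):
    """High-value accounts (loss >= threshold) that share a password; the
    post argues these should each get a unique strong password."""
    return sorted(m for g in groups_of(assignment) if len(g) > 1
                  for m in g if accounts[m][0] >= threshold)
```

With these constructed numbers, grouping the three low-risk accounts raises expected loss only from 228 to about 233 while cutting the passwords to remember from six to four, whereas one shared password everywhere pushes the expected loss past 5,000.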

4 thoughts on “What’s wrong with writing passwords down?”

  1. Darn. I was going to blog something on that here, but you beat me to it. 🙂

    My view is not dissimilar to Kurt’s. It’s easier for a security professional to simply say ‘never share’ than to try to define exactly how to group the passworded services you use. I can certainly envisage scenarios where services may be regarded as low risk and low value but the shared password might offer a clue as to what strategy was used by the same user on a higher value service.

    As always, you can’t rely on every end user to interpret everything you say correctly, even if you express it as you intended. As you and Kurt and I always do, of course. 😉

    • Kevin on said:

      David & Kurt…

      Could it not be part of company password policy to differentiate risk for the user? IT/Security could then specify which parts of the network need a unique offline password together with where and how they must be stored (supported by an employment contract that makes it a disciplinary offence to leave them on show)? Home users, of course, could simply store all passwords off-line.

  2. the problem with the research is that it assumes that end users can do something which they demonstrably cannot do (at least not effectively) – and that is gauging risk. most people would have no clue how important their email account is, for example.

    without the ability to effectively gauge risk, they will not know which sites to use a unique password on and which ones are safe to reuse a password on. thus it is safer to not reuse passwords.

    password storage, in one form or another, is really the only solution to having unique passwords on the scale that is often required. the main problem with that is that, in recording the passwords, they are essentially transformed into security tokens and users may not be aware that they now need to be kept safe the way one might keep one’s credit card or house keys safe.

    it’s true that password managers are vulnerable if your system gets malware, but every account you access is potentially exposed regardless of how you protect your passwords in the event that your system gets malware. at least with a password manager protecting the passwords in other scenarios is basically taken care of for the user.


Submitted in: Expert Views, Kevin Townsend's opinions