There is an awful rule of basic password management which actually works counter to good security. Yet it continues to be suggested by even the top security organizations in the world. The rule is this: don’t write down your passwords.
There are lots of problems with this idea, not the least of which is the fact that if we make our passwords so easy to remember that we don’t have to write them down, well, they may well be too easy to guess. Or, if we decide to make it simple and use the same password for everything, that means all our banking accounts could be compromised the minute someone breaks into our gun club registry or recipe-swapping website. And one glaring reality this rule hasn’t kept pace with is that these days we need way too many passwords: one person can easily visit 15 different sites in a few hours – all of which require passwords.
So why the dumb rule?
In their defense, this was accepted wisdom twenty years ago for two reasons. Back then there was only one password that mattered: the one to get onto your computer. Naturally you didn’t want that password to be in the same place as the system! And apparently in those days people weren’t clever enough to write down passwords anywhere except on sticky notes attached to the computer. (Duh! At least put it in your shoe!)
More importantly – reason #2 – in those days what we worried about most of all was what we call “internal threats”. That is, we worried about other people at our place of business gaining unauthorized access to the computer or the network.
But in today’s world, the danger of “external threats” – cybercriminals trying to break in – has far surpassed the danger from “internal threats” or insiders. At least, this is true for most businesses – the possible exception being the ones who regularly piss off their employees. Hopefully, this rule also holds true for most of us at home – that we have more to worry about from the outside world than from each other.
So anyway, when external threats are the biggest issue, we’re better off having very secure passwords which cybercriminals can’t guess even if we have to write them down. Sure, it’s possible that a burglar will stop ransacking your house long enough to try hacking into your computer if he comes across your password list (which naturally will be labeled: Computer and Website Password List so he doesn’t miss it). But let’s admit it’s not very likely!
About now it’s also worth mentioning that we are all grownups here. Somehow the majority of us have learned to maintain possession of our keys, driver’s license, passport, and our walking-around money. Gee, do you think we can finally handle a list of our own passwords too? (If you’re uncertain on this point, you can skip my next few blogs too.)
So my tip of the day is this: whatever clever passwords you come up with, for gosh sakes write them down! Just keep them somewhere private and safe, like your sock drawer.
best,
cj