If your initial gut reaction is NO then you know how I first felt when I saw this popular password notebook on Amazon. I tweeted out my initial reaction and asked for opinions. I’m glad I did, turns out not everybody agrees and I learned something new. I’d love to share with you some of the responses and some additional questions I have as a result. Watch the video for the long version, as well as some short video clips of foggy & windy Norwegian nature.
Troy Hunt was one of the first people to reply. I have tremendous respect for this security expert, I’ve had several discussions with him and always enjoy our conversations. Turns out he had written a blog post about the notebook in question, and in short put forward the argument that having a physical password manager is better than not having one at all. Amanda Deblr was another person that joined the discussion and talked about less-able users. Not everybody is able to use tools such as KeyPass. And I have to agree, it might be challenging to convince my grandmother to use KeyPass. Throughout the discussions the reoccurring arguments for using a notebook were*:
(* please keep in mind that we are talking about users who cannot or won’t use password manager applications. Also, we are discussing single factor authentication- and the factor being a password)
The person will not reuse passwords since they don’t have to memorize them
The person will find it easier to create passwords that comply with increasingly complex password requirements
The notebook is kept in the persons home, thus it won’t be accessible to hackers
These are assumptions, valid assumptions. But I wonder, do the assumptions reflect actual behavior? I tried looking up studies on the topic, but the few I found were small and didn’t focus on behavior around writing down the passwords. What I did learn was that users want to be secure, but don’t know how. Changing passwords (often requirements at work) often led to password recycling and incremental passwords (adding an increasing number to a password). Having many passwords increased the likelihood that a person would write it down- and some would share their password, or have it accessible. Concerns were raised about giving complex and/or conflicting advice.
What I’m wondering is:
Will the person stop reusing passwords? As long as the person still has to come up with the password I’m inclined to think that people will keep reusing passwords nonetheless.
Will the person choose complex passwords? As above I’m thinking that people will choose something memorable (and thus not secure) since they still have to type it in (after locating the notebook and looking up the password).
Will the person keep the notebook secure? Will the person use a notebook at home, but not at work? Can it be a company policy breach? I’m concerned people will carry the notebook with them, not use it discreetly, and even share it with for example colleagues (one of the studies indicated that a few people were happy to share their passwords with colleagues).
Will the person opt to use a notebook over an application even if he/she is capable of using one?
Are we giving complex and conflicting advice- which means the risk of error increases? Can the advice be interpreted as “it’s okay to write down your password” and the password ends up on the computer monitor at work? What are the realistic options?
Here are some of the studies that I took a look at. Please keep in mind that the quality of studies always varies, and sometimes the study group is small and misrepresented. I can only assume that survey based studies have a tendency to attract people that are less security-minded since the questions could pose a risk and that could deter security-minded people 🙂
I have only looked at studies AFTER 2010, since user behavior has changed a lot over the last decade. For the search I used Google Scholar. I have NOT done a proper review/meta-analysis so this is a random pick from some of the studies I enjoyed reading.
Make sure you read the blog post by Troy, and the comments on the post.