
Assume that you are drafting the User Identification and Authentication section


Question

Assume that you are drafting the User Identification and Authentication section of an IT Security Policy for an organization. Recognizing that:

- people do not always follow published laws,

- the generally accepted security principle is that passwords should never be written down, and

- research suggests that:

* more than one out of every three enterprise users keep a written record of their passwords, and

* 64% of end users report that they have written down their password at least once.

Should the policy prohibit passwords from being written down or permit passwords being written down in one of the “secured formats” referenced in the "Is It Okay to Write Down My Passwords? How To Do It Right" article (https://tiptopsecurity.com/is-it-okay-to-write-down-my-passwords-how-to-do-it-right/)?

Note, please do not make any references to Password Managers.

Explanation / Answer

Q1) Should the policy prohibit passwords from being written down or permit passwords being written down in one of the “secured formats” referenced in the "Is It Okay to Write Down My Passwords? How To Do It Right" article:

So, we should not write down our secret passwords in any format (secured/encrypted format), on sticky notes, at the back of a page, at the end of any notebook, etc., as there is a chance of them getting into the wrong hands, and eventually someone can decrypt our passwords and log in on our behalf.

Potential risks of writing passwords are described below:

But we can write down our secret passwords if we follow the right way, such as the ones mentioned below:

Lock it up or keep it on you - Best scenario, you have somewhere to lock it up like a drawer or better yet, a safe. If not, keep it on your person. In a purse or wallet. To keep it manageable, find a tiny notebook or use a folded scrap of paper.

Don’t write the usernames down - Never include any usernames with the passwords. This is very important. If you do, and someone finds your list on the sidewalk or steals your wallet, they’ll have all the information they need to get into your accounts.

Change them slightly - This may be the best thing you can do. Develop a system for slightly modifying your passwords as you write them down. For example, change or remove the third and fifth characters. Or add one character to the beginning and three to the end of each password.

Please let me know in case of any clarifications required. Thanks!