Security mentor recommends writing down passwords
Via email, Fred Wamsley provided a persuasive counterpoint to my post about what to do when your users keep writing down their passwords. He says, let ‘em, on one condition: they don’t keep the written passwords anywhere around their desk. He has more to say, and it is worth your time to read.
Fred, in his role as The Security Mentor, wrote on this issue back in 2004 in “Heresy: Write Down Your Password.” His viewpoint echoes musings from Bruce Schneier, but I prefer Fred’s post. Because he writes so simply and clearly, his article stands the test of time. He also points out in a more recent blog entry that sometimes you have to write passwords down. Some servers might need their passwords stored in a vault for disaster management.
No one writing about network security is easier to understand than Fred. When I have a networking concept I need to communicate to non-technical employees, I sometimes check Fred’s blog to see if he’s covered it. If he has, he always has an apt metaphor or concise way of stating it. Security Mentor probably belongs on your list of bookmarked blogs. And in case his Mentor blog is a little too simple for you, you might prefer his more technical blog, The Security Nerd.
Thanks to Fred for reading and commenting. And we haven’t even touched on yet another favorite password solution: letting users store them in an encrypted database, so that all they have to remember is the one password that decrypts the database. I hope the main point of my previous post remains: you can enforce strong passwords without resorting to passwords that resemble (in Fred’s words) “cartoon swearing.” — D. Scott Pinzon, CISSP
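To make that last point concrete, here is an added example (my own illustration, not code from Fred's blog or from the earlier post) that puts two password policies side by side. Policy A is the usual "one of each character class" rule set that pushes people toward cartoon swearing; Policy B has no class rules at all, only a minimum estimated entropy plus a dictionary check that undoes common substitutions. The common-word set, the leet mapping and the 16-entry word list are constructed for the demo; a real deployment would use a breached-password list and a word list of thousands of entries.

```python
"""Added example: character-class policy versus entropy policy.

With Policy B a long plain-language passphrase passes while a short,
symbol-studded dictionary word such as P@ssw0rd! does not. All data
below (COMMON_WORDS, LEET, WORDLIST) is constructed for illustration.
"""
import math
import re
import secrets

# Policy A: the traditional "one of each class" rule set.
CLASS_RULES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)

# Constructed stand-in for a real breached-password list.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}

# Undo the usual substitutions so "P@ssw0rd" normalises back to "password".
LEET = str.maketrans("@4$5013|", "aassolel")

# Constructed word list; real lists (e.g. diceware-style) have thousands of words.
WORDLIST = ("correct", "horse", "battery", "staple", "copper", "lantern",
            "river", "maple", "orbit", "velvet", "pencil", "glacier",
            "falcon", "meadow", "quartz", "tunnel")


def passes_class_policy(pw: str, min_len: int = 8) -> bool:
    """Policy A: at least min_len characters and one from every class."""
    return len(pw) >= min_len and all(r.search(pw) for r in CLASS_RULES)


def pool_size(pw: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation plus space
    return pool


def estimated_bits(pw: str) -> float:
    """Upper-bound entropy, len * log2(pool).

    This is generous: it measures the brute-force space only if the password
    were truly random over that alphabet, which is why it is paired with the
    dictionary check in passes_entropy_policy().
    """
    if not pw:
        return 0.0
    return len(pw) * math.log2(pool_size(pw))


def normalise(pw: str) -> str:
    """Lower-case, undo leet substitutions, and drop everything but letters."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def passes_entropy_policy(pw: str, min_bits: float = 60.0) -> bool:
    """Policy B: no class rules, just enough estimated entropy and no
    common word hiding behind substitutions or appended digits."""
    norm = normalise(pw)
    if any(word in norm for word in COMMON_WORDS):
        return False
    return estimated_bits(pw) >= min_bits


def generate_passphrase(n_words: int = 5, words=WORDLIST) -> tuple[str, float]:
    """Return a random passphrase and its exact entropy, log2(len(words)) per
    word: each word is an independent uniform choice, so unlike estimated_bits()
    this is not an estimate. With only 16 words it is weak; the per-word bits
    scale with the list size."""
    phrase = " ".join(secrets.choice(words) for _ in range(n_words))
    return phrase, n_words * math.log2(len(words))


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "letmein123", "correct horse battery staple"):
        print(f"{candidate!r}: class policy={passes_class_policy(candidate)}, "
              f"entropy policy={passes_entropy_policy(candidate)}, "
              f"est. bits={estimated_bits(candidate):.1f}")
    phrase, bits = generate_passphrase()
    print(f"generated: {phrase!r} ({bits:.1f} bits from a {len(WORDLIST)}-word list)")
```

Run as a script it shows the inversion the post is arguing for: `P@ssw0rd!` satisfies every class rule yet is rejected by the entropy policy because it normalises to `password`, while `correct horse battery staple` fails the class rules (no upper-case letter, no digit) and passes the entropy policy comfortably. The dictionary check is what carries the weight; the length-times-alphabet estimate alone would rate `P@ssw0rd!` at just under 60 bits.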