The other day I read this article on Threatpost.com:
http://threatpost.com/en_us/blogs/why-you-should-write-down-your-passwords-070610
The article makes the case that people now have so many passwords that we can't reasonably expect them to remember them all. It also makes the case that malware is so pervasive that we can't expect passwords to be secure even in password management software like KeePass.
There are things I like about this article, and things I don't like about it. The main thing I don't like is that a lot of statistics are thrown about without a whiff of citation. On the other hand, the advice is sound, and it is something I have been recommending as one way of remembering passwords.
Yes, I agree that we're probably safer if people can just remember their password, and that's why I advocate that users select pass phrases that are easy to remember but difficult to crack. For a while my password was 'My password is awesome!' Tell me you can't remember that. But some people just aren't going to do that, so the next best alternative is to write it down.

What I tell people is that if you keep your password in your wallet, then someone would have to steal your wallet to get your password. You're very likely to realize that your wallet is missing shortly after it disappears. You're very unlikely to notice if I lift up your keyboard and copy down your password. It also seems unlikely that I could steal your wallet, write down your password, and return your wallet without you noticing. Possible, yes; but unlikely.
This is an actual photo from my office by the way. No, it's not my machine.