Microsoft Security Guru speaks, and it's wrong

I just read this article on news.com entitled “Microsoft security guru: Jot down your passwords”.

Let's quickly skip past the fact that this guy already has zero credibility with me, as he is a ‘security guru’ who works at Microsoft. If that were the case and he had any sort of authority in the company (as any software vendor's security department should), he would have instituted rigorous security audits and regression testing on MS products by now.

He says that it's okay to let people write down passwords, because otherwise it will encourage them to use the same weak password on every system. This has a little bit of logic to it but is overall flawed and false. They will still use the same crappy password; it will just have an extra number in it someplace. And they will still use it on all systems, only now it's written down, most likely on a Post-it note under their keyboard.

All these different security professionals have different opinions on best practices, and that's fine… but when they spout them off at conferences and in writing, it confuses end users. The IT people are (generally) smart enough to decide on their own… but the end users use this crap to throw in the faces of IT people, who then have to explain why this guy is wrong.

I think it should all come down to the org's security policy, and it should be fluid.