by jaabe 2574 days ago
We’re required to have password expiration by law in the public sector of Denmark. So I’m sure we’ll continue to have it for at least some years to come.

I must admit I never really understood the function of it. Obviously lifetime access is more damaging than 3 months' access, but the truly devastating thing is the unauthorised access itself, not the length of it. Also the policy results in really bad practices like people using summer2019 as their password or writing their current password down on Post-its. We tried blocking stuff like summer2019, but people get really creative. People also forget to renew their passwords, costing hundreds of hours in the process.

We have 2FA now, which will soon be required by our adoption of the GDPR, but you have to wonder why we didn’t get that decades ago instead of the password expiration.


Writing passwords on paper is recommended by security professionals, in the common case where your physical security is far more trustworthy than your digital security, because it supports the use of long, strong passwords. A 2FA device is very similar to a Post-it note.
Actually most security professionals have a serious downer on writing passwords down.

I can see some circumstances where it could make sense, as you say, where physical security concerns are less of an issue.

That said I wouldn't say a 2FA device is like a post-it note really.

Assuming you're thinking about TOTP like Google Authenticator, access to the codes is protected by the device's security, which adds a bit more to it than a Post-it under a keyboard.

For example Bruce Schneier recommends writing down the password and keeping it in a relatively safe place like the wallet (where people keep other sensitive information like credit card numbers).

https://www.schneier.com/blog/archives/2005/06/write_down_yo...

I don't think anyone recommends writing down the password on a Post-it note and putting it on the computer screen at work.

Even then, if it's an OS password (drive encryption n/inc) and they have physical access to the disks containing assets then it's already game over.
I briefly worked at a place that enforced quarterly password changes and I literally used <Season><Year> as my password. I am not good at remembering passwords and I don't think I'm that unusual. Writing them down seemed worse than using a poor password that I can at least remember.

Probably these days if forced I would use <Prefix><Season><Year>. I don't know how much better that is. But luckily now I work for myself.
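The `<Season><Year>` and `<Prefix><Season><Year>` habit described here is what slips past the literal blocklist mentioned in the top post; a pattern-based check catches the whole family instead of one spelling. This is an added Python example, not code from anyone in the thread; the season list, the separator set and the leet-substitution table are assumptions.

```python
import re

# Assumed season vocabulary; extend for other languages as needed.
SEASONS = ("spring", "summer", "autumn", "fall", "winter")

# Assumed substitutions people use to dodge a literal blocklist (5umm3r etc.).
LEET_ALTS = {"a": "[a4@]", "e": "[e3]", "i": "[i1!]", "l": "[l1]",
             "o": "[o0]", "s": "[s5$]", "t": "[t7]"}


def _leet_pattern(word: str) -> str:
    """Turn 'summer' into '[s5$]umm[e3]r' so leet variants still match."""
    return "".join(LEET_ALTS.get(c, c) for c in word)


# Season, optional separator, then a 4-digit (19xx/20xx) or 2-digit year.
# The search is unanchored, so prefixes and suffixes do not help the user.
SEASON_YEAR = re.compile(
    r"(?P<season>" + "|".join(_leet_pattern(s) for s in SEASONS) + r")"
    r"[\s_\-.]*(?P<year>(?:19|20)\d{2}|\d{2})(?!\d)",
    re.IGNORECASE,
)


def season_year_match(password: str):
    """Return (canonical_season, year) if a season+year pattern is embedded, else None."""
    m = SEASON_YEAR.search(password)
    if not m:
        return None
    raw = m.group("season")
    season = next(s for s in SEASONS
                  if re.fullmatch(_leet_pattern(s), raw, re.IGNORECASE))
    return season, m.group("year")


def check_password(password: str, blocklist=()):
    """Policy check combining a literal blocklist with the pattern match.

    Returns (ok, reason). Literal blocklist hits are reported first so the
    two mechanisms can be compared on the same input.
    """
    if password.lower() in {b.lower() for b in blocklist}:
        return False, "password is on the blocklist"
    hit = season_year_match(password)
    if hit:
        return False, f"matches season+year pattern ({hit[0]}{hit[1]})"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the literal list only stops the first one.
    for pw in ("summer2019", "Acme-Summer2019!", "5umm3r_19", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, ['summer2019'])}")
```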

How often have you had information stolen off a credit card, passport, driver's license, insurance card, or other item with sensitive information printed on it that you routinely carry around in your wallet?

For most people, the answer is "never".

We are actually quite good at safely keeping secrets on paper in our wallets, and so generally writing down a password and keeping it there is fine, especially if the choice is between doing that with a strong password or using a weak password that you memorize.

Plus, people usually have a better memory than they give themselves credit for. With a reasonably short random password (say, 10-12 chars, uppercase, lowercase, digits) that you use often, you will memorize it after a week, at which point you can simply destroy the Post-it note you carried in your wallet.
Plus, if your wallet gets stolen, you will know that someone potentially has your password, and can change it.
Writing it down is much better than using a guessable password. Your physical location is more secure than a password in a rainbow table.