Passwords: Complicated or Easy to Remember?

Theories on what constitutes a good password are always fodder for hot debates among information security folks. Should they be complicated (upside: hard to crack, downside: requires the user to write it down) or easy to remember (upside: don’t have to write it down, downside: easy to crack)?

A chief information security officer for a major federal agency, with whom I recently met, admitted he has flip-flopped on his opinion about which practice is the best. He informed me that he recently changed his mind, again. He now believes that complicated passwords (ones with lots of random numbers and letters, uppercase and lowercase) are the best. And if you have to write it down, that’s OK, he says. Why? Because the biggest threat this CISO now sees comes from the outside, especially hackers sponsored by a nation state or organized crime. The inside threat, a colleague who may use your password to gain access to files only you have access to, is not nearly as grave.

He says just make sure you frequently change the spot where you store that yellow sticky note on which your complicated password is written: under your phone, taped to the underside of your drawer, under your speakers, wherever.

Good idea?