Go Ahead and Put Your Password on a Post-It Note
Many are shaming the Hawaii Emergency Management Agency for keeping passwords on post-its, but the practice isn’t always a terrible idea.
On Saturday, people in Hawaii and across the world panicked after the state's emergency agency sent out an alert warning of an incoming ballistic missile. Luckily, the alert was a false alarm, caused by an employee clicking the wrong button on his computer.
After the panic came the reckoning. How could the Hawaii Emergency Management Agency make such a mistake? The Federal Communications Commission announced that it would investigate the "absolutely unacceptable" mistake, as FCC Chairman Ajit Pai put it.
Then, someone found a photo from July showing a HEMA officer posing in front of computer screens adorned with a couple of post-its. One of them, as it turns out when you zoom in carefully, spells out: "Password: warningpoint2."
The internet caught on and began making fun of HEMA and its terrible opsec.
“These people are just as incompetent as you'd expect from a gov't employee,” said someone on Twitter.
Another joked: “The deep state apparently uses Password Post-it Keeper™.”
“You have to write your password on the back of the post-it note to be secure,” wrote a Redditor.
In reality, however, it's often perfectly fine to have a password written on a sticky note. Of course, that depends on which password we're talking about (please don't use 123456 as a password, ever), which screen it's attached to, and whether photographers or TV crews are coming to film your office.
In other words: it depends on your threat model.
If you have a faulty memory and want to make sure you can unlock your home computer with your new multi-word passphrase, then by all means put the passphrase on a piece of paper until you've memorized it. You could even keep a dedicated paper notebook as a physical, offline password manager.
That's much more secure than writing down all your passwords in an unencrypted text file on your computer, or reusing the same password for all your accounts. Generally speaking, the risk of someone breaking into your home to read that sticky note or notebook is far lower than the risk of someone infecting your computer with malware and harvesting every password stored on it, or of someone pulling your old password out of a hacked video game forum's database and using it to log in to your PayPal account because it shares the same password.
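The arithmetic behind the "multi-word passphrase" advice above, as an added example that is not part of the original article: the script below draws a passphrase from a wordlist with the `secrets` module (a CSPRNG, unlike `random`) and computes how many bits of guessing work a uniformly chosen passphrase or password represents. The wordlist here is a constructed sample; a real Diceware list has 7776 words, which is the size used in the entropy comparison. The post-it itself does not weaken the passphrase, only whoever can read the post-it does, so the point is to pick something that is strong to guess and unique per account.

```python
import math
import secrets

# Constructed sample wordlist for illustration only (assumption: a real
# Diceware-style list has 7776 words; use that for actual passphrases).
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pepper",
]
DICEWARE_LIST_SIZE = 7776


def passphrase_entropy_bits(wordlist_size: int, word_count: int) -> float:
    """Bits of entropy for word_count words drawn uniformly and independently
    from a list of wordlist_size words: log2(wordlist_size ** word_count)."""
    return word_count * math.log2(wordlist_size)


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for a length-character password drawn uniformly from a
    charset of charset_size symbols (only true for randomly generated ones;
    a human-chosen password like 'warningpoint2' has far less)."""
    return length * math.log2(charset_size)


def generate_passphrase(wordlist, word_count: int = 6, separator: str = " ") -> str:
    """Pick word_count words with secrets.choice (cryptographically secure);
    words may repeat, which keeps every draw uniform and the entropy math exact."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def compare_strength() -> dict:
    """Return the entropy, in bits, of a few candidate secrets side by side."""
    return {
        # six Diceware words: roughly 77.5 bits
        "6 diceware words": passphrase_entropy_bits(DICEWARE_LIST_SIZE, 6),
        # eight random lowercase letters: roughly 37.6 bits
        "8 random lowercase letters": password_entropy_bits(26, 8),
        # twelve random printable ASCII characters (95 symbols): roughly 78.8 bits
        "12 random printable ASCII chars": password_entropy_bits(95, 12),
    }


if __name__ == "__main__":
    for label, bits in compare_strength().items():
        print(f"{label:32s} {bits:6.1f} bits")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Six words from a 7776-word list give about the same search space as twelve random printable characters, which is why a passphrase is the thing worth writing down until memorized: it is strong against online and offline guessing, and it is easy to copy from paper. The number on the post-it in the photo gains nothing from this math, because it was chosen by a person and then published.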
In general, we still recommend software password managers. But don't listen to the security absolutists and tweet-shamers who are gloating over what is admittedly a mistake on HEMA's part. Think about what your threats are, and how to protect against them. That's how you, and everyone else, will be more secure.
Of course, if you're working at a sensitive government post, you need to worry about a lot more, especially if you invite cameras into your office and broadcast it to the world.
Got a tip? You can contact this reporter securely on Signal at +1 917 257 1382, OTR chat at firstname.lastname@example.org, or email email@example.com