As others said, you can't stop them. But you can remove the incentive.

Does your password policy require any of the following?

• Changing at regular intervals


• Manual entering (password managers blocked)


• Complex format (differing cases, special characters, etc.)

If so, you are actively incentivizing people to write the password down. Drop the outdated password policy and your users will be much more likely to play along.

Recommendations based on the new NIST guidelines. There is a nice summary here.

There is no way that you can be sure that a user hasn't written down their password. Even if you have complete access to their computer, what if they noted it down in their phone? Or on paper?

And even if you did have access to all their devices, you can only check that they haven't written down the password if you, as a sysadmin, yourself know the password. Which you shouldn't! Passwords should always be hashed, and never stored in plaintext or in a form which allows you to retrieve the original password.

What about password managers? They're known to significantly increase security since now the user only has to remember one passphrase and is less likely to use an easy-to-guess password for your system.

This is a social issue, which can only be solved by educating your users/employees about the dangers of leaving passwords written in plaintext around.

Install a camera behind their desk, better yet multiple cameras to cover all angles, and have somebody watch them.

You might be bothered by this being unethical but don't worry, it's in no way worse than almost any other way that achieves what you want to do.

About that almost:

Use "passwords" that cannot be reasonably represented in plaintext by a user. Fingerprint scans, keycards/dongles, 2 factor authentication, retina scans, ... any of them achieves what you want.

You don't.

By forbidding users to write down their passwords, you're forbidding them to use the second-best password manager in existence. People are generally quite good at protecting the contents of their wallets; a list of complex passwords written on a piece of paper stored between their driver's license and their credit card is about as secure as you can reasonably expect.

Instead of creating "don't do this" rules, provide your users with guidelines on how they should secure their passwords. If they've got a list of "Password Manager X, Password Manager Y, slip of paper in your wallet" to work from, they're far more likely to store their passwords securely than if you try to enumerate all they ways they shouldn't store their passwords and enforce it through punitive means.

What is your threat model?

I know I ask that counter-question to almost everything here, but most question about security never state what they actually try to secure against.

Are unauthorized people regularily in your environment and could spot passwords that are written down? If so, awareness in your users can be improved to this specific and easily understood threat, and it will have (some, limited) effect.

If your threat model is insiders, awareness tends to be much, much less effective. Officially forbidding the writing down of passwords, with a threat of sanctions, can gain a few percents of compliance, but is rarely effective to a degree that matters.

Giving people sanctioned ways to store passwords securely, such as a pre-installed password manager, will also give you some compliance and is probably the most user-friendly way to solve the problem.

The best way is to do away with passwords. If you have SSO that is actually relatively easy to do. All you need is a passwordless authentication to the SSO and go from there. From hardware token to smartphone apps to even using the smartphone itself as a token there are many solutions on the market already. Pick one. Because the only password that your users are guaranteed to never write down is the one that they don't even have.

First off, I agree with the answers that say that this is a bad idea for a variety of reasons.

Second, it appears that you are trying to use technology to solve a human problem. It is very, very rare for that to end well.

Instead of focusing on technical measures to prevent writing passwords down, such as cameras, non-pasteable password fields, and so on, you should focus on the (perceived or real) problem the users see which cause them to want to write down the passwords (or use insecure ones, or whatever the problem might be) in the first place.

One way of doing this might be to send out a notice to all employees along the lines of "if you are writing down, sharing or reusing your work-related passwords in any way, we'd love to know how and why" and offer a completely anonymous way of answering. (That latter is important, since people are usually more honest about imperfect security-related choices when they don't need to worry about getting into trouble for being honest.) For example, you could set up a physical box where people can drop pieces of paper with their answer, and which is clearly non-trivial to get into in a way that isn't visible. (It doesn't need to be tamper resistant, just tamper evident.) Then look at the answers you get.

If a large portion of the answers say something like "it's so hard to remember a new complex password every month", then fix that. The recent NIST guidelines aren't half bad, actually; to require a long password, to encourage using passphrases, but not set other complexity or renewal requirements, goes a long way.

If a large portion of the answers say something like "I use short passwords because it's so inconvenient to unlock the computer after it automatically locks after two minutes while I'm reading a web page", then fix that.

If a large portion of the answers say something like "I can't think of good passwords", then offer guidance on how to select good passwords. Diceware (sometimes referred to as "xkcd passwords" after xkcd 936) is a good start. This requires that the system supports long passwords, which any sanely built modern system will.

And so on.

The people who write passwords down insecurely are humans, and they are almost certainly doing it for human reasons, not technological. Human problems should be solved by human means, not technological ones.

As everyone has said, you don't.

You should consider whether passwords (single-factor authentication) are adequate for your needs. Even if all your users abive by password guidelines, there are other risks such as shoulder-surfers and key-loggers. A much better solution is two-factor authentication. There are various dongles that you can buy, or there's the free and open Google authenticator that can be installed on any smartphone. The user can have a fairly simple and easy to remember password and never needs to change it, because there is also a six-digit number that changes every thirty seconds, without which their password is useless.

Should perhaps add, a shoulder-surfer doesn't even have to be in the building. In my student days, somebody bought a telescope in, and showed everybody what could be seen through the windows of a tower-block hotel the better part of a kilometer away. Nobody bothered drawing the curtains on the 14th floor! Today, they probably would in a hotel by night, but in an office by day?

I realise I am late to party, but....

How can I ensure that they haven't done so by writing their password in emails, scripts, documents or files

You Can't. Not practically.

Passwords are a single layer authorisation mechanism. If you care about passwords being "written" or recorded then you need to:

• Quantify the risk factor and mitigate these risk types. What is the risk if someone else reads the password? If it's a fellow employee, a member of the public? Add security layers to mitigate these risks (such as asking for additional information at login)




• If doing things such as tracking your userbase keylogs, tracking your userbase physical movements, tracking anything about your userbase in real-time in order to ensure they are not plaintexting their passwords, then you really, really need to up your game, and instead of spending thousands trying to soup up your old ford cortina, invest in a Nissan Skyline and give your userbase hardware-token-authentication and 2FA credentials.




• Encourage better user behaviour. Remembered passwords are easy to remember and by this nature are going to be weak - So you have a choice between a complex password that more people will write down, for reference, or a simple password which is exponentially easier for a machine to brute force or otherwise compromise. So heavily pressure and encourage your userbase to use a Password Manager. So that they can use complex passwords without needing to remember them OR write them down.

I repeat; if you care this much about your users not writing down their passwords you must provide them with valid and reliable alternatives, as detailed on various answers here.

The typical way to enforce this is with a Clean Desk Policy. But I like your question; I think the solution can be brought to a ridiculous extreme :)

It is common to enforce character groups, like lowercase, uppercase, etc.

If you could set a reasonable minimum length, set a very low lockout threshold, and then enforce the inclusion of a character group "circles" [ o, O, 0 ] and enforce the use of a character group "lines" [ I, l, 1, | ] then you could theoretically make a written-down password have a very low utility value.

If your users are bilingual, you have even more options; e.g. [ c C с С ] etc.

OK, the above is a borderline joke, and should illustrate how futile it is to "check that users don't [do something]". BUT: isn't there a carrot and a stick?

If you read NIST 800-63 you will find new advice to let users choose their own passwords freely, and not to force them to rotate unless there is reason to believe the password is compromised. To wit:

Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.

If the passwords are not difficult for users to remember, then wouldn't that go a long way to prevent them being written down?

Make your passwords into non-textual ones. Like they can pick from a random set of images. Whatever is not easy to write down.
Here is what Wikipedia has on it today:

"Non-text-based passwords, such as graphical passwords or
mouse-movement based passwords.[70] Graphical passwords are an
alternative means of authentication for log-in intended to be used in
place of conventional password; they use images, graphics or colours
instead of letters, digits or special characters. One system requires
users to select a series of faces as a password, utilizing the human
brain's ability to recall faces easily.[71] In some implementations
the user is required to pick from a series of images in the correct
sequence in order to gain access.[72] Another graphical password
solution creates a one-time password using a randomly generated grid
of images. Each time the user is required to authenticate, they look
for the images that fit their pre-chosen categories and enter the
randomly generated alphanumeric character that appears in the image to
form the one-time password.[73][74] So far, graphical passwords are
promising, but are not widely used. Studies on this subject have been
made to determine its usability in the real world. While some believe
that graphical passwords would be harder to crack, others suggest that
people will be just as likely to pick common images or sequences as
they are to pick common passwords."

Wikipedia contributors. "Password." Wikipedia, The Free Encyclopedia. Wikipedia, The Free Encyclopedia, 25 Jun. 2019. Web. 5 Jul. 2019.

For example if you used the faces method, you could use random stock images of people. So they can't just write down Steve from sales.
If the images are very similar and just show a plain portrait. They can also not write down something like the woman with the red scarf or the guy with big ben in the background.

Use certificates or device-based authentication. Yes, this doesn't answer your question straight, but provides a different approach to the problem.

As pointed out by others, you can't enforce anything that will prevent a user to write their password down. So... my advice is to throw passwords.

A certificate-based authentication system does not require passwords (rather, the private key may be password protected), and perhaps doesn't even allow to back up the private keys.

Please take my answer as an inspiration. You have few choice. As one commented here, you can still cut the fingers from your employees, but I doubt they will be able to input the password that now they remember.