I still don’t ‘get’ the logic that bars employees from using password managers or writing down passwords on slips of paper. In that scenario, I’d probably carry a pad of paper, leaving it in my car in the car park. Each time I need to change password, I’d make a note after I’d left the office, whilst fresh in mind. And each morning, I’d check it, so I could remember it long enough to get to my desk. And then, rules being rules, rather than carry that slip of paper safely in my wallet, I’d leave it in my car, with password visible to anybody who gained sight.
Interestingly, one of the GCHQ/NCSC links I provided earlier actually suggests that users should be encouraged to use password managers, or to simply write them down.
https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks
It also makes the point, as I interpret it, that while passwords might be relied upon by users to protect their own data, they should not be relied upon by systems providers as a means of protecting organisation data...
i never said anyone was barred from using a piece of paper, only that paper/notepads are not permitted on the workfloor.
password managers (although i am against them in general) would then require the user to have yet another username/password (to gain access to the password manager), and as hot-desking is quite common what's to stop them from forgetting the password for that? and if they need to remember it, what stops them from making it an easily guessed password? seeing as they couldn't, i assume, store that password in the password manager.
leaving the piece of paper in your car is fine as the system in question has no external/public access, it's purely internal, so unless it was another member of staff that saw the piece of paper with all your passwords on it, it wouldn't be an issue.
if someone other than the owner was to use the password on that piece of paper to gain access to the system then both would be dismissed. 1 for breach of computer misuse act and the other for allowing username/password data to be breached.
anyway, we've drifted quite far off the original topic, which was a question about how to do something. it wasn't a question about whether something should be done.