Uh, yeah they are, if they're not stored in a secure place.  Sticky notes,
by design, are meant to be placed somewhere convenient to the user, which,
to me, suggests somewhere out in the open.  That's completely different
from a sheet of paper containing some common passwords necessary to certain
functions being in a locked file cabinet, with a limited set of users of
said file cabinet having keys.
So writing passwords down isn't necessarily bad, based on where the data is
actually stored and how it is secured.  Writing on a sticky note suggests
that the data isn't well secured, and that storage is accessible to someone
who can easily see the contents of your work area.  Do you have external
cleaning staff?  Or heck, even internal after hours cleaning staff?  How
can you be sure that the password hasn't been used by them?
On Fri, Mar 16, 2012 at 11:58 AM, Crawford, Scott <crawfo...@evangel.edu> wrote:

>  Agreed. Just pointing out that in an office with doors and walls and
> other various physical security measures, sticky note passwords aren't
> *necessarily* as horrible an idea as we like to joke about.
>
>
> Sent from my Windows Phone
>  ------------------------------
> From: Andrew S. Baker
> Sent: 3/15/2012 5:26 PM
>
> To: NT System Admin Issues
> Subject: Re: Worth some consideration...
>
> I'd rather not accept a false dilemma.
>
>  There is no reason to have either of the options presented, as both are
> bad.
>
> *ASB*
> *http://XeeMe.com/AndrewBaker*
> *Harnessing the Advantages of Technology for the SMB market…*
>
>
>
> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott <crawfo...@evangel.edu> wrote:
>
>>  I'd rather have "good" passwords written down on a sticky note
>> accessible only to a limited number of coworkers than "bad" passwords that
>> can be exploited by any black-hat on the internet.
>>
>> Sent from my Windows Phone
>>  ------------------------------
>> From: Heaton, Joseph@DFG
>> Sent: 3/15/2012 11:07 AM
>> To: NT System Admin Issues
>> Subject: RE: Worth some consideration...
>>
>>
>>  Wait… I’m NOT supposed to write my password on a sticky note?  How am I
>> supposed to let my coworker use my login, then?
>>
>>
>>
>> Joe Heaton
>>
>> ITB – Windows Server Support
>>
>>
>>
>> *From:* Andrew S. Baker [mailto:asbz...@gmail.com]
>> *Sent:* Thursday, March 15, 2012 7:49 AM
>> *To:* Heaton, Joseph@DFG; NT System Admin Issues
>> *Subject:* Re: Worth some consideration...
>>
>>
>>
>> That's an implementation problem.
>>
>>
>>
>> If I choose a passphrase of "Mary had a little lamb" then of course that
>> will be relatively weak as passphrases go.  That is not an inherent
>> weakness of passphrases, but of people.
>>
>>
>>
>> Lots of things are undermined by poor choices.   Completely random 20
>> character passwords with a unicode character set are undermined by having
>> them posted on sticky notes.
>>
>>
>>
>> We didn't need a whole article to point that out.
>>
>>
>>
>> *ASB*
>>
>> *http://XeeMe.com/AndrewBaker*
>>
>> *Harnessing the Advantages of Technology for the SMB market…*
>>
>>
>>
>>  On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <kurt.b...@gmail.com> wrote:
>>
>>
>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>
>> By Dan Goodin
>> Ars Technica
>> March 14, 2012
>>
>> Passwords that contain multiple words aren't as resistant as some
>> researchers expected to certain types of cracking attacks, mainly
>> because users frequently pick phrases that occur regularly in everyday
>> speech, a recently published paper concludes.
>>
>> Security managers have long regarded passphrases as an
>> easy-to-remember way to pack dozens of characters into the string that
>> must be entered to access online accounts or to unlock private
>> encryption keys. The more characters, the thinking goes, the harder it
>> is for attackers to guess or otherwise crack the code, since there are
>> orders of magnitude more possible combinations.
>>
>> But a pair of computer scientists from Cambridge University has found
>> that a significant percentage of passphrases used in a real-world
>> scenario were easy to guess. Using a dictionary containing 20,656
>> phrases of movie titles, sports team names, and other proper nouns,
>> they were able to find about 8,000 passphrases chosen by users of
>> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
>> percent of the available accounts. The promise of passphrases'
>> increased entropy, it seems, was undone by many users' tendency to
>> pick phrases that are staples of the everyday lexicon.
>>
>> "Our results suggest that users aren't able to choose phrases made of
>> completely random words, but are influenced by the probability of a
>> phrase occurring in natural language," researchers Joseph Bonneau and
>> Ekaterina Shutova wrote in the paper (PDF), which is titled
>> "Linguistic properties of multi-word passphrases." "Examining the
>> surprisingly weak distribution of phrases in natural language, we can
>> conclude that even 4-word phrases probably provide less than 30 bits
>> of security which is insufficient against offline attack," the paper
>> says.
>>
>> [...]
>>
>>

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
