On Sat, 2011-04-16 at 23:43 -0600, Shane Hathaway wrote:
> Would you actually advise the public to write down their passwords,
> knowing that people leave their wallets or purses unattended quite
> frequently?  Stealing a written password requires only a glance or a
> camera.  There could easily be no evidence whatsoever of the password
> theft.  Written passwords are not at all equivalent to physical security
> tokens.

Yes, I would. Too many people base their notions of "proper" security on
received lore instead of considering threat models and human behavior.
First of all, we're not talking about nuclear launch codes; we're
talking about email and bank logins.

The primary threat model is brute force, drive-by attacks. Most people
don't want to memorize complex passwords, and don't value their account
enough to spend the effort required to pick good passwords and change
them regularly. If you give them permission to write the password down,
they'll be more willing to pick a higher quality password.

Sure, a pickpocket could steal their wallet, but that's already a threat
they're used to. Personally, I'm much more worried about identity theft
than I am about someone reading my email. Sure, someone at Starbucks
could snap a picture of the post-it note in their wallet while they pay
for a hot chocolate, but is that really a threat model that's worth
worrying about? For Joe Public? Or even J. Random Employee?

Very few people are or ever will be subject to an attack directed
against them specifically. If an employee has significant access to
sensitive health or financial data, there's a higher standard. Implement
multi-factor authentication, robust auditing, etc. But don't expect a
lecture about password safety to accomplish much.

Experience has shown that the majority of people do not want to think
much about security. Instead of pursuing a theoretical, mathematical ideal,
it's time to acknowledge human psychology.


/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
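The reply above argues that the dominant threat is brute-force, drive-by guessing and that letting people write passwords down buys longer, higher-quality passwords. The following script, added here as an illustration and not code from the thread or its author, puts numbers on that trade-off: it computes the search space, entropy and expected brute-force time for a short memorized password versus a longer written-down one under several guess rates. The guess rates and the two example policies are constructed assumptions, not figures from the discussion.

```python
"""Brute-force cost comparison for the 'write it down' argument.

Added example; the guess rates below are assumptions chosen to
illustrate rate-limited online guessing versus offline hash cracking.
"""
import math

# Constructed guess rates (guesses per second), not figures from the thread.
GUESS_RATES = {
    "online_rate_limited": 10.0,   # login form with throttling
    "offline_slow_hash": 1e4,      # leaked database hashed with a tuned slow KDF
    "offline_fast_hash": 1e10,     # leaked database hashed with a fast, unsalted hash
}

# Alphabet sizes for uniformly random passwords drawn from each class.
CHARSET_SIZES = {
    "lowercase": 26,
    "lower+digits": 36,
    "mixed+digits": 62,
    "printable_ascii": 95,
}


def search_space(charset_size, length):
    """Number of distinct passwords of `length` chars over the alphabet."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password; human-chosen ones are lower."""
    return length * math.log2(charset_size)


def expected_crack_seconds(charset_size, length, guesses_per_second):
    """Expected time to hit a random password: half the space, on average."""
    return search_space(charset_size, length) / 2 / guesses_per_second


def human_duration(seconds):
    """Render seconds as a coarse human-readable duration."""
    units = [("seconds", 60), ("minutes", 60), ("hours", 24), ("days", 365.25)]
    value = seconds
    for name, factor in units:
        if value < factor:
            return f"{value:.1f} {name}"
        value /= factor
    return f"{value:.1f} years"


def compare_policies(policies, rates=GUESS_RATES):
    """Map policy name -> {rate name -> expected crack seconds}.

    `policies` is a dict of name -> (charset name, length).
    """
    results = {}
    for name, (charset, length) in policies.items():
        size = CHARSET_SIZES[charset]
        results[name] = {
            rate_name: expected_crack_seconds(size, length, rate)
            for rate_name, rate in rates.items()
        }
    return results


# Two constructed policies: a short password people will memorize versus a
# longer random one they are allowed to write down.
EXAMPLE_POLICIES = {
    "memorized": ("lowercase", 8),
    "written_down": ("mixed+digits", 14),
}

if __name__ == "__main__":
    for name, (charset, length) in EXAMPLE_POLICIES.items():
        size = CHARSET_SIZES[charset]
        print(f"{name}: {length} x {charset}, "
              f"{entropy_bits(size, length):.1f} bits")
    for name, per_rate in compare_policies(EXAMPLE_POLICIES).items():
        for rate_name, secs in per_rate.items():
            print(f"  {name:13s} {rate_name:20s} {human_duration(secs)}")
```

The online row is what a drive-by attacker against a live login actually faces; the offline rows are what matters once a password database leaks, which is where the extra length of a written-down password pays for itself.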