On Sun, 02 Mar 2014 18:52:40 -0700, Ian Kelly wrote:

> On Sun, Mar 2, 2014 at 6:16 PM, Steven D'Aprano
> <steve+comp.lang.pyt...@pearwood.info> wrote:
>> People have managed physical keys for *centuries*. Yes, there are a
>> class of threats where you lose your key, or someone steals it, or
>> makes a copy, but the risks are well-understood and can be managed even
>> by your grandmother. We have good solutions for those problems that
>> work well, and many of them apply just as well to sticky notes with
>> secure passwords written on them.
>
> I don't know how well the analogy holds up. People protect their keys,
> because a) if they lose them, they can't get into their house or
> business, and b) if they're stolen, somebody else could gain access and
> steal expensive items from them.

A bit like the password to your bank account, or for that matter your
Facebook account.

> People are less likely to protect
> their sticky notes, because a) nobody is going to steal a piece of
> paper,

Oh really? Chances are your wallet is *full* of pieces of paper that
people would steal, given half the chance.

> and b) if it does go missing, the IT guy is just one phone call
> away,

Last time I had to call my bank to unlock my account, it took two phone
calls and nearly three hours of elapsed time. And I was lucky I didn't
have to physically go in to a branch and show photo ID.

> and c) who would want to break into my desktop anyway? I don't
> have any trade secrets in there.

Who would want to steal somebody else's identity?

I'm not saying that people are born with an intuitive understanding of
the security issues of a modern technological society. But they can
*learn* (perhaps only after they get burned) that they need to protect
their computer accounts, including their desktop.

Having learned that, they're screwed: even in the (uncommon) case that
their account will support a cryptographically strong passphrase, most
people need a dozen or more different passwords and/or passphrases. (I
have about 50, only a dozen of which I keep in my head.) Who is going
to remember a 12 character high-entropy string for an account they only
use once a year? Most people have trouble remembering four-digit PINs if
they don't use them regularly.

We cannot solve the social problem that people *don't* care about
security with a technical solution, but we might be able to solve the
problem that people *can't* remember sufficient passphrases and
passwords for their needs. Lacking a technical solution for that, for
most people, under many practical threat models, writing down your
strong passwords on bits of paper which you then keep safe is better
than using weak passwords, using one strong password for everything, or
trying to remember a dozen strong, independent passwords.

-- 
Steven
-- 
https://mail.python.org/mailman/listinfo/python-list
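As an added illustration (not part of Steven's message or anything else in the thread), the script below puts numbers on the comparison made above between a four-digit PIN and a "12 character high-entropy string", and shows how such a string should actually be produced. The 94-symbol printable-ASCII alphabet, the 7776-word Diceware-sized list, the tiny stand-in word list and the 10^9 guesses/second offline cracking rate are all assumptions chosen for the demo, not figures from the thread.

```python
import math
import secrets
import string

# Assumed alphabets for the schemes discussed in the thread.
PIN_DIGITS = string.digits                                              # 10 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation   # 94 symbols

# Constructed toy word list standing in for a real Diceware-style list
# (a real list has 7776 words; this one exists only so the demo runs offline).
TOY_WORDLIST = ["apple", "river", "stone", "cloud", "tiger", "maple", "ocean", "ember"]

# Assumed offline guessing rate against a fast password hash (an assumption,
# not a figure from the thread).
GUESSES_PER_SECOND = 1e9


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size).
    Only valid when every symbol really is chosen uniformly and independently."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every possibility at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second


def generate_secret(alphabet: str, length: int) -> str:
    """Uniformly random string from the OS CSPRNG via `secrets` (never `random`,
    whose Mersenne Twister output is predictable)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int, sep: str = " ") -> str:
    """Diceware-style passphrase: `words` words chosen uniformly from `wordlist`."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare_schemes(wordlist_size: int = 7776) -> dict:
    """Entropy of the schemes mentioned in the thread, plus a six-word passphrase
    from a Diceware-sized list for comparison. Returns {name: (bits, seconds)}."""
    schemes = {
        "4-digit PIN": (len(PIN_DIGITS), 4),
        "8 lowercase letters": (len(string.ascii_lowercase), 8),
        "12 printable ASCII chars": (len(PRINTABLE), 12),
        "6-word passphrase": (wordlist_size, 6),
    }
    return {name: (entropy_bits(size, length), seconds_to_exhaust(entropy_bits(size, length)))
            for name, (size, length) in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:26s} {bits:6.1f} bits  exhaustive search ~{secs:.3g} s")
    print("sample 12-char secret:       ", generate_secret(PRINTABLE, 12))
    print("sample passphrase (toy list):", generate_passphrase(TOY_WORDLIST, 6))
```

The six-word passphrase lands within about a bit of the 12-character random string (roughly 77.5 versus 78.7 bits) while being far easier to read off a piece of paper or to remember, which is the practical point behind keeping the written-down copy safe rather than weakening the secret.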