begin quoting Tracy R Reed as of Tue, Sep 19, 2006 at 03:46:29PM -0700:
> Stewart Stremler wrote:
> >...on a post-it stuck underneath the keyboard, or on the slide-out
> >writing surface next to the desk.
> >
> >Putting valuables in your sock drawer gives a warm feeling of security,
> >but hardly slows down an intruder.
>
> You first assume that I have an intruder. And that he goes through my
> sock drawer. And that he knows what he has when he finds the passwords.
> But in reality this has never happened and is so unlikely that it is a
> perfectly acceptable risk. I don't have meteoroid strike insurance on my
> house either. Same idea.

...which means that a post-it underneath the keyboard is just as good.

And yet... we generally disdain using post-its under the keyboard as a mechanism for remembering passwords. So either your justification flies, and we've been wronging all those post-it-under-the-keyboard users all these years, or it doesn't.

> >A list of 47 passwords with no context is almost as bad as not writing
> >down the password at all, in some situations (e.g., three failed logins ->
> >lockout).
>
> I don't have 47 passwords. I have 4. Remembering which goes to which is
> not a problem in practice.

Then you're not solving the same problem. You ought to be able to remember 4 passwords without a list. It's remembering arbitrarily many passwords that's the problem in question. It would be like me pointing out my strategies for fighting the boredom of my daily commute.

> >A sealed envelope in a locked container (firesafe, safe-deposit box,
> >etc.) or an encrypted list (remember just /one/ password) is more
> >advisable.
>
> And you are the one always preaching security vs usability.

I have *sermons*? Whodathunk?

Regardless... what I hope to have conveyed in those "sermons" is that security is defeated by poor usability; but this is not to say that usability should trump security at every turn. Usability needs to be "good enuf" for a given level of security.

> >Either way, pick something where you're going to type the decrypting
> >passphrase every day; else you risk forgetting _that_.
>
> Definitely. I use it regularly so as to never forget the password.

I've forgotten many passwords due to lack of use (or too-frequent changes). It's always annoying, and self-defeating, security-wise.

-Stewart
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
