You mean like the controller at company xyz who thought that securing all the corporate payroll/financial data in an Excel file protected by the password 'black', which was written down and posted on her cork board, was sufficient security?
-Jeff

On Fri, Mar 16, 2012 at 1:21 PM, Jonathan Link <[email protected]> wrote:

> Uh, yeah they are, if they're not stored in a secure place. Sticky notes,
> by design, are meant to be placed somewhere convenient to the user, which,
> to me, suggests somewhere out in the open. That's completely different
> from a sheet of paper containing some common passwords necessary to certain
> functions being in a locked file cabinet, with a limited set of users of
> said file cabinet having keys.
>
> So writing passwords down isn't necessarily bad, based on where the data
> is actually stored and how it is secured. Writing on a sticky note
> suggests that the data isn't well secured, and that storage is accessible
> to someone who can easily see the contents of your work area. Do you have
> external cleaning staff? Or heck, even internal after hours cleaning
> staff? How can you be sure that the password hasn't been used by them?
>
> On Fri, Mar 16, 2012 at 11:58 AM, Crawford, Scott
> <[email protected]> wrote:
>
>> Agreed. Just pointing out that in an office with doors and walls and
>> other various physical security measures, sticky note passwords aren't
>> *necessarily* as horrible an idea as we like to joke about.
>>
>> Sent from my Windows Phone
>> ------------------------------
>> From: Andrew S. Baker
>> Sent: 3/15/2012 5:26 PM
>> To: NT System Admin Issues
>> Subject: Re: Worth some consideration...
>>
>> I'd rather not accept a false dilemma.
>>
>> There is no reason to have either of the options presented, as both are
>> bad.
>>
>> *ASB*
>> *http://XeeMe.com/AndrewBaker*
>> *Harnessing the Advantages of Technology for the SMB market…*
>>
>> On Thu, Mar 15, 2012 at 2:49 PM, Crawford, Scott
>> <[email protected]> wrote:
>>
>>> I'd rather have "good" passwords written down on a sticky note
>>> accessible only to a limited number of coworkers than "bad" passwords that
>>> can be exploited by any black-hat on the internet.
>>>
>>> Sent from my Windows Phone
>>> ------------------------------
>>> From: Heaton, Joseph@DFG
>>> Sent: 3/15/2012 11:07 AM
>>> To: NT System Admin Issues
>>> Subject: RE: Worth some consideration...
>>>
>>> Wait… I’m NOT supposed to write my password on a sticky note? How am
>>> I supposed to let my coworker use my login, then?
>>>
>>> Joe Heaton
>>> ITB – Windows Server Support
>>>
>>> *From:* Andrew S. Baker [mailto:[email protected]]
>>> *Sent:* Thursday, March 15, 2012 7:49 AM
>>> *To:* Heaton, Joseph@DFG; NT System Admin Issues
>>> *Subject:* Re: Worth some consideration...
>>>
>>> That's an implementation problem.
>>>
>>> If I choose a passphrase of "Mary had a little lamb" then of course that
>>> will be relatively weak as passphrases go. That is not an inherent
>>> weakness of passphrases, but of people.
>>>
>>> Lots of things are undermined by poor choices. Completely random 20
>>> character passwords with a Unicode character set are undermined by having
>>> them posted on sticky notes.
>>>
>>> We didn't need a whole article to point that out.
>>>
>>> *ASB*
>>> *http://XeeMe.com/AndrewBaker*
>>> *Harnessing the Advantages of Technology for the SMB market…*
>>>
>>> On Thu, Mar 15, 2012 at 10:12 AM, Kurt Buff <[email protected]>
>>> wrote:
>>>
>>> http://arstechnica.com/business/news/2012/03/passphrases-only-marginally-more-secure-than-passwords-because-of-poor-choices.ars
>>>
>>> By Dan Goodin
>>> Ars Technica
>>> March 14, 2012
>>>
>>> Passwords that contain multiple words aren't as resistant as some
>>> researchers expected to certain types of cracking attacks, mainly
>>> because users frequently pick phrases that occur regularly in everyday
>>> speech, a recently published paper concludes.
>>>
>>> Security managers have long regarded passphrases as an
>>> easy-to-remember way to pack dozens of characters into the string that
>>> must be entered to access online accounts or to unlock private
>>> encryption keys. The more characters, the thinking goes, the harder it
>>> is for attackers to guess or otherwise crack the code, since there are
>>> orders of magnitude more possible combinations.
>>>
>>> But a pair of computer scientists from Cambridge University has found
>>> that a significant percentage of passphrases used in a real-world
>>> scenario were easy to guess. Using a dictionary containing 20,656
>>> phrases of movie titles, sports team names, and other proper nouns,
>>> they were able to find about 8,000 passphrases chosen by users of
>>> Amazon's now-defunct PayPhrase system. That's an estimated 1.13
>>> percent of the available accounts. The promise of passphrases'
>>> increased entropy, it seems, was undone by many users' tendency to
>>> pick phrases that are staples of the everyday lexicon.
>>>
>>> "Our results suggest that users aren't able to choose phrases made of
>>> completely random words, but are influenced by the probability of a
>>> phrase occurring in natural language," researchers Joseph Bonneau and
>>> Ekaterina Shutova wrote in the paper (PDF), which is titled
>>> "Linguistic properties of multi-word passphrases." "Examining the
>>> surprisingly weak distribution of phrases in natural language, we can
>>> conclude that even 4-word phrases probably provide less than 30 bits
>>> of security which is insufficient against offline attack," the paper
>>> says.
>>>
>>> [...]

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
