On 04/17/2011 04:47 PM, Stuart Jansen wrote:
> On Sat, 2011-04-16 at 23:43 -0600, Shane Hathaway wrote:
>> Would you actually advise the public to write down their passwords, 
>> knowing that people leave their wallets or purses unattended quite 
>> frequently?  Stealing a written password requires only a glance or a 
>> camera.  There could easily be no evidence whatsoever of the password 
>> theft.  Written passwords are not at all equivalent to physical security 
>> tokens.
> 
> Yes I would. Too many people base their notions of "proper" security on
> received lore instead of considering threat models and human behavior.
> First of all, we're not talking about nuclear launch codes, we're
> talking about email and bank logins.
> 
> The primary threat model is brute force, drive-by attacks. Most people
> don't want to memorize complex passwords, and don't value their account
> enough to spend the effort required to pick good passwords and change
> them regularly. If you give them permission to write the password down,
> they'll be more willing to pick a higher quality password.

I work for an ISP and something we see a lot is people who use the same
password on every site getting their email and password stolen from one
site and used on another. Sites where your login name is your email
address are especially vulnerable to this. Typically we only see this
when somebody's webmail gets used to send spam, but that's just
selection bias. The possibilities are limitless.

For that reason I've long recommended people use different passwords for
every site and write them down. I use pwsafe[1], but a note in the
wallet would be fine too.

Corey

1. http://passwordsafe.sourceforge.net/


/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
