On Fri, Dec 16, 2005 at 08:14:15AM -0500, Michael Stone wrote:
> On Fri, Dec 16, 2005 at 01:27:57PM +0100, Javier Fernández-Sanguino Peña wrote:
> >On Thu, Dec 15, 2005 at 05:54:34PM -0500, Noah Meyerhans wrote:
> >>Well, at least there's still *some* level of physical security there;
> >>an attacker has to be at your user's desk to get the password. Plus,
> >
> >Noah, meet binoculars:
> >http://www.thinkgeek.com/electronics/cameras/798d/
>
> Don't be flippant, it lowers the level of the discourse. His point was
> that the password written on the paper is a completely different
> category of security risk, and may be a much less serious risk
> (approaching non-existence) based on the environment in question--and
> that point is entirely valid. Don't make knee-jerk reactions to security
> dogma like "don't write down passwords" unless you have an understanding
> of the risks involved in a particular situation.
I'm not against people writing out passwords. Actually, a very good security mechanism is generating a random password, writing it down, and keeping it in your wallet, only taking it out when you forget it (but make sure you don't write down what the password gives access to, in case your wallet gets stolen). However, putting them on a screen and *thinking* that only people next to it will be able to read them is missing the obvious. In most work environments I've been in (and I've been to many offices outside my own) you can just walk down the office and remember passwords written on screens or, even, read the passwords of users from an opposite building.

So my "knee-jerk reaction" is for people thinking that putting their passwords in plain view provides sufficient security. Had he said that he was dropping the post-it into his desk drawer I wouldn't have jumped in.

> FWIW, I'd love to know how your binoculars would be effective in an
> environment where the computer is facing a blank wall.

Useless, but in office environments there are typically only *some* computers facing the blank wall. They are typically contested, as they provide higher privacy, but they are still few. I welcome people to test my theory in their own offices and think about whether writing down a password on a post-it (even if virtual, on screen) is a good idea.

Regards

Javier