A (not) new security idea

Scot L. Harris webid at cfl.rr.com
Fri Oct 15 16:14:14 UTC 2004


On Fri, 2004-10-15 at 12:01, Bruno Wolff III wrote:
> On Thu, Oct 14, 2004 at 13:56:32 -0400,
>   "Scot L. Harris" <webid at cfl.rr.com> wrote:
> > 
> > I think we were talking about regular users that stick postit notes
> > under their keyboards (or on the face of the monitor) with their
> > passwords on them.  
> 
> Even in this it isn't necessarily a bad procedure. It depends on what
> your threats are. It may very well be that the people who can get a
> look at your post it note passwords are the same people that have
> unmonitored physical access to your computer. In that case the post it
> note only makes it slightly easier to steal your passwords. If the people
> with such access aren't the people you are worried about, then this
> might be a reasonable tradeoff for convenience. (However, I think if
> you really want to write passwords down, a wallet is a better place for
> most people to keep them, than stuck to a monitor.)

Locks are there to keep honest people honest.  

Leaving your password posted on your monitor (or around your desk) is
the same as leaving the key to your home hanging on a string on the
front door.  A really bad idea.  

The main problem with this kind of behavior is in an office environment
where you don't know who is going to take advantage of easy access to a
system given a password.  They may not have the skill set, few probably
would, to break the passwords on a system even given physical access. 
But to advertise your password in plain view is inviting someone to take
advantage of it.  So in general I feel it is a bad procedure under any
circumstance since it puts the person whose password is compromised in
jeopardy as well as placing all those on the network in jeopardy.  Being
a good netcitizen means protecting your systems to prevent them from
being used as a springboard for an attack on other systems. 

Even in a home environment you don't know if your child's friends may be
over and happen to see your password then use it later that night for
who knows what.  

IMHO, it is never a good idea to leave your passwords exposed like that.

But you are right in that each person has to assess the risk they are
willing to take.  There was some discussion a while back on this list
where someone wanted to have no password on their system.  Their choice.


-- 
Scot L. Harris
webid at cfl.rr.com

There's got to be more to life than compile-and-go. 



