
That advice mostly originates from security folks working in workplace environments, where passwords that are written down may be visible to people who are threat vectors.



I am not a security person, but I can't help but wonder where the advice of not writing things down comes from? I think my wife's password book on her desk is a lot more safe than most computer experts.

Writing your password down in an insecure location will get you written up at most jobs, straight out fired at others.

> Doesn't having a secure password on a Post-It note make it insecure?

Technically.

> There are plenty of people near me that would just love to look at my emails.

I just don't think that's actually true for many people. My parents, for instance. Or people with home offices who don't leave the door open when they have crazy parties—or who put their passwords on a piece of paper stuffed in the middle of a book.

The point is that writing your password down, for most people, is actually good advice.


On this point:

> write passwords down in places that are easy to find (like post-it notes next to the screen)

Writing passwords on post-it notes is often used as a ridicule of non-tech-savvy folks behavior. I'd like to pose this question: If you're doing this not at an office, but at home, is this really so bad?

Say you run a web site on AWS and write your really long AWS password on a piece of paper at home. It would take a hacker finding out where you live and breaking into your house to find the piece of paper to access it. On the other hand, your ordinary neighborhood burglars typically care about cash and jewelry in your house, not post-it notes with passwords. It seems those two categories of intruders rarely overlap, unless you're a world famous target.


I agree, I’m sure it helps but seems like if a malicious coworker wants access they can trivially steal your password with a keylogger or just watching you type it in. May prevent spontaneous acts I guess but feels like if those are really a risk you’ve hired the wrong people.

People one step above those who think storing plain-text passwords is okay.

This really is a retelling of the advice 'Your passwords should not be something that could be guessed by knowing just a little bit about you.'

I agree in spirit but would revise: it's a security threat and against some company policies to explicitly share passwords in the clear. The ideal is to add your password to a corporate password vault, some of which can then authenticate for coworkers without them knowing explicitly what it is.

Many years ago I worked for a defense contractor who not only had 123abc as the password for a workstation that held secret information and was connected to the internet, but a post-it note with "password: 123abc" was kept on top of a monitor which was visible through a window from a corridor that random members of the public had access to. When I brought this up as possibly a poor security practice the reaction was anger towards me, and then moving the post-it note to the side of the monitor so it would not be visible from the window.

I think you're right - that and the security industry convincing the vast majority NOT to write passwords down on sticky notes.

No offence, but if you're not going to fire people when you find their password written down, then they're going to write their password down. Written policies are practically irrelevant; it's enforced policies people pay attention to.

One example of security. Someone (A) giving a briefing has someone (B) grab at it so they can read the document. At which point (A) pulls his sidearm and threatens (B). Later (A) is given an intense debriefing to verify that he was willing to shoot (B) and simply wanted to clarify the situation, vs. being unwilling to shoot (B). (B) was later told he was lucky not to have been shot.


One must think who the most likely person would be that would a) want access and b) try to break in... is it an anonymous hacker across the internet or a co-worker trying to sabotage? This is why "post-it noting passwords" is bad. Most computers/systems don't really have information that hackers want, other than to zombie a machine. This isn't to say we shouldn't worry about exposing our computers with quickly cracked passwords, we should protect all vectors into our systems but realize forcing strong need to "post-it note passwords" drastically increases the likelihood of an internal rat/mole.

Want better password hygiene in the workplace? Encourage rude passwords!

Passwords aren't the only at-risk category. "This presentation is a tire fire" is a vector, too.

I think it says more about password choice. Most of these people would consider themselves security experts, but those passwords are terrible.

Most of the time, you're lucky to get people to move off of passwords.

People reuse passwords. The mere possibility of someone being able to see it is bad.

I find in talking with people about passwords that most have the "it won't happen to me" syndrome or the "I'm not that important" syndrome and thus they feel it is OK to use weak passwords. The last person I spoke with about this used this logic, "It's not like I work for the CIA. So why bother?"

And always, after their account becomes compromised, they understand that the bad guys may just want access to resources so they can send spam, or do other illegal things. Sadly, it seems to always take something like this to make the point fully understood and after that the person is fully on-board with password security.

Just my experience.


I am of two minds about it. If it helps security, it sounds somewhat reasonable, but I used questionable passwords in the past partly because they were easy to memorize, along the lines of missslippyfist and some numbers/chars. I was forced to stop once a company I used to work for started filtering for curses.

And running to HR over perceived creepiness sounds like a dick move.
