On Tue, Dec 17, 2024 at 12:45 AM <to...@tuxteam.de> wrote:
>
> On Mon, Dec 16, 2024 at 10:22:43PM -0600, John Hasler wrote:
> > songbird writes:
> > > perhaps because the accounts are jointly owned and it is much easier
> > > to just continue using the credentials as they exist instead of having
> > > to set everything up all over again for no real gain.
> >
> > Then follow Bruce Schneier's advice and *write them down*.
>
> Do you have a reference?
You might also try Peter Gutmann's Engineering Security,
<https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf>.

From Chapter 7, Passwords, Section "Passwords on the Client" (p. 614):

    The most effective client-side password management technique that the
    typical computer user can employ is to write them down. No, you didn't
    read that wrong. From what we've found out from the endless surveys and
    studies that have been done on this topic over the years (see the start
    of this chapter) and the analysis of how users currently deal with
    passwords (see the remainder of the chapter) this really is the most
    effective client-side password management technique for the typical
    user.

And from the Intro to the chapter (p. 564):

    This 1960s perspective of computing is the type of threat model that
    some of the password-security guidelines that are in use today were
    designed to counter! What's worse is that even today, decades after
    these archaic threat models were employed as the basis for
    password-usage guidelines, we're still fairly consistently giving users
    the wrong advice about password security such as "Passwords are like
    underwear, change them often" (solving no identifiable problem but
    creating several new ones, see "Password Lifetimes" on page 574) and
    "Firewalls are useless if passwords are stuck to the monitor with a
    Post-it" [9] (phishers are pretty creative but the one thing they
    haven't managed to do yet is reach out of the monitor to read your
    Post-it notes, see "Passwords on the Client" on page 614). As Bob
    Blakley puts it, "despite the fact that both attacks and losses have
    approximately doubled every year since 1992, we continue to rely on old
    models that are demonstrably ill-suited to the current reality and
    don't inhibit the ongoing march of failure" [10].

Gutmann earned his PhD in security usability (SUX). And his book is well
cited with conference papers and security usability results.
> I ask because I'm in the middle of a discussion (and that was my advice,
> too). Seeing what Schneier has to say on that would be very interesting.

Jeff