On Tue, Dec 17, 2024 at 06:45:05AM +0100, to...@tuxteam.de wrote:
> Do you have a reference?
>
> I ask because I'm in the middle of a discussion (and that was my advice,
> too). Seeing what Schneier has to say on that would be very interesting.

All of this advice is overly simplistic. The right answer depends on
understanding your threats and making a conscious decision what risks
you want to mitigate and which you want to accept. If your threats
include a coworker using your account to get a higher level of access
than permitted, or to avoid/shift accountability, then putting your
passwords on your monitor at work with a post-it is a tremendously
stupid idea. If your threats include a person in your home (e.g., health
aide, plumber's assistant, whatever) potentially accessing banking
information, then putting your passwords on your monitor at home is a
tremendously stupid idea. If your main threat is forgetting a password,
and you don't have to worry at all about anyone else seeing your
post-it, then putting your password on your monitor may be a very good
idea. Putting your passwords in a notebook in a drawer may be a
reasonable mitigation in some environments, but not others. Locking the
drawer may or may not be an effective additional layer. People like to
throw out bombs like "passwords should be written down" for shock value,
but reality needs more effort and significantly more nuance. Schneier
would, I think, agree with this as he already has nuances like "put it
in your wallet". The problem of an elderly person with memory problems
that potentially does/will have people in their home is particularly
difficult as the wallet advice has minimal utility--there do exist
people who take advantage of the elderly and steal their money,
sometimes from their wallet and sometimes from their accounts, and if
both are vulnerable it is not effective to secure one with the other. I
don't think there is a good, general, simple answer to this without much
more knowledge of the particulars of the situation than is probably
appropriate for a mailing list.