Unixronin

Tuesday, October 2nd, 2007 06:02 pm

Today's User Friendly strip makes a security point I've commented on myself many a time:  If you make your password policy demanding enough, you can force all of your users to write their passwords down, and the odds are at least some of them will leave their password notes where they can be seen and/or found by someone who shouldn't have them.  At which point your carefully crafted password policy, proof against any but the most massive distributed brute-force attack, becomes vulnerable to the pizza boy who happens to glance at the receptionist's desk while chatting her up on his way through the front lobby.

Wednesday, October 3rd, 2007 06:05 am (UTC)
I was all set to use one of my "I can remember this without writing it down and it probably can't be brute-forced with an English-language dictionary" passwords (my passwords are based off of (at least) one of the multiple foreign languages I partially read and then mangled) for work.

And then I was told that I would have to write it down so that someone else could use it if necessary.

It's in English now, and it isn't used *anywhere* else. Fortunately, the system I work on is ancient, decrepit and confusing as hell, so nobody actually WANTS to log into it. Security through stupidity and obsolescence.