On Fri, 2004-10-15 at 12:01, Bruno Wolff III wrote:
> On Thu, Oct 14, 2004 at 13:56:32 -0400,
> "Scot L. Harris" <webid@xxxxxxxxxx> wrote:
> >
> > I think we were talking about regular users that stick postit notes
> > under their keyboards (or on the face of the monitor) with their
> > passwords on them.
>
> Even in this it isn't necessarily a bad procedure. It depends on what
> your threats are. It may very well be that the people who can get a
> look at your post it note passwords are the same people that have
> unmonitored physical access to your computer. In that case the post it
> note only makes it slightly easier to steal your passwords. If the people
> with such access aren't the people you are worried about, then this
> might be a reasonable tradeoff for convenience. (However, I think if
> you really want to write passwords down, a wallet is a better place for
> most people to keep them, than stuck to a monitor.)

Locks are there to keep honest people honest. Leaving your password posted on your monitor (or around your desk) is the same as leaving the key to your home hanging on a string on the front door. A really bad idea.

The main problem with this kind of behavior is in an office environment where you don't know who is going to take advantage of easy access to a system given a password. They may not have the skill set, few probably would, to break the passwords on a system even given physical access. But to advertise your password in plain view is inviting someone to take advantage of it.

So in general I feel it is a bad procedure under any circumstance since it puts the person whose password is compromised in jeopardy as well as placing all those on the network in jeopardy. Being a good netcitizen means protecting your systems to prevent them from being used as a springboard for an attack on other systems.

Even in a home environment you don't know if your child's friends may be over and happen to see your password then use it later that night for who knows what. IMHO, it is never a good idea to leave your passwords exposed like that. But you are right in that each person has to assess the risk they are willing to take. There was some discussion a while back on this list where someone wanted to have no password on their system. Their choice.

--
Scot L. Harris
webid@xxxxxxxxxx

There's got to be more to life than compile-and-go.