Clearly, except for a tiny minority of super-conscientious experts, humans aren’t capable of maintaining the level of knowledge and especially discipline necessary to keep the computers they operate reliably secure. On several occasions, I’ve seen hilarious instances of super-smart people with advanced degrees in computing, some of them even security experts, leaving their machines or data wide open to intrusion by some petty accidental oversight.
This isn’t limited to computers, of course. For example, Richard Feynman’s stories of his hobbyist safe-cracking provide some amusing examples from a previous era. The only way to force people to maintain discipline in security is the old-fashioned military method, but this requires draconian penalties (up to and including the death penalty) for petty negligence.
On the other hand, it can be argued that most people’s negligence in computer security is quite rational, in that additional marginal benefit from added security effort wouldn’t be worth the (internalized) cost. See e.g. C. Herley, “So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.” (Ungated link here.)
My father used to do work for a company that made him change his password every two weeks and wouldn’t let him reuse any of the last ten passwords he used. As a result, he resorted to writing down the password and taping it to his laptop so he could remember what the current password was—and made a point of it to the IT department.
If I had to do that I’d just incorporate the date into the password somehow and otherwise leave it the same.
If he had stored the paper in his wallet rather than on the laptop, I would have said that he handled the situation very well. For most people, the physical security afforded by their wallet is more than sufficient to safely store passwords. HBGary Federal would certainly have been better off if Aaron Barr and Ted Vera had used better passwords but written them down.
Telling people to never write down their passwords probably does more harm than good. Many people have too many passwords that change too often to legitimately expect them to be able to memorize them all. And when they do write them down, they have never been told that their wallet is a safer place to store them than under their keyboard.
My father and I eventually came up with a better system: he came up with a list that had enough passwords that he could reuse the first one after the last one on the list expired, and then taped to his laptop a list that had about half of each password on it. He would then put a little pencil mark next to whatever password hint corresponded to the password he was using at the time.
One thing I find fascinating is people’s occasional ingenuity in getting around password strength requirements. For example, faced with the requirement that the password can’t be the same as their name or username, sometimes they’ll figure out what is the smallest change that will make it acceptable (like e.g. leaving out the last letter), and use that.
(Come to think of it, the very fact that I know all this also says something by itself.)
You need to change your password. I checked it and you’re using the wrong one. Set it to “Vladimir_”—make sure to use the capital letter and underscore so it will be more secure.
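The username-minus-a-letter and date-in-the-password workarounds discussed in this thread are exactly what a literal "not equal to username / not one of the last ten" rule fails to catch. As an added example, not from any commenter, here is a policy check that compares canonical forms (dates and trailing punctuation stripped) by edit distance; the threshold of two edits and the date pattern are assumptions.

```python
import re

# Assumed threshold: passwords within this many edits count as "the same".
MAX_EDITS = 2
# Assumed date pattern: four-digit years and day/month pairs such as 03/11.
DATE_RE = re.compile(r"(?:19|20)\d{2}|\d{1,2}[-/.]\d{1,2}")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character inserts, deletes or substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def canonical(pw: str) -> str:
    """Lower-case, drop date-like tokens and trailing digits/punctuation, so that
    'Vladimir_', 'vladimir2011' and 'Vladimir-03/11' all reduce to 'vladimir'."""
    s = DATE_RE.sub("", pw.lower())
    return s.rstrip("0123456789_-.!#")


def check_new_password(new: str, username: str, history: list[str]) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty list = accept).

    Unlike a plain equality check, this catches the minimal-change tricks the
    thread describes: dropping the last letter of the username, or keeping the
    old password and bumping the year or adding an underscore.
    """
    reasons = []
    n = canonical(new)
    if levenshtein(n, canonical(username)) <= MAX_EDITS:
        reasons.append("derived from username")
    for old in history:
        if levenshtein(n, canonical(old)) <= MAX_EDITS:
            reasons.append("derived from a previous password")
            break
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs mirroring the thread's examples.
    print(check_new_password("Vladimir_", "vladimir", []))
    print(check_new_password("Summer2011!", "jdoe", ["Summer2010!"]))
    print(check_new_password("tr0ub4dor&3", "jdoe", ["Summer2010!"]))
```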