Security Corner

May 12 2010   1:22AM GMT

Why Bother Giving Password Advice?

Ken Harthun

I’m miffed. I went to visit one of my clients yesterday – one that I’ve carefully educated in password selection and security – and saw a sticky note on the wall with all his passwords written down on it. I asked him why. He just went on and told me that it was too much trouble to think about mnemonics, password encoding systems, etc. I said that at least he could put that sticky note on the bottom of his keyboard where it was less obvious. He said it didn’t matter; whoever wanted his passwords would find them there anyway.

I won’t tell you this client’s profession; if I did, you’d be shocked. Let’s just say that a member of the cleaning crew could use information obtained through illegal use of my client’s passwords to do some real damage. And don’t think that a determined hacker would find it beneath him- or herself to take a job as a custodian if there was profit in the offing.

Why bother? Well, here’s the thing: I have all of my advice in writing in the form of emails with training materials attached to them. If my client ever gets hacked, I’m not liable for the consequences of any breach. I told them so. If they chose to ignore my advice, so be it. I did my job.

But I’m still miffed; I thought my opinion was valued.

What would you think?

4 Comments on this Post

  • Yogi
    It won't register until someone steals his wallet and swipes his credit card for as much as they can get. Then your client will be angry and upset at THAT security breach. For some people (OK, probably most people), a security breach doesn't seem to really sink in until it hits "close to home". In other words, personal. And no matter how much we may advise them, people will generally tend to do what is easier and/or faster. And it doesn't necessarily mean that your opinion wasn't valued. Whether they follow it or not, they now have the knowledge to increase their security if they so desire (which it sounds like they won't). I usually liken those scenarios to those where parents leave money out in the open when their kids' friends come visit just to see if they can trust the teenagers who come into their house. If the money is untouched, the kids are allowed back; if the money is gone, they don't get invited back.
    35 points
  • Labnuke99
    Here's an option for your client: PasswordCard. Maybe he could remember a symbol and a color - he could even just write down the symbol and remember the color. Not foolproof by any means, but better than the full password being written on a sheet of paper.
    32,960 points
  • Ken Harthun
    Labnuke, thanks for your comment and the link. That's a very handy tool and I'm going to show it to him when we meet today. In fact, I'm going to put you on the blogroll and post a mention to your article over at Ask the Geek. Yogi, you're so right. I just tend to get frustrated at times. Thanks for your comment! Cheers! Ken
    2,300 points
  • David Scott
    Ken: Great post and good points. I've also had security advice discounted, even in paying environments. They'll learn (the hard way). Here's a "workaround" for the password-challenged - I don't endorse it particularly, and just tell people about it anecdotally (as there is a liability). The trick is to create a "dummy" Contact in MS-Outlook (or similar e-mail system), and simply put passwords in the notes section of the Contact. It's true, of course, that if anyone breaches your e-mail account in that circumstance, they'd corral all of your passwords - but at least the passwords are in a password-protected zone (MS-Outlook, or some other contact/e-mail system), AND a person breaching would have to be perusing ALL of your Contacts in order to stumble on the password cache - very unlikely, as their motivation would likely be to breach the e-mail, and read that. Of course - for the truly hapless - they COULD forget their e-mail password...
    125 points
