
BLU Discuss list archive



[Discuss] paper password safe



Tom Metro wrote:
> Yes, paper is still vulnerable to malware or key loggers, because at
> some point you have to type them in. It's just that the bad guys won't
> be able to get them all at once.

The paper is not compromised. The system on the other side of the human 
being is compromised. This might seem like picking nits but it is 
actually a very important distinction. The human has control over the 
piece of paper. The human may not have control over the system being used.

Use of a system that you do not control requires you to forfeit control 
of your credentials for that system. This is not a user problem. This is 
a server problem, where the server is any system, software or hardware, 
that provides a service. It could be the Ubuntu Forums. It could be the 
workstation on your desk. It could be the smartphone in your pocket.


> (Statistically, this probably works better in a home setting than in a
> professional setting, where the temp you hired may rummage through the
> boss's desk after hours to see what accounts he can break into.)

Most people aren't so careless with their cash and credit cards, 
driver's license and other ID, particularly when that ID is required for 
physical access to the premises. This is why putting the list next to 
the money is an important part of physical security.


> The down side to the paper model is that it doesn't help with strong
> password generation. A paper log filled with "1passw0rd" style passwords
> isn't helping.

You don't need a program to make strong passwords. Remember what you had 
for lunch today. "chicken fingers and fries". Three or four words. This 
is an incredibly strong password.

-- 
Rich P.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org