[Discuss] A Little OT: The Password Post-It
Richard Pieri
richard.pieri at gmail.com
Fri Apr 20 11:55:52 EDT 2012
On 4/20/2012 6:46 AM, Chris O'Connell wrote:
> So Rich, I see your point about enforcement, but how specifically have
> you addressed the issues of having passwords on post-its? I know you
> mentioned becoming friends with the users and making security something
> they care about (which I agree with), but any other suggestions?
It goes both ways. Just as you want your users to take security
seriously, we need to take their wants and needs seriously.

Understand the potential threats that you and your users face. Be
flexible. One-size-fits-all security policies ignore users' needs.
They also ignore how threats grow and change.

We need to be resigned to the fact that there are users who simply won't
care no matter what we say or do. All we can do is isolate and contain
what we can and be prepared for the inevitable cleanup. And we can hope
that the corollary loss of productivity is a convincing argument.
--
Rich P.