[Discuss] paper password safe

[tmetro+blu at gmail.com (Tom Metro)]

Richard Pieri wrote:
> Kent Borg wrote:
>> better to use paper. Really.  Paper.
> 
> A piece of paper is effectively impervious to remote exploit. It isn't
> vulnerable to malware or key loggers. It doesn't need security updates.

I'll give the Rich Pieri response to this... :-)

Yes, paper is still vulnerable to malware or key loggers, because at
some point you have to type them in. It's just that the bad guys won't
be able to get them all at once.


> Because writing down passwords itself isn't a bad practice. It's writing
> them down and putting the paper near the things being protected that's a
> bad practice.

Agreed. As long as you aren't careless with leaving your paper log of
passwords lying around, if having a paper log permits you to use
stronger passwords, then you've improved your practical security, and
introduced vulnerabilities that are unlikely to be exploited.

(Statistically, this probably works better in a home setting than in a
professional setting, where the temp you hired may rummage through the
boss's desk after hours to see what accounts he can break into.)

The down side to the paper model is that it doesn't help with strong
password generation. A paper log filled with "1passw0rd" style passwords
isn't helping.

There are various schemes for dealing with this, such as:

Perfect Paper Passwords
https://www.grc.com/ppp.htm

 -Tom

-- 
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/