And someone "dropped it"... <facepalm>
Japan airport staff dash to replace passcodes after security cock-up
The dangers of writing passwords down on paper were laid bare in the Japanese airport of Haneda this week after a member of staff managed to lose a note containing key security codes ahead of US president Barack Obama’s arrival today. The unlucky Skymark Airlines employee dropped the memo – which contained a list of the codes …
Wednesday 23rd April 2014 07:51 GMT 's water music
Re: Epic fail
Notes containing passcodes are supposed to be stuck to the bottom of one's keyboard!
You have obviously never managed a helpdesk. Do you have any idea of the call volumes from people who have forgotten that their password cribsheet is underneath the keyboard after a bank holiday weekend? Best practice remains to stick the post-it to the monitor bezel. If security is critical, the post-it may be applied to a flat surface and obscured with a gonk.
Wednesday 23rd April 2014 09:56 GMT James Micallef
With biometrics being too unreliable / easily spoofable / invitation to digital amputation (delete as appropriate), passwords / passcodes still offer the best combination of easy/cheap/secure for electronic access. Although 'cheap' doesn't seem so cheap after you quantify in any potential losses due to security breaches. You get what you pay for.
In this case, since it's physical access, what's wrong with plain old keys?
Wednesday 23rd April 2014 16:01 GMT Anonymous Coward
"In this case, since it's physical access, what's wrong with plain old keys?"
Volume. And if you drop it someone can pick it up and use it. With a combination you can't drop something you know. Unless you have a half dozen to remember and have to write them down...
Seems the most appropriate solution is 2-factor security - a swipe/RFID card, which is your physical key and means person x can only access those areas they have authority for, in conjunction with a single individual PIN*, such that a dropped card on its own is useless.
If someone loses their card you only have to disable that card, not reissue cards to everyone else as you would with a physical key (and change the physical locks). Presumably all the staff have ID cards anyway, to prevent someone just telling a mate the codes so they can pop in for a gander at Obama...
Of course someone could give their card to a 3rd party and divulge their PIN, but that's the same risk as them telling a 3rd party the codes or handing over a key/cutting unauthorised copies.
Next step up from that is a security guard checking the photo on the card against the bearer and the reference photo in the database on a terminal, but that'd be overkill for all bar the most sensitive areas.
*Or fingerprint/palm/iris scanner if you want to go all Mission Impossible, but you could probably recover the fingerprint off a dropped card, so still a risk until the card is reported missing and privileges revoked.