Reply to post: Re: Nothing wrong with insecure passwords

It's 2016 and idiots still use '123456' as their password

Cuddles Silver badge

Re: Nothing wrong with insecure passwords

"Actually there *is* something wrong. Sites with no sensitive data should not ask for a password."

The problem is that just because something isn't truly important sensitive data doesn't mean you want it visible to every random person wandering past. Essentially, we have two levels of security - preventing casual access, and protecting valuables. And this applies to pretty much everything, not just computers. For example, most houses are incredibly insecure; many regular locks can be picked in a couple of minutes even if you don't have some clever way of faking a key, and even if the lock is tricky there are few houses that a good kick or a half-brick in a sock won't get you inside. The point of locking our doors is not to stop the determined, highly competent burglars, but simply to prevent people being able to wander into your house on a whim. Similarly, people tend to close their curtains or have nets to prevent people looking in as they pass by, not to prevent investigation by spies or even to hide the kinky things they're getting up to in their living rooms.

So there's nothing wrong with having passwords for pointless sites with no important data. Your My Little Pony forum account might not be important, but it's still your account that you probably don't want others using whenever they feel like. It's just important to recognise the difference between the security necessary on such an account, and the security necessary on something like your bank account where malicious access would actually be a serious problem. The issue isn't that unimportant sites insist on passwords, but rather that all sites tend to insist on the same level of (usually rather poor) security regardless of what level of security is actually appropriate.

@ GrumpenKraut

"at which point everybody has sticky notes with the password of the week somewhere at the desk."

This gets brought up a lot, but it really isn't a big problem. Most attempts at malicious action are made remotely. If someone can see the note stuck to your monitor, they probably already have physical access. Put the note in a drawer and even people walking past can't see it, and if someone has the access and time to physically look through your things it's already game over regardless of what you might have written down. Having a record of your credentials in a place that the vast majority of attackers will never have access to really isn't a bad idea at all; it allows you to have much more secure passwords since you don't need to worry about remembering them. The tiny increase in risk from someone potentially looking at your note is likely to be more than offset by the increase in security it allows.


Biting the hand that feeds IT © 1998–2019