One of the biggest security expertise redpills is that this is unironically a good idea, and the time spent making fun of it was ill-advised for most users, whose physical security threat is not a factor in comparison.
@SwiftOnSecurity @cstross Yes, I interviewed Bruce Schneier years ago and he endorsed the practice of writing down passwords. "We're still figuring out how to secure passwords," he said, "but we've had centuries to get very very good at securing pieces of paper."
@SwiftOnSecurity not a security expert but I can tell you that if someone finds out my Steam password after I have written it down I have far bigger issues, like a stranger in my home uninvited.
Besides, at least as a Swede, literally everything that is truly important (banks or anything involving money) is 2FA automatically, since banks refuse to do transactions without it.
@SwiftOnSecurity especially when you factor in how easily you could use this to give yourself HINTS to the password that are completely useless to anyone else.
Somehow, Windows 8 got this right where nobody else even tries. "haha this idiot wrote down her password. Wait, what does 'mel +3 slinkpar' mean"
@SwiftOnSecurity Anyone over the age of, say, about sixty needs one of these and needs to habitually use it. Eventually people start having memory problems, and if you're not systematic about this stuff in advance your life adds "can't log into anything" to whatever age-related medical issues you've got going on. It also becomes a sort of digital will if you die suddenly. I have a client base of mostly retirees and highly recommend password stationery books over programmatic password managers.
@SwiftOnSecurity @cstross I understood <profoundly> how futile and trivial most of the average secure password-keeping measures were the day I first heard the term "rubberhose cryptography".
@SwiftOnSecurity A less oft-stated place this comes up: when my partner got sick with cancer and then died of it... one of the things he did was to hand me custodial control of his online accounts so I could handle things he was no longer coordinated enough for due to illness, and notification postings after his death. Because he kept a book like this, rather than a cancer patient struggling with memory, the process was to grant me formal permission and physically hand me the book.
@SwiftOnSecurity @ariadne The problem I see with password books: it won't tell you if passwords are reused. That's something I'm struggling to teach. In practice, everyone I know who uses those generates 2-3 "good" passwords, and reuses one of them on every site.
@SwiftOnSecurity THIS! If someone broke into my house the fact they MIGHT find the password card is pretty low on things I would be fkn worried about at that moment.
@SwiftOnSecurity When I was an executive, I was ok with password books as long as they were kept with the person or secured in a lockable cabinet. I was also never a fan of a policy that you cannot enforce properly. Generally speaking, I'd eliminate those policies or alter them to an enforceable state with my team.
@SwiftOnSecurity I used to work at a greeting card company whose target market was older folks. Older folks who were often in long-term care and thus acutely aware of their mortality. A written password organizer like this was a gift for their families when the time came.