Path: utzoo!attcan!uunet!lll-winken!ames!ncar!tank!mimsy!haven!adm!smoke!gwyn
From: gwyn@smoke.BRL.MIL (Doug Gwyn)
Newsgroups: comp.unix.wizards
Subject: Re: Password security - Another idea
Message-ID: <9326@smoke.BRL.MIL>
Date: 10 Jan 89 03:22:50 GMT
References: <228@sea375.UUCP> <4497@xenna.Encore.COM> <6634@killer.DALLAS.TX.US> <674@ihnet.ATT.COM> <8705@bloom-beacon.MIT.EDU>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB))
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 19

In article <8705@bloom-beacon.MIT.EDU> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>How long do you think it's going to be before someone surreptitiously
>glances over my shoulder when I take it out to look at it and
>therefore gets my password?

As you mentioned, but apparently didn't take seriously, they are
likely to watch you type your password, which is easier than peeking
at the paper. I don't think having to refer to the paper is
appreciably less secure than having to enter the password.

The problem lies in GUARDING the paper. For example, do you burn
or shred it when discarding it? Worse yet, many users write the
password on their deskpad calendars or pull-out shelves, for
"convenience". That makes the password available to anyone who
wanders by while the desk is unattended. No matter how much you
tell users not to do this, so long as the password is one they
cannot easily remember, sooner or later some of them are going to
compromise it this way. Your personal use of paper in your wallet
is not the worst security problem in such an environment.