Saying it's the biggest hole of all is a bit of a hyperbole, I was just quoting a professor I used to have, but I still think it's very high on the list. Most other things can be accounted for, a competent IT security worker can defend a server against automated attacks with some effort. Setting some rules to stop people from using passwords like "password" isn't difficult to stop smarter attacks.
But if someone writes down their information the security that IT can provide doesn't matter much anymore. It switches the focus of protection from the IT department to the user; now one of the easiest avenues of attack is just to get that password. If someone leaves their password on their desk, someone with access to the building can just walk in and take it. All they need to do is find one. Excessively frequent mandated password changes only increases the chances of it happening.
Sure for your day to day employee this doesn't matter but in high value situations it's a real risk. I'm pretty sure no one cares if you write down your personal passwords in your own home, I'm talking about in business situations.
Yeah, it's definitely a bigger risk in a business environment. With that context in place, I'd agree that it's important to physically secure passwords. But how much that matters also depends on the physical security posture of the whole building, your floor, your area, etc. Generally speaking though, averaging out the entire internet population, I would argue that writing down your password is way less dangerous than using a weak one.
146
u/Skeik Mar 08 '16
Let's also not forget that bullshit rules like these lead to the biggest security hole of all, when someone writes down their password.