Writing a password on a sticky note is a terrible idea. While this may seem obvious to the most technologically seasoned, many French people nevertheless continue to do it. Proof of this is that these basic lessons still have to be hammered home so that everyone acquires the right reflexes.
It is one of those recommendations that sometimes reveals the abyssal gap between the good practices to follow in computer security and reality. That is what the series of tips just shared by the French National Information Systems Security Agency (Anssi), whose mission is to protect the State and certain operators of vital importance against cyber threats, typically brings to mind.
This Friday, October 1, it published several suggestions for improving the security of your passwords. There are of course the usual observations, repeated year after year: use a different password for each service. Each password must also be long and strong enough. They should not be shared with others either.
All of these recommendations are relevant, as is the one suggesting that you should also change the passwords that are set by default (you know, the famous “0000” or “admin”) so as not to make things easier for digital crooks. On the other hand, though Anssi does not mention it, changing your passwords regularly is not very relevant.
But in this Prévert-style inventory of good practices, one piece of advice in particular is striking, because one could believe, and even hope, that in 2021, after years of discourse on what to do and what not to do in terms of security, it would have sunk in. And yet, this year again, Anssi has to remind us that writing a password on a post-it “creates a significant risk”.
Yes, it’s stupid to write a password on a post-it
Obviously, Anssi is very much in its role as the nation’s cyber bodyguard when it points out that leaving your passwords lying around in plain view is certainly one of the worst possible ideas. You might as well leave the keys in your car with the door open and walk away. Or leave the keys to your home in plain sight.
The problem is not that Anssi is rehashing advice that would make any cybersecurity specialist shudder. It is that this behavior still exists and is obviously still very widespread. Statistics in this area vary from one survey to another and from one year to the next, but, as articles in Silicon or Developez point out, we are very far from a marginal phenomenon (between 30% and 50%).
The unfortunate incidents involving post-its that turn up on television or in media shared on social networks do exist, and they show how much of a mistake it is. Le Point recalled, for example, that in 2015 TV5Monde’s passwords were broadcast in the middle of a 1 p.m. news bulletin. The military had a similar scare, with a tweet showing an image that revealed far too much.
And the problem of a password on a post-it does not arise only through a screen. In an open-plan office there can be a lot of people moving around: colleagues of course, but also visitors, clients or service providers. At home too, even if one could argue that there is less traffic. And the fact that those people are close to you is no guarantee that they would never do anything with it.
Of course, strong authentication is now taking hold, and it keeps the account reasonably secure even if the password is compromised. This mechanism requires entering a second, temporary code, usually retrieved on the user’s smartphone, which was previously associated with the account. To break into the account, an attacker would therefore have to get past two barriers.
Strong authentication can certainly make up for the negligence of a written-down password, but this remains an exposed situation, in any case more exposed than the scenario where the password stayed secret. Some might argue that it is hard to remember all of your passwords, and it is true: it is very difficult to memorize them while keeping them long, complex and unique.
What if I can’t remember my passwords?
That’s why password managers exist, like LastPass, KeePass or Dashlane. They serve as a safe that spares you from keeping everything in your head: you only have to remember the master password, which unlocks the manager. It goes without saying that this password must be as strong as possible and entirely unique. We understand why.
This strategy is not perfect either. No strategy is. This software has bugs and flaws, just like any program, and it is possible to imagine specific attacks against it (although the feasibility of some of them is debatable). But compared to a notebook full of passwords lying on a table? Or a post-it next to the screen? The benefit-risk balance is not the same.
Anssi’s recommendations are part of Cybermoi/s, an operation to raise public awareness of good practices for protecting their digital lives. The themes may change from year to year. But what is sad is to think that the recommendation about post-it notes will still be valid in 2022 for the next Cybermoi/s.