Why don't banks like root on Android? - eviltoast
  • lemmyvore@feddit.nl
    link
    fedilink
    English
    arrow-up
    8
    ·
    7 months ago

    I mean, you’re comparing very different scenarios.

    If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.

    If someone has access to your sticky note they have all your accounts.

    I don’t think I’d call either of them better.

    Of course, all this assumes no second auth factor.

    • nevemsenki@lemmy.world
      link
      fedilink
      arrow-up
      4
      ·
      7 months ago

      If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.

      But seriously, there’s a guy in your house.

      • lemmyvore@feddit.nl
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        7 months ago

        But seriously, there’s a guy in your house.

        My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.

        If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.

        • nevemsenki@lemmy.world
          link
          fedilink
          arrow-up
          1
          ·
          7 months ago

          If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.

    • PriorityMotif@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      7 months ago

      Just shift the password descriptions a few spots compared to the passwords, then you’ll get email about failed logins as a canary.