• lemmyvore@feddit.nl
      link
      fedilink
      English
      arrow-up
      8
      ·
      9 months ago

      I mean, you’re comparing very different scenarios.

      If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.

      If someone has access to your sticky note they have all your accounts.

      I don’t think I’d call either of them better.

      Of course, all this assumes no second auth factor.

      • nevemsenki@lemmy.world
        link
        fedilink
        arrow-up
        4
        ·
        9 months ago

        If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.

        But seriously, there’s a guy in your house.

        • lemmyvore@feddit.nl
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          9 months ago

          But seriously, there’s a guy in your house.

          My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.

          If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.

          • nevemsenki@lemmy.world
            link
            fedilink
            arrow-up
            1
            ·
            9 months ago

            If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.

      • PriorityMotif@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        9 months ago

        Just shift the password descriptions a few spots compared to the passwords, then you’ll get email about failed logins as a canary.