
SoylentNews is people

posted by CoolHand on Monday May 04 2015, @10:38PM
from the security-oops dept.

Nick and Margaret: The Trouble with Our Trains is a BBC Two show featuring Nick Hewer and Margaret Mountford, who explore "the sorry state of the British rail network."

The dynamic duo's travels took them to the Wessex Integrated Control Centre, located above the platform entrances at London Waterloo railway station, manned 24 hours a day by teams of controllers from both South West Trains and Network Rail.

[The] documentary revealed more than it planned this week, exposing the passwords used at a rail control centre.

The article features a frame of the video which shows the complex login credentials taped to an LCD panel of a Windows XP terminal.

One might wonder if an overstrict password policy brought this about, except obviously a strict password policy would not allow the password that is stickied to the monitor.

 
This discussion has been archived. No new comments can be posted.
  • (Score: 2, Insightful) by Anonymous Coward on Tuesday May 05 2015, @07:39AM (#178976)

    Bruce Schneier recommends writing down your password and putting it in your wallet. NOT on the monitor or under the keyboard, though.

    As he says, when you write down a password on a piece of paper, it becomes a valuable piece of paper. And we have hundreds of years of experience storing valuable pieces of paper: In your wallet.

  • (Score: 0) by Anonymous Coward on Tuesday May 05 2015, @08:44AM (#179004)

    The fact that pickpockets can survive on their "profession" doesn't tell me that on average we are very good at securing those valuable pieces of paper.

    Indeed, I know of people who still think the back pocket of their trousers is a safe place to store the wallet.

  • (Score: 2) by Hartree (195) on Wednesday May 06 2015, @03:28AM (#179365)

    It depends on the situation. One of the reasons I said I didn't know the answer is it's going to vary depending on what you're trying to protect.

    Examples: If a particular password gets exposed, someone could authorize about $500 worth of purchases at my job. This is probably a pretty good one to keep in the wallet, as it requires other info to use, and isn't easy to convert into profit without a major physical access scam (i.e. picking up the purchased goods from someone who knows me by sight. Not likely to work).

    However, the main DBA password for credit card processing would not be a good candidate for this. Why? Because it's a massively larger target of a type that might well be targeted by social engineering combined with burglary or targeted pickpocketing of the administrator (probably an inside job to boot).

    So, it has to be tailored to the situation. The problem is that the usual means, password checkers and regular changes, aren't combined with the training of users to store the passwords in an appropriate way. And, of course, if you tell someone to write the password down and they lose it, you're probably liable in the eyes of management. As I said, these aren't technical problems, but human problems. The technical solutions are not effective for security, but are effective at solving another human problem: keeping managers and others from getting into trouble when there is a breach, i.e. "I never told them to write the password down! It's not my fault."