Shortly after my lunch I saw the following tweet from David Pogue, technology columnist for The New York Times.
Given Pogue’s large following, I was disappointed by the advice he gave.
A secure password on a laptop isn’t to keep semi-trusted people off of it. It’s to keep it protected in the event that the hard drive is lost. Arguably, the drive could be removed and read without booting it, removing all password protection, but a good password combined with disk encryption can help protect data from theft.
Pogue argues that he doesn’t need a password for security, but any information that is stored on file servers or worse, in his keychain, is accessible with that simple password he is using. Failing to have a secure password not only places his data at risk, but the data of those he might know or work with.
Even if gaining physical access (e.g. finding the computer or stealing it) would grant a person a huge advantage, this is not an excuse to make the password so incredibly simple. And for one of the most well-known technology columnists to suggest otherwise to his 444,666 followers is negligent, bordering on criminal.
Brandon Savage is the author of Mastering Object Oriented PHP and Practical Design Patterns in PHP
Posted on 6/14/2009 at 8:18 pm
Keith Casey (@CaseySoftware) wrote at 6/14/2009 9:28 pm:
Amazing.
Even when I use my laptop for music when we have people over, I log into a separate locked down guest account. It’s not that I don’t trust my friends and family – though maybe I shouldn’t ;) – it’s that I have sensitive information for a variety of customers, people, and organizations in my possession.
Not using a password would be a flagrant disregard for the NDAs I have in place… and may be actionable if something leaked.
Seynaeve (@seynaeve) wrote at 6/15/2009 2:36 am:
Accuracy: To access a machine via Internet, it must be protected by password. Therefore, not having a password is a light security over against piracy.
Brandon Savage (@brandonsavage) wrote at 6/15/2009 5:42 am:
While I wish I could say you’re right, I think that you’re naive if you see having no password as any security.
There’s a belief that Windows machines (and perhaps others) are safer online without passwords; this is categorically untrue. This viewpoint ignores hundreds of attacks against open ports and running services, not to mention it fails to address the biggest security flaw laptops have: their portability.
A laptop password doesn’t exist to protect the laptop online, though that helps. It exists to protect the laptop from being accessed if physically stolen. Combined with good disk encryption, unlocked by the password, the user can be reasonably confident about the laptop’s security.