[ab_c]

I feel sorry for this dev as I've seen people do a lot of cluelessly dumb shit over the years when it comes to security.

For example, I worked in a place which hires co-op students and every year there'd be at least one university-educated student who --after being told not to-- would put their nondescript FOB security key card in their wallet. In the event they lose their wallet, any stranger can google the name found on their drivers license to find out information about them, their friends, or their place of employment.

Then there are the countless startups where the boss has decided they don't need to worry about security so their communal password is "password" and they keep their user database in plain text. Nobody takes security seriously until it blows up. And that tends to be the common attitude from business management: worry about it when it's a problem.

[fiddlerwoaroof]

This example isn't particularly good: I'm much more likely to lose a random keycard in my pocket than my wallet so, although having the keycard in my wallet might make it easier to figure out what door it opens, it also makes it much less likely that I'd lose my keycard in the first place.

[bcaa7f3a8bbc]

> I'm much more likely to lose a random keycard

On this example, I don't think it's a problem as well. First, the keycard has a PIN. After 3 failed attempts, it would either self-destruct the private key or lock itself down until a secret recovery code is provided. Second, private keys on keycards that are reported as lost can be revoked immediately.

[vl]

>after being told not to-- would put their nondescript FOB security key card in their wallet.

But what specifically are they supposed to do with the security key card? What mode of securing and transportation do you envision?

[rightbyte]

The same thing that we are supposed to do when we need to make up a new password every 3 months. Absolutely not add 1 to it and call it a day.