[Retric]

No offence, but if your not going to fire people when you find their password written down then there going to write their password down. Written policies are practically irrelevant it's enforced policies people pay attention to.

One example of security. Someone (A) giving a breafing has someone (B) grabs at it so they can read the document. At which point (A) pulls his sidearm and threatens (B). Later (A) is given an intense debriefing to verify that he was willing to shoot (B) and simply wanted to clarify the situation vs being unwilling to shoot (B). (B) was later told he was lucky not to have been shot.

[tsotha]

It doesn't matter if you fire people. You're not going to catch the vast majority of them, and they know it.

[dllthomas]

From what you said earlier you can catch 70% of them pretty easy.

[tsotha]

Sure, if you go through all their stuff. And then what? Do we fire 70% of our staff?

[dllthomas]

Well, you could. Whether you should depends on the context, including importance of security, importance of institutional stability, other available mechanisms for punishment, &c...

But honestly, I mostly just thought the inconsistency between your two figures was amusing.

[tsotha]

The inconsistency is a result of the fact that that number came from a one-time, expensive, intrusive audit that necessarily covered a subset of all our people. Even then we didn't go through anyone's wallet where I would expect to find at least that many.

After that the password policy was substantially relaxed so people could remember them more easily, and dire warnings were issued about writing them (and safe combinations) down. I moved on to a new job shortly after, so I'm not sure how much those warnings were taken to heart.

[dllthomas]

Well, wallet is a much better place than desk drawer.

https://www.schneier.com/blog/archives/2005/06/write_down_yo...

Still may or may not be acceptable, depending on context.