I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.
If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.
If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.
I mean, you’re comparing very different scenarios.
If one account gets broken into and their password hashing was crap, the attacker can try the email/password combo with other services and can stumble onto another one you use.
If someone has access to your sticky note they have all your accounts.
I don’t think I’d call either of them better.
Of course, all this assumes no second auth factor.
If someone has access to your sticky note they’re already in your house, and that’s a bigger issue IMO… even from an itsec perspective, once the attacker has physical access to guarantee safety is difficult.
But seriously, there’s a guy in your house.
My house is not a prison… yes, other people come over. There’s the occasional party, handymen doing work, neighbors, parents of kids from school, kids sleeping over, and so on. It doesn’t have to be the ninjas breaking in.
If you don’t casually keep wads of cash in the open around the house you probably shouldn’t have logins on a post-it either. But to be fair the kind of person that does the latter does the former too.
If I know they are there then I either supervise visitors or trust them to not rummage/take my stuff. If that is your issue then keep your postit in a drawer; most people don’t keep their yubikeys in a securely bolted safe either.
Just shift the password descriptions a few spots compared to the passwords, then you’ll get email about failed logins as a canary.