Password Log Books: No Business Ethics or Lack of Security Education?

By | January 27, 2017

Last week I was visiting the stationery department of a bookstore chain and, while looking for a birthday card, a small booklet with a red faux leather cover caught my attention.

Embossed on the cover were the words LOGINS & PASSWORDS in uppercase gold characters.

I took the booklet from the shelf and opened it to better understand what it was. To my surprise I realized that the pages of the booklet were intended to store logins and passwords for websites and online services.

This product, which might seem a cute little gadget to carry around in your bag, is – in my humble opinion – an extremely dangerous item.

Let me explain why. Imagine for a moment that Mr. Smith (a fictional person) buys this logbook and soon starts filling it with all his logins and passwords, let's say from his home router to online banking, from email to social accounts. A separate section is then filled with all his credit and debit cards, CVV included. Ok, that's done.

The inner pages of Logins and Passwords Index Book from Fabriano.

Now Mr. Smith happily carries all his credentials in his logbook, which he always brings with him in his hand bag. One morning Mr. Smith jumps on a packed subway train heading to work. He does not realize that Marc (a thief) is behind him looking for something to steal. Marc pulls out a blade hidden in his hand, makes a small cut in Mr. Smith's bag, and the Passwords Logbook falls into his hand. Marc quickly puts the logbook in the pocket of his jacket and runs out of the train at the next station.

Out on the street Marc is initially frustrated because he was expecting to steal a wallet with cash; instead he only got a small booklet with some strange information written inside. It happens that just behind the block lives John, a hacker friend of Marc. In five minutes Marc rings John's doorbell, and after a few minutes the two – using the credentials from the logbook – have already logged into Mr. Smith's online banking, started transferring funds to other accounts and gone shopping at several online outlets. In less than 20 minutes Marc and John have drained all the credit available on Mr. Smith's cards and emptied his bank account. All notifications sent to Mr. Smith's email are quickly deleted by John.

Fabriano Logins and Passwords Index Books.

Because of the very noisy morning traffic, Mr. Smith could not hear any of the notification messages he got on his cellphone while he was walking to the office. Only when he arrived at his desk and pulled the smartphone out of his bag did he realize that someone had stolen the Passwords Logbook from his bag, taken all the money from his bank account and also used the credit he had on his Visa card. He only got a few SMS messages, as the emails had been deleted by John.

This story ends with Mr. Smith realizing that the purchase of the cute little Passwords Logbook was a huge mistake.

The Personal Internet Address & Password Logbook from Peter Pauper Press.

This is a purely fictional story, but what I wrote can happen to anyone who uses any method to store the logins and passwords of his accounts in plain text.

Now, something else comes to my mind: shouldn't it also be a business's responsibility not to put on the market products that can potentially harm its customers?

The Logins and Passwords Logbook that I saw in the store was made by Fabriano, a very old and extremely reputable Italian company, and I honestly find it difficult to believe that a serious business like them knows the real harm of the logbook they produce and sell. I will try to write them a letter to see what they think of the matter.

Further online searching on the subject opened a new world to me: I found that there are hundreds of different types of Passwords Logbook for sale.

The American Peter Pauper Press has a full series of logbooks for really all tastes, and Barnes & Noble beats everyone with more than five hundred different models!

My opinion here is that you should never purchase any logbook to store your account credentials.

What I can recommend is to delegate the delicate task of storing all your sensitive information to a dedicated password keeper service (either in the cloud or on the desktop) that encrypts all your data and stores it protected by a master password, or even better by 2FA (two-factor authentication).


What do you think?
