Password vs. Post-it: Two false paths in comparing password security
- Daniel Eberhorn


Image generated by OpenAI's DALL·E
A while ago, I stumbled across a provocative post on LinkedIn that read, "No password is no less secure than a password on a post-it stuck to the keyboard." This statement sparked heated discussions in the comments - was this justified?
Is it really the case that both are equally unsafe? Or are there scenarios in which one of the two options offers at least a hint of security?
It is a seemingly absurd comparison, yet it shows what everyday insecurities in IT and password security look like, and how important it is to consider even seemingly trivial questions from the perspective of modern cyber security.
No password: Absolute openness
A passwordless system means anyone with physical or remote access can gain complete control. This is especially critical in shared or networked environments.
Why is "no password" problematic?
No protection against unauthorized access: Without a password, there is no authentication barrier. Anyone with physical access can immediately log in, change configurations, or exfiltrate data.
Increased attack surface through networks: Systems without access protection and with open network ports (RDP, SMB, SSH, etc.) provide entry points for automated attacks, especially in poorly segmented networks.
No traceability: Actions cannot be assigned to specific users. From a logging, compliance, and forensics perspective, this is fatal because accountability is lacking.
Risk with malware and automated scripts: Malware that does not need to bypass any authentication mechanism can become active immediately.
A system without a password is therefore not only insecure; it negates the fundamental principles of information security: confidentiality, integrity and availability.
Password on the keyboard: protection or false security?
A written-down password may seem like a caricature of modern security measures - but unlike "no password," it offers at least rudimentary protection. Nevertheless, this method also carries significant risks.
Advantages:
Basic protection against remote access: In contrast to an open system, a password represents at least one hurdle for network-based attackers.
Possibility of limiting rights: If the note only provides access to an account with limited rights (e.g. standard user), the risk can be limited locally.
Disadvantages:
Easy physical access: Anyone in the room, including guests, suppliers, or cleaning staff, can read and use the password.
Lack of security awareness: Visible passwords signal a lack of training and are often an indicator of further vulnerabilities.
Potential reproduction: A photographed or written password can be reused in any way.
Conclusion: The note offers protection against remote attacks, but can be bypassed just as easily with physical access as a missing password. It remains a workaround - but not a valid security mechanism.
Guest accounts: nostalgia or a viable option?
Windows used to offer a classic "guest account" (username: Guest), which was disabled by default and had minimal permissions. However, since Windows 10 Build 10159, this account has been officially removed. Even if it is enabled via the command line (the account is named Gast on a German-language Windows installation),
net user Gast /active:yes
today you only get a standard user, without the original restrictions.
What options exist today?
Restricted local user accounts: These can be set up manually and are granted only minimal rights. It is recommended to further harden them with software restriction policies or AppLocker.
Kiosk mode (Assigned Access): Windows allows you to define a single authorized program using this mode - ideal for information terminals or guest devices.
Temporary cloud-based accounts: In Azure AD environments, you can create temporary users with an expiration date - for example, for partners or interns.
Evaluation of these alternatives:
Limited rights: Whether local or cloud-based, these accounts prevent changes to system configurations or installations.
Temporary use: Ideal for situations with changing users, such as meeting rooms, training PCs, or hotdesks.
Hardening necessary: Even restricted accounts can be targeted by privilege escalation. Without additional measures, they are not automatically secure.
Conclusion: The classic guest account is history. Modern alternative solutions are available, but they require a conscious security concept.
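As an added example (not code from the original post), the following PowerShell creates the kind of restricted, time-limited local account described above and enables logon auditing so that its use is traceable. The account name, the eight-hour lifetime, and the use of auditpol for the logon subcategory are assumptions made for this illustration; it must be run in an elevated PowerShell on Windows 10/11.

```powershell
# Added example, not from the original post. Assumptions: elevated PowerShell on
# Windows 10/11; 'Visitor' and the 8-hour lifetime are placeholders for this illustration.

$Name     = 'Visitor'                              # hypothetical account name
$Lifetime = (Get-Date).AddHours(8)                 # account expires after one working day
$Password = Read-Host -AsSecureString -Prompt "Password for $Name"   # never hard-code it

# 1. Confirm the legacy Guest account is not being relied upon (it should be disabled).
Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled

# 2. Create the account with an expiry date so it cannot simply be reused next week.
if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $Name -Password $Password -AccountExpires $Lifetime `
        -Description 'Temporary restricted visitor account' `
        -UserMayNotChangePassword
}

# 3. Membership in 'Users' only: a standard user cannot change system configuration
#    or install software. Further hardening (AppLocker, Assigned Access) is separate.
Add-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue

# 4. Verification: the account must not appear among the local administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -match "\\$Name$") { throw "$Name unexpectedly holds administrator rights" }

# 5. Traceability: record successful and failed logons (Security log) so that
#    actions on the machine can be attributed to this account.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null

# Show the result: name, enabled state and the expiry that ends the access window.
Get-LocalUser -Name $Name | Select-Object Name, Enabled, AccountExpires
```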
Comparison table: Security practices in check
| Criterion | No password | Sticky note | Guest/Limited account |
|---|---|---|---|
| Remote protection | none | available | depending on configuration |
| Physical security | no | very low | moderate (depending on access control) |
| Traceability | not possible | partially possible | given (logging, event viewer, etc.) |
| Recommendation | absolutely avoid | only in an emergency | conditionally suitable to recommended |
Conclusion: The lesser of two evils is not enough in password security
From a cybersecurity expert's perspective, neither foregoing a password nor visibly posting one can be considered a responsible security measure. Both options symbolize a negligent approach to access control, one of the most fundamental pillars of IT security. While the missing password is like an invitation to break in, the sticky note is at best a flimsy door with an open handle.
A locally restricted account, with well-thought-out permissions allocation, a disabled command line, disabled network interfaces, and enabled event logging, already represents significant progress. If this configuration is supplemented by measures such as multi-factor authentication (MFA) or smart card login, an appropriate level of protection can be achieved even for temporary access.
For example, temporary Azure AD accounts with expiration dates, local users with restrictive software policies, or kiosk mode for terminal devices can ensure that guests or changing users have access, but that this access is strictly controlled and time-limited. The use of FIDO2/WebAuthn, especially in Zero Trust architectures, also reliably prevents credential reuse or phishing attempts - even if a password is compromised.
Another practical example: In a corporate training environment, sticky notes with passwords were previously stuck to the monitors. Today, the same organization uses automatically reset, time-limited user profiles that are activated via a self-service portal with a one-time SMS verification. The result: no more liability risk, complete traceability, and no more IT cleaning up afterward.
Conclusion
The security of temporary access does not depend on the medium (paper or digital), but on the combination of technical implementation, organizational processes, and awareness of security risks. Those who persist in the debate about "no password vs. sticky notes" quickly lose sight of modern, contemporary, and, above all, future-proof solutions - solutions that not only address current threat scenarios, but are also scalable, auditable, and can be integrated into a long-term security strategy.
Because one thing remains clear: Cyber security does not begin with technology, but with the decision to take responsibility for secure systems.