diff --git a/content/notes/04-authentication-authorisation-passwords.md b/content/notes/04-authentication-authorisation-passwords.md index 70a9c165d..4727765bf 100644 --- a/content/notes/04-authentication-authorisation-passwords.md +++ b/content/notes/04-authentication-authorisation-passwords.md @@ -41,4 +41,12 @@ tags: - one is useless without the other - many security vulnerabilities are caused by inexperienced/incompetent programmer creating systems that only have one or the other - authenticaion without authorisation can lead to *path traversal* flaws -- authorisation without authenticaion is the equivalent of blindly trusting your users. \ No newline at end of file + - changing the url path to find admin sites +- authorisation without authenticaion is the equivalent of blindly trusting your users. + +# Passwords +- not good +- lots of bad advice +- we are lazy +- "safe" passwords are difficult to enter on touch screen devies +- to many accouts \ No newline at end of file
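Review bot: the new sub-bullet `- changing the url path to find admin sites` is nested under the *path traversal* bullet, but what it describes is forced browsing (reaching a page whose URL is guessable because no authorisation check runs), whereas "path traversal" conventionally means `../` sequences in file-system paths; consider retitling the parent bullet as "missing authorisation / broken access control" or stating the distinction explicitly so the two flaw classes are not conflated. The re-added line `- authorisation without authenticaion is the equivalent of blindly trusting your users.` carries the same "authenticaion" typo as the unchanged context line above it (fix both to "authentication"), and the unchanged context also has "inexperienced/incompetent programmer creating" where "programmers" reads better. In the new `# Passwords` section, "devies" should be "devices" and "to many accouts" should be "too many accounts"; the file also still ends without a trailing newline, which keeps producing the `\ No newline at end of file` marker on every future diff.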