[Discuss] A Little OT: The Password Post-It
Chris O'Connell
omegahalo at gmail.com
Wed Apr 18 11:45:45 EDT 2012
Greetings All,

I've noticed that some of my users have been writing their passwords on post-its and leaving them all over the place. Our office has a Written Information Security Policy that each user signed, stating that passwords are not to be written down and stored in plain sight. Management at my company isn't interested in disciplining anyone regarding these violations.

As some of my users are in their late 70s and late 80s, I kind of understand the need to write passwords down. However, some of my other users are just plain dumb and complain all day about how many passwords they have to remember and how hard their lives are as a result. One particularly whiny person can't remember the four-digit alarm code that she uses every day to get into our building. As a result she has written it on the back of her business card and leaves it in her cell phone case.

I've come to realize that making things "more secure" is actually making our information systems less secure. Further, adding levels of security is making the computer-using experience at my organization more challenging for the already technically challenged. For example, enabling password complexity requirements just makes things harder for people to remember. The result is more passwords written on post-its.

I think we, as IT professionals, have to acknowledge that not all of our users are as savvy as we are. Not everyone is going to be capable of keeping their passwords straight.

Perhaps the solution is to make things easier for our end users. I'm thinking now that I should install single-sign-on software on all workstations. Once a user logs in they will never have to enter a password again (after the initial setup at least). On its face, this may seem like a terrible solution. I'm thinking though that this might actually make things more secure as users will not be confused by multiple passwords. Hopefully, this will result in fewer post-it passwords.

I can then thoroughly secure the workstations by deploying BitLocker and forcing the screens to lock after a certain period of inactivity. By securing the workstation I'm not noticeably inconveniencing users. This is a bit of give-and-take, but a possible win-win.

I'm wondering if anyone else has had similar troubles in the past. Any creative solutions? I've recommended terminating at least one person here, but I think my boss thought I was kidding ;-)
--
Chris O'Connell
http://outlookoutbox.blogspot.com
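The two workstation controls the post proposes, full-disk encryption and an inactivity lock, are only useful if they are actually enforced on every machine. Below is an added compliance-check script, not part of the original message, that a defender could run (or push through a scheduled task) to verify both. It assumes Windows 8 / Server 2012 or later with the BitLocker PowerShell module, an elevated prompt, and a 15-minute idle limit; the 900-second threshold is an assumed policy value, not one the post states.

```powershell
# Added example (not from the original post): audit a Windows workstation for
# the two controls proposed above: BitLocker protection and an inactivity lock.
# Assumes Windows 8 / Server 2012 or later with the BitLocker module, run from
# an elevated prompt. $MaxIdleSeconds (900 = 15 min) is an ASSUMED policy value.

param(
    [int]$MaxIdleSeconds = 900
)

$findings = @()

# 1. BitLocker: the OS volume and every fixed data volume should be fully
#    encrypted with protection ON. A volume that is encrypted but has
#    protection suspended does not protect data at rest.
$volumes = Get-BitLockerVolume -ErrorAction Stop
foreach ($v in $volumes) {
    if ($v.VolumeType -notin @('OperatingSystem', 'Data')) { continue }
    if ($v.VolumeStatus -ne 'FullyEncrypted' -or $v.ProtectionStatus -ne 'On') {
        $findings += "BitLocker: $($v.MountPoint) is $($v.VolumeStatus), protection $($v.ProtectionStatus)"
    }
}

# 2. Inactivity lock. Either of two mechanisms satisfies the control:
#    a) the machine-wide policy "Interactive logon: Machine inactivity limit"
#       (InactivityTimeoutSecs under HKLM ...\Policies\System; 0 = disabled), or
#    b) a policy-enforced screen saver for the current user that is active,
#       requires a password on resume, and times out within the limit.
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$inactivity = (Get-ItemProperty -Path $sysPol -Name InactivityTimeoutSecs `
    -ErrorAction SilentlyContinue).InactivityTimeoutSecs
$machineLockOk = ($inactivity -gt 0) -and ($inactivity -le $MaxIdleSeconds)

$ssPol = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$ss = Get-ItemProperty -Path $ssPol -ErrorAction SilentlyContinue
# Policy values here are REG_SZ strings, hence the string compares and [int] cast.
$screenSaverOk = $ss -and
    ($ss.ScreenSaveActive -eq '1') -and
    ($ss.ScreenSaverIsSecure -eq '1') -and
    ([int]$ss.ScreenSaveTimeOut -gt 0) -and
    ([int]$ss.ScreenSaveTimeOut -le $MaxIdleSeconds)

if (-not ($machineLockOk -or $screenSaverOk)) {
    $findings += "Lock: no enforced inactivity lock within $MaxIdleSeconds s " +
                 "(InactivityTimeoutSecs='$inactivity', screen-saver policy present: $([bool]$ss))"
}

# Exit code makes the script usable from a scheduled task or a config-management agent.
if ($findings.Count -eq 0) {
    Write-Output "PASS: BitLocker on and inactivity lock enforced on $env:COMPUTERNAME"
    exit 0
}
else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The screen-saver branch reads the per-user policy hive, so it reflects the user running the script; the machine inactivity limit applies to every interactive logon regardless of user, which is why it is checked first and is the more robust of the two to rely on. The script reports rather than remediates, so it can be run read-only against a fleet before any settings are changed.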