The Glory of Post-It Notes
Post-It Notes are wonderful things. Remind yourself of that person to call, that phone number you need, or the report the boss needs done by tomorrow. When your Outlook isn’t enough, post-its are there. And they attach so nicely to your computer monitor. Indeed, they’re an absolutely ideal place to write down the passwords that the IT department makes you change every three months.
You’re shocked, just shocked. No one in your organization writes down passwords in places that every one including the lunch delivery guy can see them. And no one ever shares their passwords with colleagues. But believe it or not, I see it all the time. Which brings me to a recent conversation I had with an outside auditor.
My client has grown dramatically and for the first time, a major national firm is auditing the books. As my team has a lot of responsibility for their financial system, I’ve been answering lots of questions. There are, thankfully, no major issues as the system works pretty well. (Can you hear the sound of me patting myself on the back?) Still, it’s the first time this client has had to answer these questions. While some of them do make a lot of sense, others make little.
For example, the auditors want to know how often we make people change passwords and how complex they have to be. According to them, this is best practice. That’s not news to me. I’ve been through this before and know that auditors like nothing more than passwords that change regularly. The problem is that users really hate passwords that change regularly and that are overly complex. The auditors seem reasonable and aren’t going to make us change anything. Yet.
Now, I’m all about security and limiting access to system resources. I just don’t think that complex passwords are the answer. Indeed, most people who deal with security know that user-assigned passwords are an ineffective way to keep a system secure.* Of course, more secure methods to control access often cost more money. So, because companies don’t want to spend more money, they hide behind this “best practice” which accomplishes little. And which results in a lot of post-it notes on computer monitors. Present company excluded.
* If you want a good book on the subject, check out Secrets and Lies: Digital Security in a Networked World by Bruce Schneier.