Passwords can create serious headaches for anyone using a protected application. Users have to remember passwords; support personnel must reckon with them when addressing incidents. In a recent article, Pat Vickers outlined reasons why support personnel should avoid asking users for their passwords. According to a current TechRepublic discussion, members’ experiences show that passwords are regarded with either too much confidentiality or too much flippancy. Here’s a selection of several password horror stories from TechRepublic members.
The writing’s on the wall
When member Jeff Dray worked for a major telecommunications company in the United Kingdom, he witnessed a potentially disastrous breach in password security.
Dray noticed that in one of the downtown offices, someone had posted all user identifications and passwords on a dry-erase board that could be read from the street. “These were the IDs for the confidential billing system which gave access to personal account information.”
A “witch hunt” ensued, and the guilty personnel were dully chastised. However, when he passed the office several weeks later, “the new IDs and passwords were clearly visible from the pub across the road! All I needed was the dial-up number, and I could have wreaked havoc.”
Although the passwords weren’t being broadcasted to pedestrians at BrianCunningham’s former organization, they were found written on pieces of paper that users tucked under their keyboards. At night, a cleaning person was accessing machines at the administrative assistants’ workstations and downloading pornography.
As a result, when Cunningham finds passwords jotted down on Post-It notes, he sends an e-mail to the guilty person, his or her supervisor, his own boss, and Human Resources—all from the guilty party’s account.
“I also lay a copy of our company security policy on the user’s desk with the portion about being reprimanded in writing highlighted.”
When documentation is necessary
The dangers of too many people having access to passwords are apparent. However, Tim Uckotter offers an anecdote with an entirely different password dilemma.
In Uckotter’s organization, a senior manager had protected all of his important files with passwords. Sadly, the man had a massive heart attack and died in the company’s lobby.
“No one in the building knew his password nor was it securely filed away in our safe. That oversight, not knowing his password, was financially damaging.”
Member bimps’ experience reaffirms the need for proper password documentation. When bimps started working for a regional police force, users faced a time-consuming process if they forgot their passwords or were locked out of their accounts. The officers had to wait for hours before a password was reset. A lot of the process involved sending faxes back and forth in order to obtain official signatures confirming the password change. Had their passwords been securely documented somewhere in the office, the officers wouldn't have been forced to go through this long process of recovering or changing their passwords.
“They needed to book in arrested individuals and were unable to perform their jobs. Worse, they looked foolish in front of these people.”
Do you have any password horror stories? How do passwords affect your ability to provide efficient technical support? Join the discussion and share your password war stories, concerns, or advice.