Five tips for preventing user screw-ups

You can make your own job easier -- and help your users stay productive -- by preempting some common mistakes. Jack Wallen outlines several good ways to keep your users out of trouble.

Let's face it, everyone screws up. From the uppermost IT manager to the most inexperienced end user, no one is immune from making mistakes. But there are certainly ways of preventing some of them from happening. Here are some of the best measures you can take to keep your users from fubaring their systems.

1: Schedule tasks

You wouldn't believe how much scheduling various tasks can help prevent issues. The tasks you should definitely schedule are:

  • Virus definition updates
  • Virus scans
  • Malware definition updates
  • Malware scans
  • Defragmenting
  • Disk cleanup
  • Data backup

And just to be on the paranoid side, you should schedule all end users to change their password every 30 days. Scheduling these tasks eliminates the risk of users overlooking them and leaving their PCs vulnerable to various issues.
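Most of the items on that list can be registered from PowerShell once rather than clicked through on every machine. What follows is an added example, not code from the article: it registers weekly off-hours disk cleanup and defragmentation, a daily Windows Defender definition update plus quick scan, and a nightly backup, then enforces the 30-day password change above domain-wide. It assumes an elevated session on Windows 8 / Server 2012 or later (for the ScheduledTasks and Defender modules) and the RSAT ActiveDirectory module for the password policy; the task names, the backup target E: and the quick-scan choice are my own.

```powershell
# Added example, not from the article. Run from an elevated PowerShell session.
# Assumes the ScheduledTasks and Defender modules (Windows 8 / Server 2012+)
# and the ActiveDirectory RSAT module. Task names and targets are placeholders.

# All maintenance runs as SYSTEM outside office hours, so scans and
# defragmentation do not compete with users for the disk during the day.
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -RunLevel Highest

# Disk cleanup, Sundays 02:00. "cleanmgr /sagerun:1" replays the options saved
# once interactively with "cleanmgr /sageset:1" on the same machine.
$cleanup = New-ScheduledTaskAction -Execute 'cleanmgr.exe' -Argument '/sagerun:1'
Register-ScheduledTask -TaskName 'Maintenance - Disk Cleanup' -Action $cleanup `
    -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 2am) `
    -Principal $principal -Force

# Defragmentation of the system drive, Sundays 03:00.
$defrag = New-ScheduledTaskAction -Execute 'defrag.exe' -Argument 'C:'
Register-ScheduledTask -TaskName 'Maintenance - Defrag' -Action $defrag `
    -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 3am) `
    -Principal $principal -Force

# Definition update followed by a quick scan, daily at 01:00. Update-MpSignature
# and Start-MpScan are the Windows Defender cmdlets; other antivirus products
# ship their own scheduler or command-line scanner.
$scan = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "Update-MpSignature; Start-MpScan -ScanType QuickScan"'
Register-ScheduledTask -TaskName 'Maintenance - AV Update and Scan' -Action $scan `
    -Trigger (New-ScheduledTaskTrigger -Daily -At 1am) -Principal $principal -Force

# Nightly backup of C: to a second disk (E: is a placeholder) with wbadmin;
# the Windows Server Backup feature must be installed for this to run.
$backup = New-ScheduledTaskAction -Execute 'wbadmin.exe' `
    -Argument 'start backup -backupTarget:E: -include:C: -quiet'
Register-ScheduledTask -TaskName 'Maintenance - Backup' -Action $backup `
    -Trigger (New-ScheduledTaskTrigger -Daily -At 11pm) -Principal $principal -Force

# Verify what was registered and when each task fires next.
Get-ScheduledTask -TaskName 'Maintenance - *' | Get-ScheduledTaskInfo |
    Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime

# The 30-day password change from the article, enforced domain-wide instead of
# per user. A one-day minimum age stops users from cycling straight back to the
# old password.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MaxPasswordAge (New-TimeSpan -Days 30) -MinPasswordAge (New-TimeSpan -Days 1)
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount
```

The final `Get-ScheduledTaskInfo` line is the check worth keeping: a `LastTaskResult` other than 0 means the task ran but the command failed, which is the silent failure a scheduled job would otherwise hide.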

2: Keep a tight rein on permissions

Unless you can think of a solid reason to make an end user a local administrator, don't. I understand this can be a real hassle in certain situations, and particular applications might require local admin rights just to run. But unless it is absolutely necessary... it is not at all necessary. The less your end users CAN do, the less they WILL do. The biggest issue with this setup is that you will come off as having some serious control issues. But in the interest of cost cutting and/or sanity saving, keeping your end users from running tasks that should be run by an administrator can be a big help. Be warned: this will cause you a lot of running to and from offices to enter admin credentials. To that end, make sure you can remote into those end-user machines quickly.
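Keeping the rein tight only works if you can see where it has slipped. The following is an added example, not code from the article: it lists every member of the local Administrators group on a set of workstations, flags the ones that are not on an approved list, and shows the usual alternative for the application that "needs admin just to run", which is granting Modify on the application's own folder instead. It assumes PowerShell 5.1 or later on the targets (for `Get-LocalGroupMember`), PowerShell Remoting enabled, and an account with admin rights there; the computer names, group names and folder are placeholders.

```powershell
# Added example, not from the article. Assumes PowerShell 5.1+ on the targets
# (Get-LocalGroupMember), PowerShell Remoting enabled, and an admin account
# there. Computer names, group names and the folder are placeholders.

function Get-UnexpectedLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # Principals allowed to be local administrators everywhere.
        [string[]] $Approved = @('CORP\Domain Admins', 'CORP\Workstation Admins')
    )
    # Invoke-Command tags every returned object with PSComputerName.
    $members = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    }
    foreach ($m in $members) {
        # The machine's own built-in Administrator is reported as HOST\Administrator.
        $builtInAdmin = "$($m.PSComputerName)\Administrator"
        if ($m.Name -eq $builtInAdmin -or $Approved -contains $m.Name) { continue }
        [pscustomobject]@{
            Computer = $m.PSComputerName
            Member   = $m.Name
            Type     = $m.ObjectClass       # User or Group
            Source   = $m.PrincipalSource   # Local or ActiveDirectory
        }
    }
}

# Report every extra local admin on the workstations named here (placeholders).
Get-UnexpectedLocalAdmins -ComputerName 'WS-ACCT-01', 'WS-ACCT-02' | Format-Table -AutoSize

# Remove a member that should not be there; the change is made on the remote
# machine, so it goes through Invoke-Command as well.
# Invoke-Command -ComputerName 'WS-ACCT-01' -ScriptBlock {
#     Remove-LocalGroupMember -Group 'Administrators' -Member 'CORP\jdoe'
# }

# For the application that "needs admin just to run": it usually only needs to
# write into its own folder. Grant Modify (M) on that folder, inherited by files
# (OI) and subfolders (CI), to the users' group instead of making them admins.
icacls 'C:\Program Files\LegacyApp' /grant 'CORP\LegacyApp Users:(OI)(CI)M' /T
```

Run the audit on a schedule and keep the output: a user who turns up in the Administrators group between two runs is exactly the case the paragraph above is trying to avoid, and the report tells you which machine to remote into.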

3: Preempt password resets

This one might seem overly elementary, and you will certainly think that it is not your responsibility. However... Keep an encrypted spreadsheet (or encrypted text file) with updated user passwords. Why? Your users ARE going to forget their passwords. You can count on it. Instead of your having to go back to the Active Directory user manager and reset their passwords, just keep an updated file with all the passwords in it. That way, all you have to do is a quick lookup. Just remember to encrypt that file so only you can see it.

4: Don't sacrifice security for usability

As annoying as Windows 7's UAC is, it is not without purpose. In fact, that annoying feature is an integral part of the Windows 7 security mechanism. Many people disable UAC to get around that bothersome popup. That might be fine on an admin's machine (not a server, of course). But with end users, who will be trying to download and install the strangest, most unsafe tools imaginable, you do not want this happening without some warning being passed to them. With Windows Vista, UAC was nothing more than a serious annoyance. Windows 7 has gone a long way toward actually making UAC useful. So do not disable this feature.
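Whether UAC is actually on is a registry question, and it is worth asking on every end-user machine rather than trusting that nobody clicked "Never notify". This is an added example, not code from the article: it reads the UAC policy values under the documented key and reports whether UAC is off or weakened. The key and value names are Microsoft's; the wording of the verdicts is mine.

```powershell
# Added example, not from the article. Reads the UAC policy values under the
# documented registry key and reports whether UAC is off or weakened.

function Get-UacStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $key

    # Read a DWORD from $p, returning $null when the value has never been set.
    function Read-Value([string] $name) {
        if ($null -eq $p.$name) { $null } else { [int] $p.$name }
    }
    $enableLua     = Read-Value 'EnableLUA'                   # 1 = UAC on, 0 = off (after reboot)
    $adminPrompt   = Read-Value 'ConsentPromptBehaviorAdmin'  # 0 = elevate silently, 2 = always notify, 5 = Windows 7 default
    $userPrompt    = Read-Value 'ConsentPromptBehaviorUser'   # 0 = auto-deny, 1 or 3 = ask for admin credentials
    $secureDesktop = Read-Value 'PromptOnSecureDesktop'       # 1 = prompt on the dimmed secure desktop

    $findings = @()
    if ($enableLua -eq 0) {
        $findings += 'UAC is disabled (EnableLUA=0): nothing prompts, and file/registry virtualization is off too.'
    } else {
        switch ($adminPrompt) {
            0 { $findings += 'Administrators elevate without any prompt (ConsentPromptBehaviorAdmin=0).' }
            5 { $findings += 'Windows 7 default: signed Windows binaries auto-elevate; use 2 ("Always notify") on end-user machines.' }
        }
        if ($userPrompt -eq 0)    { $findings += 'Standard users get silent denial instead of a credential prompt (ConsentPromptBehaviorUser=0).' }
        if ($secureDesktop -eq 0) { $findings += 'Prompts are not shown on the secure desktop (PromptOnSecureDesktop=0).' }
    }
    $summary = if ($findings.Count -gt 0) { $findings -join ' ' } else { 'UAC enabled at the strict setting.' }

    [pscustomobject]@{
        Computer                   = $env:COMPUTERNAME
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $adminPrompt
        ConsentPromptBehaviorUser  = $userPrompt
        PromptOnSecureDesktop      = $secureDesktop
        Findings                   = $summary
    }
}

Get-UacStatus | Format-List

# Re-enable UAC where someone switched it off (takes effect after a reboot).
# The durable fix is the matching Group Policy setting under Computer
# Configuration > Windows Settings > Security Settings > Local Policies >
# Security Options ("User Account Control: Run all administrators in Admin
# Approval Mode"), which also stops local users from switching it off again.
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -Value 1
```

Wrap `Get-UacStatus` in `Invoke-Command -ComputerName` to run it across the fleet; any machine whose `Findings` is not the strict-setting line is one where the warning the paragraph describes is no longer being shown to the user.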

5: Provide some basic training

Don't just throw your end users to the wolves without a little preparation. You can teach them a few simple things that will help you in the long run. For example, most techs take for granted what does what on a computer. But how many times have you told users to open a browser, and they had no idea what you were talking about? Teach them what a browser is, which office tools do what, what Outlook can do, what keyboard shortcuts are, etc. And don't presume that an end user knows what it means to safely turn off a computer. Tell some users to shut down their computer and they will simply reach for the power button. And just like that, you have possible data loss on your hands. Make sure all of your end users know the proper way to shut off their machines. This is especially true for your mobile users.

Additional resources

Wow, five quick and easy tips to help keep your end users from screwing up. Of course, these five tips won't completely prevent end users from messing up your machines. But the more steps you take on the front end, the better your chances of averting quite a few typical mistakes.

Here's some further reading on the subject of avoiding preventable problems:

  • 10 dumb things users do that can mess up their computers
  • The 10 most important things to teach your users
  • 10 habits of superstitious users
  • 10 common user questions - and some analogies that help clear things up
  • Providing the right kind of help

More preemptive measures?

What do you do to prevent user issues? Do you have a checklist of items you go through with each new user? Share your ideas and thoughts with your fellow TechRepublic members.


About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

125 comments
yechuri

.. I am appalled to see a suggestion like #3. Anyone still practicing this cannot hope to continue in an IT admin job. This article must have been written with an intention to flare up and increase page views. Sorry, I could not stop myself from joining the melee...

george.jenkins

The only problem we have is trying to find a way to elevate permissions so users can install local/home-based printers they use. Also, our staff go to fires where a make-shift LAN is created with an IP-based printer. With restricted access, how do users install these types of printers without Administrator interaction? Also, #3 is just silly. Use ADUC to reset passwords; never try to remember other staff's passwords or have a physical list, it'll only get you (or your company) into trouble. If you do that, you might as well keep a list of all their Social Security Numbers too.

terry.sanderson

Point 1 says "you should schedule all end users to change their password every 30 days." Wow, I thought, that's going to generate a lot of helpdesk calls. Then point 3 says "Keep an encrypted spreadsheet (or encrypted text file) with updated user passwords." Never, Never, Never. If you have users' passwords, you can masquerade as them. How Big Brother. Jack Wallen should be looking for a new job after writing this drivel. TerryS.

vthokiejjw

This is such a bad idea... I cannot even begin to describe it.

rasilon

While it's a noble idea to educate folks about passwords, etc., it just doesn't work, in my experience. I've presented at group meetings, talked to individuals and passed numerous articles on how to create secure passwords and remember them. I still see folks who change their password by changing a number at the end. The only way to assure secure passwords is a combination of software/GPO enforced rules and enforcement of consequences when they don't follow the rules.

Who Am I Really

Problem with scheduling virus scans: imagine this: the user is working on a 27.2GB BD video project and that blasted McCrapAfee scheduled scan goes off 2 seconds after the user decides to save the project. So now, instead of it taking 16 - 25 minutes to save, it's going to take 12 hours while the scan rips off 80% of the system resources and thrashes the HDD between the scanner opening files and the project being saved. I ran a manual scan once on a system with 6 huge, nearly filled SATA-II HDDs and it took all night and part of the morning to complete, and rendered the system almost useless while it was scanning. Scheduling anything huge will only cause problems and IT complaints. Our policy is that IT does the regular maintenance work manually, on days when the office is closed, and during regular office hours only if a workstation or server etc. isn't working properly.

mcswan454

Actually, Jack, I take it back. You KNEW what kind of thread this would start when you wrote this. There is NO WAY you could be in IT/IS and NOT know the firestorm such a post would create.... I'll remember to check my Tech Sanity at the door from here on, cause the baiting? Well, I know better than that. You have a unanimous following asking you to not do what we ALL KNOW we shouldn't do. And you knew this. Hell, I even took issue with some folks here. Very well done, Sir. I do not usually rise to the bait. Good post. I won't fall for it again. (edited: It is a damn shame we don't have serious tech articles here anymore, rather than flame-baiting, so we get page view counts. Friend of mine asked, "why don't YOU blog?". I've nothing of import to say... I roll my sleeves up and do.) M.

mikifinaz1

All this security stuff is fine and good, but! One thing that overrides this like trying to spit into a fire hose is the GUI. In every damn version of every OS the makers, to satisfy their need to change things, move the GUI around. Yah, I know it is supposed to be a better idea (not). I will wager that millions of hours of wasted labor and security issues arise from the fact that the user can't find the damn controls. The real changes like making the OS run faster, leaner and on less expensive hardware are given lip service for rotating three dimensional widgets. I wish companies could back charge Microsoft, Mac etc. for the wasted time and problems caused by this. I feel like an actor in the "Pink Panther" having to fight a hidden assailant every time I boot a new system. I am not a geek, I don't have wet dreams about computer stuff, I use computers to do a job and it really chaps my lips when they move everything around, BECAUSE IT MAKES MY JOB HARDER! And, I don't think I am the only one who thinks this. How would you like it if every time you left your home someone came in and moved everything around inside, changed the location of the door and changed the locks?

BrianMWatson

I think everyone else has already covered it well enough. As an experienced IT Manager I would never allow my staff to have access to anyone else's account credentials.

JonathanPDX

"3: Preempt password resets" and "4: Don't sacrifice security for usability". Talk about contradictions. It's OK for the administrator to be lazy with security but not the users? Puh-lease! Our end users are the money-makers. We are there to SUPPORT them. So what if it takes a little time to reset a password or help them with a problem. That's our job. If someone needs some training, make sure they get it. It's cheaper in the long run. We give all our users admin rights on their PCs with the understanding that if they do screw it up, it will be re-imaged - with no guarantee their personal data will be saved. Train users from the start to understand the need for security and WHY things are done as they are, and they are usually understanding about it. Let them know that if they end up causing a breach in security by going around it in some manner, it's their butt on the line. Document the training they've had, give them a copy of the rules, and have them sign an agreement stipulating they've read and understood those rules. If a power user balks at some rule or requirement, pass it up the chain of command and let the higher-ups make a decision (and DOCUMENT that you've done so!) CYA!

jstep

I'm completely blown away by #3. That was like the second thing I learned about working in IT. Don't "know" user passwords. The first thing was "reboot".

chthao

Wow, I hope Jack takes all these comments to heart. If the reasons everyone is giving aren't good enough, consider that there could be legal reasons. In addition to that, limit your liability unless you want to be cross-examined every time one of your employees screws up. Now you're a potential suspect.

JJFitz

#1 Schedule all users to change their password every 30 days? I think 90 days is sufficient. They already hate the 90 day rule. There would be a mutiny if I shortened it to 30.

#2 I absolutely agree. No one outside of IT should have local admin rights on a computer that can connect to a network. There was a lot of grumbling at first but my Help Desk tickets were greatly reduced after I implemented that policy back in 1999. There have been a few instances when applications seemed to require admin privileges to run but we have often found that tweaking the registry eliminated the need. Advice: Tell the application developer how you removed the admin requirement. They are usually grateful.

#3 Keep a log of their passwords? No way. Passwords can be used as electronic signatures in some applications. Users are paranoid enough in thinking that we can log in as them. I wouldn't want them to think we can approve or reject their electronic purchase requests. Users sometimes try to tell us their passwords "just in case they forget them". Why they think I will remember 500+ user passwords and they can't remember one is beyond me. To help us with password issues, we use an app (NetPro) that notifies us if a user is having difficulty with their password (alert on 3 unsuccessful login attempts) and we call them to ask if they need help. Usually, it's a numlock issue. The same app logs all password resets and changes for full accountability.

#5 I agree. Training is big. Unfortunately, the ones who make the most mistakes are the ones who think that they don't need any training. ugh

jmarkovic32

At the end of #1 you mentioned an every 30 day password reset and #3 you mentioned the absolute stupid idea of keeping a list of user passwords. My first issue with these is how do I find out the passwords for 100 users? By asking them all? Secondly, this means I have to update 100 passwords in #3 every 30 days. Finally, I can argue that requiring a user to change their password every month can be LESS secure because users will always try to make their lives a little easier by writing them down somewhere. These were two GLARINGLY DUMB mistakes in an otherwise excellent article.

timothy.coe.sr

I agree with keeping things simple. Users can be dumb if not outright stupid. Never assume that they know what "we" take for granted. With regard to passwords: if you tell them their password they will never learn any responsibility. These people are paid to do a job. Doing a job requires using tools. One of the tools is the password. Telling them the password only makes them lazy. Teach accountability!

dscott

#1. Every 30 days? 90 will suffice if your business requires it. Given the layered idea of IT defenses, you don't need to change them more often.

#3. Bad idea, especially for legal reasons. If the password is written down, someone else can get it. Case thrown out of court.

#5. Your best point. Training always takes a back seat to everything, even though it is very important. Train your users how to use the tools they have been provided.

jmoney64

When you deal with knowledge workers (in my day we called them Gold-Collar workers), allowing them to control their machine as local admin is completely defensible. By definition, they know what they are doing and understand the risks in most cases. By definition, Gold-Collar workers will try out and build many of their own tools. They need to be given absolute freedom on their own machines.

JPabroad

Wow!!!! This coming from a Linux user/promoter. He's either been away from the Windows OS too long or just simply inept. Or you could argue that it's a bit suspicious. Either way, this advice is to be spurned to say the least.

lmassey

WOW. I have been a member of TR for a long time and am shocked to see such advice on this forum. First of all, we do not have access to user passwords, nor do we want it. It is very quick and easy to reset a password, which we have to do from time to time. We have a voluntary IT audit each year, and if the auditors heard that we were keeping an Excel file with passwords in it, they would go crazy. It's so wrong for so many reasons I just can't believe it was advised here. I hope that any new IT admins who don't know better read all the comments so they won't actually do this. The security and liability risks are so huge ... I'm just floored. I agree with the poster who said he'll avoid blogs by this author, as his credibility just nosedived (and did so again when he came on and restated it was a good idea in some cases). It's never a good idea and it's never OK to do this, period!

mike.codding

This blog highlights my concerns over blogging: lack of editorial oversight. I find it amazing that a 'publication' like TR would actually publish such content. The best part of this blog is the additional resources links at the end. TR should pay responders for their comments. These additional posts are the real content of any such technical article.

Gerbilferrit

..in fact they should turn it up from the default security setting as this has been proven, er, bypassable for want of a better word. I'm an admin, always run as standard user and understand my users' experience from what I chuck at them a hell of a lot better than the IT guy who thinks his own policies shouldn't affect him.

Kevj

Simply install the app in a separate folder with change permission. That eliminates the need to give a user admin rights. I rarely give a user admin rights.

laurencemeveritt

Sorry Jack, but the next time I see a blog attributed to you, I'm going to ignore it. Safer than reading something as stupid as knowing other people's passwords - the guys here have pointed out, quite rightly, why this is bad practise. Also, this brings down for me, the reputation of Tech Republic. Can someone please edit these blogs?

paul.burden

Seriously? Wow! That is the stupidest thing I've read on 5 Things ever, ever. To recommend that an admin should have user passwords is just downright ridiculous.

1 - How would we get the passwords in the first place?
2 - Wouldn't having said passwords open us up to tampering accusations?
3 - In many industries, the financial industry being the one that comes to mind, having anyone's password that is not your own would be a HUGE security breach, a sackable and possibly illegal offence.
4 - It really is not a big deal to reset a password.

Jack, total fail.

damerval

This list is obviously put together by someone who has no experience either as a network admin or as a user.

First, #3 is obviously very "last decade". The only option available to current Windows network OS admins to resolve the "Er, what was my password again?" issue is to reset it. There is no "finding out what it is". In government correctional environments or healthcare situations, it's downright illegal. I'm not a Novell specialist, but I would expect it to be the same. Only a user knows their password. Ever. Period.

Second, #2 should be "Draw up a list of risks and threats and determine the best course of action based on the matrix between the two". My experience in "keeping a tight rein on permissions" is that it generates user frustration 100% of the time, due to the fact that network admins aren't all-knowing and that it is very difficult, except in cases where there are only one or two applications in use, to know all the permissions needed by the users. So "keeping a tight rein on permissions" becomes just another way of saying "make yourself necessary in an obnoxiously artificial way" by wielding the now thoroughly tired "it's for security" argument, which doesn't fool anyone anymore.

Before you go throwing off stupid "tips" that sound like they make sense but are really quite inane, I'd suggest doing a little homework. Or, more to the point, giving folks tips on how to do their homework. Keeping users productive safely is not an art. It's a skill, one that involves study and careful decision-making. There is no "one size fits all" policy for dealing with user mistakes. Every case is different, depending on the frequency and potential consequences of the mistakes. My recommendations would be:

0) Accept that user mistakes are a fact of life and that therein lies your job security, not in mindless policies and petty power trips.

1) Automate where possible (and document what you automated) - that was the only worthwhile tip on the original list.

2) Study the risks and the threats. Design a solution tailored to the results of your study.

3) Put your users first. They own the data and the network, not you. We're in the service industry, people. If they don't get their work done better and faster thanks to us, we might as well go fishing. If we actually slow them down, they might as well go fishing.

4) Sometimes the smartest way to prevent user mistakes is to automate fixing them. Provide an easy way for users to reset their own password, or delegate the ability to reset a password to a chosen team. If they can fix their mistake by clicking on a link and maybe providing some identifying info, you can go home and sleep well after a job well done. If they have to call someone - rethink your design. If they fail to use a flow as designed, redesign it. Put up a wizard. Set up an email notice. None of those things are hard.

5) Last, but most decidedly not least: Put up a simple, easy to use incident reporting system, and set it up so three competent people get an email the minute something is reported. Make sure the incident reporting system can be used by a 6-year old. Test it out by making your manager log one. Once you have that up and running and tested, LEAVE IT ALONE. Don't try to make it do anything else than facilitate and speed up communications between the users and your teams. There will be a few recalcitrants that want to use the phone. Let them. Encourage them gently to use the online system until everyone is on it. Then sit back, and mine the gold from that database of issues. Draw up your list accordingly. It's the best tip I can give.

m.masson

I'm concerned about you wanting users to change password every 30 days? That is just asking for users to write down their passwords.

MrEddie

After reading all these posts, my sense is that most IT pros are decent people who don't understand that we live in an indecent world. It is noble to say you don't want to have access to a user's "private" stuff but guess what? That stuff could include child porn or terrorist plans and a company has a right and a responsibility to monitor for these. Of course the main reason for passwords is hackers, who are like parasites on the body of liberty. For these there will be an ultimate solution: biometrics & GPS trackers. Once these become ubiquitous, passwords will no longer be necessary. To log into a system, it will scan your fingerprints or your face and then check a GPS locator that will tell the computer that you are where it thinks you are. Orwellian? Yes. Necessary? Sadly, also yes.

tbmay

...if you're the big network admin, you can masquerade as them anyway. The righteous indignation over that comment is based on a red herring. Having a list of passwords is a bad idea. But not for the reasons most are stating.

DWalker88001

I still don't see the reason that every company wants users to change passwords. If they are NEVER given out by the user to anyone else, and if they are not used on other sites, then a strong, never-changing password is just as safe as a strong, changing password. Think of the universe of strong passwords and a bad guy searching that universe to try to crack someone's password. If it takes 20 years to search the whole universe of passwords, then moving the target around doesn't provide any practical benefit.

laurencemeveritt

jmoney64, Sorry, but I am a Gold-Collar worker, by your definition and I am also an administrator of my own Company PC, but that is because I am an Administrator of my company and other companies' PCs. In my experience, when we give Administrator Permissions to non-Administrator-type Gold-Collar workers, they break them and then go, "Oh, sorry, I broke it. Can you please fix it again?" and then I (or someone like me) has to fix it (not simply just re-image the PC), which can be costly. It is always best practise to give the user the permissions that they need, but not carte blanche, as they will invariably generally break the machine. Also, they may even install software which puts the company into fiscal/legal liability in the form of licensing (and that might come back to the admin, too).

nicorac

Why does resetting a password take more time than reading it out from a file?

Reset
-----
1- User phones saying he forgot his password
2- Log on to server
3- Open MMC
4- Find user
5- Reset password, force change at next logon and tell him the new one.

Read from file
--------------
1- User phones saying he forgot his password
2- Log on to PC
3- Decrypt and open file
4- Find user
5- Read his password and tell him in clear on the wire.

It seems to me the lists take the same time.
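The reset path nicorac lists above, and the "alert on 3 unsuccessful login attempts" watch JJFitz describes earlier in the thread, fit in one short script. This is an added example, not code from the article or from any commenter: `Reset-ForgottenPassword` sets a random one-time password, unlocks the account and forces a change at next logon, so the admin never learns the password the user then chooses; `Get-RepeatedLogonFailures` counts Security event 4625 on the machine where the logons failed and returns the accounts that crossed the threshold. It assumes the RSAT ActiveDirectory module, delegated rights to reset passwords and unlock accounts, and read access to the Security log; the account and computer names are placeholders.

```powershell
# Added example, not from the article or the comments. Assumes the RSAT
# ActiveDirectory module, delegated rights to reset passwords and unlock
# accounts, and read access to the target's Security log. Names are placeholders.
Import-Module ActiveDirectory

# Reset a forgotten password to a random one-time value, unlock the account
# (forgotten passwords usually arrive together with a lockout) and force a
# change at next logon. The one-time value is read to the user; the password
# they pick afterwards is never known to the admin.
function Reset-ForgottenPassword {
    param([Parameter(Mandatory)] [string] $SamAccountName, [int] $Length = 16)

    # Character set without 0/O and 1/l/I so it can be read over the phone.
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $chars.Length)   # reject bytes above this to avoid modulo bias
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void] $sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $oneTime = $sb.ToString()

    $secure = ConvertTo-SecureString -String $oneTime -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Unlock-ADAccount -Identity $SamAccountName
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $oneTime
}

# Accounts with repeated failed logons (Security event 4625) on one machine, so
# the helpdesk can call before the user does. Run it against the workstation
# where the attempts happened; domain-wide Kerberos/NTLM failures are events
# 4771/4776 on the domain controllers instead (not shown here).
function Get-RepeatedLogonFailures {
    param([string] $ComputerName = $env:COMPUTERNAME, [int] $Threshold = 3, [int] $Minutes = 60)

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    # Get-WinEvent reports "no events found" as an error; treat that as an empty result.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $failures = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml] $e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $reason = switch ($data['SubStatus']) {   # NTSTATUS code carried by the event
            '0xc000006a' { 'wrong password' }
            '0xc0000234' { 'account locked out' }
            '0xc0000064' { 'unknown user name' }
            default      { $data['SubStatus'] }
        }
        [pscustomobject]@{
            Time   = $e.TimeCreated
            User   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Source = $data['IpAddress']
            Reason = $reason
        }
    }
    $failures | Group-Object User | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            User     = $_.Name
            Failures = $_.Count
            Last     = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
            Reasons  = ($_.Group.Reason | Sort-Object -Unique) -join ', '
        }
    }
}

# Usage (placeholders): find struggling users, then reset one of them.
# Get-RepeatedLogonFailures -ComputerName 'WS-ACCT-01' | Format-Table -AutoSize
# Reset-ForgottenPassword -SamAccountName 'jdoe'
```

Every call to `Reset-ForgottenPassword` also leaves an event 4724 (password reset attempt) in the domain controller's Security log under the admin's own account, which is the accountability trail several commenters above point out that a shared password list can never give you.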

tbmay

...you were a bit tough on the op. MANY articles on TR are written in a very simplistic, appeal to non-tech management, self-promotion sort of way. (Hey...we all have to self promote...some of us just don't do it here.) I've worked in large businesses with regulatory issues and the smallest businesses out there as an independent. The large business IT people have the advantage of having corporate policies to fall back on. Some of my small business clients have influential employees who started pushing back when I told them they should not tape passwords to monitors. You are correct. There is no one-size fits all and it is a living process in which experience is the best teacher. In my current situation, I have to pick my battles and use gentle persuasion. I have a few things I simply won't compromise on but by and large, when you work for yourself and support small businesses, you can't take a "my way or the highway" approach.

mike.codding

One additional consideration: Skill levels vary, even among admins. Much of my 'admin' activity is actually creating scripts and VBA macros to simplify and automate user tasks. Creating training documents provides consistency and thoroughness for each user, but don't expect all users to absorb 100% of the content.

cdean

and the users write down their own passwords, then we won't need to keep that encrypted spreadsheet as is suggested. Not very secure, but hey, I don't think security was in mind when some of these tips were written!

adekunlejob

I agree with #2 very much, but disagree with #3 for security reasons.

paul.burden

You've got this round the wrong way. The point isn't that admins don't want access to users private files, which we don't. Files can be viewed and monitored by the IT dept without having your password, even if it's stored in a folder named "Super Secret Private Personal Files" on the local disk of your laptop. The actual point is that we don't want to know the password so we can't be accused of impersonating the user.

Mark A. Lewis

It is true that eventually companies will use such technologies as biometrics and GPS tracking, but passwords will still be needed unless several biometrics technologies are used at the same time. Problems will arise because biometrics methods will not work with the user with no fingers, those with no eyes, or someone with a bandaged/changed face. It may sound morbid, but they are problems.

bott

Yes, as admin you can gain access to the user's account and masquerade as them to some degree. However, doing this will also leave behind additional digital fingerprints that will point back to you, such as you resetting their password to gain access, system logging mysteriously deactivated by admin moments before the user logging in... Having a list of passwords allows you to commit a more perfect crime that is less likely to be traced to anyone other than the user. Then of course there is the further issue of what happens when someone else gains access to the list? If you are updating this list every 30 days for every user it is highly likely that it will be sitting on your screen at some point for a casual passer-by to observe. Given the simple passwords a lot of users like to use it is entirely possible that they could memorise one or 2 at a glance. What happens then? And how are you going to prove it wasn't you? After all you are the keeper of the list. No, I don't believe the indignation over point 3 is a red herring. I think it is a dangerous idea to keep lists of user passwords and I think the rest of the admins here are right in asking that point 3 in the article be removed or amended for clarity (maybe the author meant something different to our interpretation).

wfs1946

... so many times in my time as an Admin, when I ask a user to login for me because of not knowing their password, I've been able to gain their password just by watching them type it in. If I can get their password that way, how many others can get it the same way? If the user isn't careful when typing their password and makes it visible to anyone standing around or walking by, it makes a lot of sense to force a change. We here force a change every 65 days; I'm for making it 20 - 30 days for a forced change. It makes more sense to me because I have found out that the shorter the time between passwords the less the users forget them, because they don't have to try to remember them for so long before the next change. I don't care for writing passwords down but, if a user needs to do that in order to remember their password then they should place it in a more secure location than on their monitor. I've had some place it on the underside of their desktop, or in their Day-Runner or in some other less accessible location.

JJFitz

users only log in to your network through secure computers but how do you ensure that? People often use unsecured WiFi or someone else's computer to access their company's network. There are plenty of WiFi hacks, malware and keyloggers out in the wild that could collect user passwords. An expiring password at least reduces the risk of unauthorized access. In addition, many companies are required to periodically change passwords per Federal regulations.

wfs1946

I would never keep a list of passwords, for one thing just getting every user to give you their password would take more time than all the password resets put together. Secondly, security is job one. This is why companies like Novell and others removed the ability for admins to even see user passwords to begin with. I will take a password reset any day over keeping a list.

jc@dshs

As a relative newbie in IT network management with just the 10 years of experience and being fairly isolated in a school where I am "THE" IT guy I was happily patting myself on the back having read the original post - and objected to part 3, as nearly everyone else has. However, your post has opened my eyes just a wee bit more and shown me the next level/step in the process of learning my job. "Asinine" may have been a bit strong but certainly grabbed my attention and made me read your excellent post. I now have one or two more planks to add to my structure. Again, many thanks.

damerval

It's true. It was one of those late-early moments around the midnight hour when you sense that your brain is going "If I have to think one more join through I'll just throw the monitor out the window" and I was too rough. I apologize sincerely. You did touch on a sensitive spot - the "don't sacrifice security for usability". Not that it's a bad idea on its face. But it needs to be taken with a healthy pinch of salt. In my line of business you get a lot of things done in the name of Lady Security without any real homework being done, and not only is it counter-productive in that your security measures are so cumbersome people seek ways to circumvent them just to get their work done, but they distract from the real threats and risks out there. One of those things like the word "appropriate" that are wielded by a lot of people as a smokescreen over a general lack of thinking things through. My approach is opposite. I would say "don't sacrifice usability for security". When you put security first in your thinking process, you force users to rethink how they do things. When you put users first, you are only forcing yourself to do the same. It's the path of least resistance. And the path of least user mistakes. Sorry again for my grouchiness. :)

tbmay

...the business in question IF....and that's big....you have the checks and balances in place that have multiple eyes on the system's administration, the righteous indignation makes more sense. I have worked in regulated environments where that's the case. However, I would submit that more businesses don't have that situation than do. Especially smaller ones. Even larger ones are very likely under some serious delusions about just how safe they are. Only the most clueless crooked admins wouldn't be aware of whether they could get away with that or not. And if your company is like piles of them I've been in, a list isn't needed. The users tape them to monitors and gripe when you tell them not to. The one thing your point has going for it is most crooks really are dumb as dirt. My brother, who is in law enforcement, tells me if 99% of the criminals weren't as stupid as a rock, they would never catch them. No. UNFORTUNATELY it is a red herring in most instances. I'm fighting to change that day-by-day though. Your second point is exactly why it's REALLY a bad idea.

santeewelding

The author, in my experience of his work, meant exactly what he said. Exactitude is one thing he has going for him (without which he would be mauled). The exactitude, however, is frequently from the hip, without apparent deep and reflective thought, and done for the moment. The moment, sooner or later, will catch up.

JJFitz

If you do not have any mobile workers at your company and nobody works from anywhere else but on their own company issued and secured computer then maybe a relaxed password policy would work for you. I would still argue that an expiring password policy is appropriate for the 1 billion mobile workers worldwide (http://www.ciozone.com/index.php/Mobile-and-Wireless/IDC-Mobile-Workers-Will-Pass-1-Billion-in-2010.html). (None of whom must work at your company.) As to your argument regarding the frequency of changing your password: important business decisions like data security should be based on a risk analysis. Ask yourself:

  • What do my mobile workers have access to?
  • How sensitive is that data?
  • How will mobile workers connect to the company data?
  • How likely are we to detect a security breach?
  • What are the State and Federal requirements regarding data security for my business? (Yeah, they are important if you plan to stay in business.)
  • What are the costs associated as we raise the bar on data access security?
  • What is the user experience as we raise the bar on data access security?
  • etc.

Based on the answers to these questions, one can come up with a reasonable password policy.

DWalker88001

Yes, expiring passwords would theoretically somewhat "reduce the risk" of a password that was compromised by a keylogger or a WiFi sniffer, but in that case, every 30 days is WAY too long. If you capture a password, and you're a bad guy, won't you use the password immediately? We need to force password changes every 20 seconds, then, not every 30 days. I never sign on to MY work system through WiFi or through anyone else's computer, and I am reasonably certain there is no keylogger. (I have completely rebuilt my computer a couple of times in the last couple of years.) And no one at my company logs on to their own account through anyone else's computer; they are probably not aware that this is possible. Everyone has their own computer. And, just because Federal regulations require something doesn't mean that there's a good reason for it -- things get embedded into regulations that still have no rational reason for happening.

tbmay

I mostly agree. However, sometimes users really need to rethink what they're doing. Take my example. It was not hypothetical. I have several names of people on the top of my head that are responsible for sensitive data and have desks in high-traffic areas that tape their passwords to their monitors. In one particular place, I simply said that was a risky practice and the lady immediately started telling me how she just can't remember passwords. In other words, she had no intention of changing. Yes, I've broached the subject with her boss, not being critical, just explaining that it would be a good idea for employees not to do that, and they would rather not deal with it. I've even described exactly how this could turn into something very bad on their exact network, given their exact way of doing business. They listen but you can tell by their expressions they just really don't want to deal with it. IT and users are both often responsible for failed relationships. Obviously, as a guy who's been in the business for years, I'm inclined to see IT's point of view first but I've learned to look at it other ways. In my consultancy, I make sure my security concerns are real, unless regulatory issues make us have to address some "remote chance" type issues. Unfortunately, I get some push-back by some folks no matter how real it is.
