P8ssw0rd m@dn355

Can't things be linked up a bit better?

When I was a child my mother used to tell me that if my head hadn’t been attached to my body, I would have forgotten it most of the time.  As I’ve grown older my memory has not improved one jot; I still regularly forget things to add to the shopping list, dates and events, as well as forgetting to take the rubbish out.

Our ICT department do not appear to be sympathetic to my plight however.  Recently a brand new layer or two of ‘security’ has been forced upon us.  There was nothing demanding that this happen, but some ICT people decided that it could be done, therefore it should be, and to hell with the consequences and impact it has on the rest of the staff.

Let me take you through a typical log-in routine.  After switching on a PC I have to input my username and password.  This password is forced to change every 30 days, and follows these rules:

  • Can’t be a password that’s been one of your last 24 versions
  • Must contain upper case
  • Must contain lower case
  • Must contain a special character (i.e. neither a letter nor a number)
  • Must contain a number

I then get taken to my profile, and have to log in to each of the shared drives I want access to.  Each of these has a different username and password.  Should I need to update our website (part of my normal role) I’ll need another username and password for each one.  I also have to log on to my phone line, requiring yet another password.

If I am using a laptop I need to first enter a different password to get it to boot up, then input my username and password again.  If I’ve not used that particular password before I need to call IT and, via a call-and-response system, enter a 64-digit code before getting access.  Of course I then need to log into shared drives and websites as above.

Before I can talk to ICT to get this done however I also have to give them a verification code to prove that I am who I say I am.  Even if I’m calling from an internal line and they will be able to see the screen and account I am logged in under, I still need to give this code before they will speak with me.

I’ve also got a separate code to access my BlackBerry, and have separate codes for each of the different systems I use, such as access to our various databases.  And these are just the ones that I can remember off the top of my head.

Don’t get me wrong here; I appreciate the need for security around certain information and the need to be sure that the bad guys can’t get in, but if this continues to travel along this path it won’t be long before the good guys can’t get in either.  Whenever I happen to forget which of the myriad passwords is required I end up sounding like a criminal who is chancing their arm in the hope of getting past lax systems.

It’s not just the passwords that are causing trouble either.  Each time a major security layer is added it seems to wipe out all of the special settings on all laptops.  This has resulted in a large chunk of software suddenly ceasing to function and requiring ICT to dedicate time to fixing all of them as the problems are found.  As the encryption software prevents people from logging on remotely they can’t even do this easily, meaning that the laptop has to be physically taken over to them before it can be looked at.

IT is complicated stuff.  It doesn’t all come from the same place, and often the bridges to link it all together are ropey at best.  But I refuse to believe that there is not a simpler, smarter way of us keeping our data safe.  I’ve seen people simply printing off lists of their passwords as they can’t remember them all, and most of our laptops have the passwords brazenly stuck onto them.

I want to be able to log on to my computer using one username and one password, and then have everything else read this automatically.  I want to not be required to release my entire personal data before I can ask someone to change my mouse speed from warp 9 down to something the human eye can track.  And I want whatever security policy is put into place to actually be in place for longer than one of Jordan’s marriages.

Is this so hard?


Explore posts in the same categories: We love the Council


10 Comments on “P8ssw0rd m@dn355”

  1. Andy Bold Says:

    Oh. Wow. Seriously Wow. And ouch.

    IT really does not have to be that hard. It sounds like what has happened is something like this:

    * Poorly documented access to restricted material results in that material being viewed by somebody who should not have seen it.

    * IT Manager gets a toasting.

    * Somebody with half an understanding of information security decides that “separate passwords” for everything is a good thing. They wilfully ignore the inconvenience caused to the end user because somebody’s ass got covered. They also ignore the fact that “too many passwords” is a very short path to “It’s written on the post-it note under my keyboard.”

    * Some external auditor, with no understanding of how this /could/ be handled better, signs off on it being a jolly good idea.

    * The “process” becomes institutionalised, and nobody now takes accountability for it. “Sorry, the auditors said it had to be this way” and “But your IT people created this process because you asked for it.”

    For bonus points, I’m guessing that your IT is also outsourced, hence the onerous ID process.

    What could have happened?

    * Single sign-on to all resources.

    * Improved logging of access.

    * Better process to authorise access to shared resources.

    * Regular reviews of those access control lists to ensure that everybody who was granted access still needs that access. (The more critical the data, the more regular the review.)

    If you do manage to find somebody internally who wants to get this fixed then I’d be more than happy to help.

  2. Roger White Says:

    The good news? Your ICT department will be getting a 5-star rating in their security audits! That’s it.

  3. benlowndes Says:

    It’s when you start calling your kids things like ‘P8ssw0rd m@dn355’ to help you remember your passwords that you really need to start worrying.

  4. John Says:

    Re Single Sign On, we used to have that until the cuts happened. The IT budget was reduced, SSO was one of the licences not renewed. I doubt there is any way of proving it, but I expect our IT spends more in staff time in a month sorting out people who have forgotten the password to a system they only use once or twice a month than the cost of the yearly licence.

  5. Roger White Says:

    Bit late in the day but I thought I’d plug my 101 uses…of a Post-it note at http://bit.ly/hHsS9J. No. 2’s the one you want, on the best way to store your IT password. Any other ideas for printable uses of Post-it notes v. welcome.

  6. […] staff and swipe our cards through three entrances, and of course that’s before we even get on to IT security and the all joy that particular activity […]

  7. […] March we had a look at the increasing complexity of the password setting regime in local authorities and pondered whether a battle between civil servants and local government […]

  8. […] systems which are incompatible with each other, each requiring a different and constantly changing password, and each deemed by at least one different senior officer to be ‘essential’ and not able […]

  9. […] things somewhat more mundane such as our propensity for demanding constantly changing and complex passwords for our multiple systems.  We’ve attacked intranets and proposed i-pads for councillors, and […]
