One for [livejournal.com profile] minnehaha B.

Oct. 1st, 2004 07:18 am
[personal profile] rivka
The clinic where I work two days a week refuses to give me login privileges to their network. Their rationale: I'm a contractor. Only employees may access the network, for security reasons. Okay.

We're not talking electronic patient charts. But I need to be able to check my e-mail from the clinic, and use the shared clinic computers to write up reports. Big signs over each computer require employees to log off when they're done. So without a login, I can't even access MS Word.

"You'll have to get someone to log in for you each time," the clinic director told me. Okay. So that's what I do.

The other day, one of the clinic employees came by as I was typing away and asked me, "Are you still using the computer as me?"

"No," I said. "I have to get someone to log me in each time."

"Well, I don't mind if you want to be me."

"I can't just log in as you," I explained. "I would need to know your password."

So she told it to me.

"Your password is the same as your login?" I asked.

"Yeah." She seemed surprised that I was surprised. "I think just about everybody's is."

So far I've confirmed that for the two other employees I've checked. This is the system, remember, where allowing official access to a contractor of three years' duration would be an unacceptable security breach. I believe that this is what's known as straining at a security gnat and swallowing a security camel.

Date: 2004-10-01 04:42 am (UTC)
From: [identity profile] roadnotes.livejournal.com
That's impressive. (We had the same password for everyone and every computer in the office for about four years; only people who checked their email from home had passwords to the mail system; and only finance and HR had passwords for (some of) their files. I argued about this for years. Now we have a system where not only does everyone have a password, but no one has access to anyone else's default directory. And most of administration haven't mastered the concept of saving finished documents to the general directory. We do a lot of retyping in emergencies.)

Date: 2004-10-01 04:44 am (UTC)
From: [identity profile] riarambles.livejournal.com
I was pleasantly surprised when given login privileges at the hospital I now occasionally work at. They require the password to have uppercase letters AND lowercase letters AND numbers AND be changed every three months. It refused my password suggestions at first because I only had lowercase letters in them.

That clinic you describe... scary.

Date: 2004-10-01 04:56 am (UTC)
From: [identity profile] supergee.livejournal.com
There are two kinds of password: the ones that make sense, so they can be stolen, and the ones that don't make sense, so you have to write them down and they can be stolen.

Date: 2004-10-01 05:44 am (UTC)
From: [identity profile] rmjwell.livejournal.com
Wow.

Just wow.

Even Some Big Company, not known for its speed in adapting to new technologies, has a better grasp on password security than this.

Well, for some of the logins.

Date: 2004-10-01 06:06 am (UTC)
From: [identity profile] papersky.livejournal.com
There's the third option of ones that make sense to you but not to anyone else.

Say you had a pet iguana called Bosie, and it was the second iguana you'd had. You could have a password that was BosieGee2, (Gee, in this example being part of your surname) you have upper and lower case, and numerals, and you're not going to forget it either. It's also rather unlikely that people would hit on it in three tries. And if Bosie's real name is Boscastle IV, you probably call him lots of other pet names too, so you have years of options -- and if you run out, you can always get another iguana.

Date: 2004-10-01 06:20 am (UTC)
From: [identity profile] therealjae.livejournal.com
*blink*

Okay, that's *really* scary. Are you going to point this out to someone, or just take advantage of it?

-J

Date: 2004-10-01 07:01 am (UTC)
From: [identity profile] wcg.livejournal.com
I think I've told you the story of the door with an electronic code lock on it that a General Officer had reprogrammed so that the access code was 1-2-3-4-5, haven't I? He kept forgetting the code and having to call the security officer to let him in the building. I have it on pretty reliable authority that his network password was his user name too.

Date: 2004-10-01 07:03 am (UTC)
From: [identity profile] supergee.livejournal.com
I've managed to do one of those too.

Date: 2004-10-01 07:07 am (UTC)
From: [personal profile] jenett
Quite scary, yep.

My work (which does not involve anything particularly confidential: ok, technically, access to circulation records, but that's about it, and only when stuff's actually checked out to someone.)

Anyway, we have an automated thing that makes us change our passwords every 2 months or so, and where we can't reuse passwords until we've gone through 6 others (I think.) This produces grumpiness, but better security.

At work, I usually pick a theme and stick with it for the year - I was doing Tolkien-based stuff for a year (Entish, minastirith), or I've done ballad titles (twacorbies, for example), or types of musical forms. Makes it easier for me to remember what my password is, without being something terribly easy for people to guess.

For more secure stuff (root network stuff at home, etc.) I do the 'first letter of each word in a phrase, with some numeric substitutions' sorts of variants.

Date: 2004-10-01 07:16 am (UTC)
From: [identity profile] trinker.livejournal.com
I believe that this is what's known as straining at a security gnat and swallowing a security camel.

Dingdingding!

Date: 2004-10-01 07:35 am (UTC)
From: [personal profile] geminigirl
That's clever.

I went to chemistry formulas for a while, which are a good string of letters and numbers, and can even have non-numeric characters if required.

I worked for one place where our passwords were supposed to be the name of the organization. Everyone had the same password - I could have been anyone.

Date: 2004-10-01 08:33 am (UTC)
From: [identity profile] sashajwolf.livejournal.com
They require the password to have uppercase letters AND lowercase letters AND numbers AND be changed every three months. It refused my password suggestions at first because I only had lowercase letters in them.

That's how it works in our firm, too.

Date: 2004-10-01 09:37 am (UTC)
From: [identity profile] kightp.livejournal.com
I'm fond of making up my own acronyms, with some l33t-style number-for-letter substitutions, to create passwords.

One of my old favorites (no longer in use on any account) was

PaAp1tA

for "Passwords Are A Pain In the Ass."

Date: 2004-10-01 09:59 am (UTC)
From: [identity profile] flyfreeizzie.livejournal.com
I believe that this is what's known as straining at a security gnat and swallowing a security camel.

wow... it's amusing... yet, Not!

Date: 2004-10-01 10:08 am (UTC)
From: [identity profile] writingortyping.livejournal.com
I'm fond of the substitute-a-number-for-a-letter trick, especially for those that have to change every X days.

Frex: I once had a cat named Benjamin. 1st iteration of password was B3njamin, second was Benj4min, third was Benjam1n. Whatever numbers look most like the letters they stand in for - makes it easier to remember that way (for me, at least - YMMV).

Date: 2004-10-01 10:18 am (UTC)
From: [identity profile] minnehaha.livejournal.com
Writing down passwords is fine. Write them down on a small piece of paper. You already know how to secure small pieces of paper. Put that small piece of paper in your wallet with all of your other valuable small pieces of paper.

The era of rememberable and secure passwords is over. Write them down.

B

Date: 2004-10-01 10:57 am (UTC)
From: [identity profile] klwalton.livejournal.com
It's something like tripping over the dollar bills to pick up the pennies. But not. Or something. But, gah.

I'm still trying to twist my brain around, "We won't give you a login, but you're welcome to have someone else log you in and then you'll have all the access you would have had had we given you a login but we won't give you a login 'cause you're not an employee so you'll just have to be logged in but not as *you*."

Er?

Date: 2004-10-01 12:47 pm (UTC)
From: [identity profile] mishalak.livejournal.com
Ah the old dilemma. Like how they were after me to secure our terminals and rather than making more work for myself I didn't point out that all the same information was available over on the depcon system to print out all the statements.

demons of stupidity

Date: 2004-10-01 03:09 pm (UTC)
From: [identity profile] jinian.livejournal.com
I obviously can't wish a real security disaster upon the clinic, but could some benevolent deity strike them with a bolt of enlightenment, please?

Date: 2004-10-01 03:31 pm (UTC)
From: [identity profile] minnehaha.livejournal.com
Where did you say you worked, again?

K.

Date: 2004-10-01 05:41 pm (UTC)
From: [identity profile] lerryn.livejournal.com
Sounds like one I used to use: 3 passwords in a row were rejected by a security program, so I typed in P@$$w0rd. This was accepted :)

Date: 2004-10-02 01:31 pm (UTC)
From: [identity profile] the-siobhan.livejournal.com
At the blood bank we have no fewer than three separate computer passwords - for the network, for the blood inventory software, and for the hemophiliac products inventory software.

Each password has to be a combination of capitals, numbers and lower case letters. You can't use the same password for all three because each one has different requirements for number of digits and capitals, and each one has to be a different length. The computer will refuse any password that looks too much like a real word.

And all three change every three months.

But they don't want you to write them down. *rolls eyes*
