Where is the first place a burglar checks for a key when he's about to enter someone's home? That's right - under the mat or stone by the front door.
Where's the first place a cyber criminal looks for username and password when he wants to get access to a computer? That's right - on a Post-it Note or label on the computer keyboard or monitor. (If the movies are true, second place is probably in a slide-out return or drawer.)
But what if multiple people share a workstation? Easy. Check for the neatly typed spreadsheet that lists everyone's login credentials; choose someone you want to impersonate, and log in. Presto!
Why bother with passwords at all?
This is a real picture, and sadly I see this kind of behavior all too often. I even wrote about this problem and proposed a solution four years ago in a post entitled "Lower your standards; lower your stress".
Seriously folks, most network admins I know work very hard to secure the information assets of their organization. Yet, their efforts to protect these assets are undermined when people do stuff like this.
Network and computer security requires more than a digital audit. Training and on-site inspections are mandatory to prevent stuff like this from happening. Obviously, in this organization, it isn't happening.
As for this photo, in the interest of security, I won't name the company where I took this picture. I will, however, send them a link to this blog post.
Discussion/Comments (5):
I think there is a correlation between lax end-user security practices and unregulated companies. Most of my clients fall under regulatory compliance and thus, remind end-users that writing down, posting, or keeping paper back-ups of passwords is dealt with severely up to full dismissal.
Whereas my other clients engage in practices that you illustrated beautifully here; albeit the existence is quite disheartening.
Much of it I find is that they feel that they are small or not under the microscope and trust their employees, so they don't have to worry...then something happens and they are forever changed. Next step, adopting good security practices to avoid what just happened.
Posted at 03/09/2010 15:34:55 by Bill Malchisky
I'm sure that's true, Bill - regulated companies have the additional burden of legal enforcement/liability for how they treat company information. I guess I'm still surprised (although perhaps I shouldn't be) when people take such a lax approach to protecting information. In the example above, that computer is on a cart in a public space where employees and customers alike have access. Amazing.
Posted at 03/09/2010 17:59:38 by Eric Mack
A simple policy that requires changes to passwords on install and then every 90 days or whatever you like will also solve this.
But better than this are clients where everyone has the same password and then are never forced to change the default.
Posted at 03/09/2010 20:30:17 by Keith Brooks
I wonder how many people do this because of the restrictions/requirements of passwords. Passwords must be between x and y characters long, with numbers and at least one capital letter. And it changes every 90 days. Who can remember that? Work is one of many passwords I need to know.
I think that it would be better to have less restrictions on the password itself than to have to use a sticky note, which I myself have done many times.
Posted at 03/22/2010 11:30:34 by Greg