
Monday, December 29, 2008

Computer Passwords

I'm not in IT. I was an English major who went to a computer vo-tech school in order to change careers and leveraged that into what amounts to basically liaison positions between sales/marketing and IT.

I've worked in SFA (Sales Force Automation--providing computerized solutions to field sales forces) since 1999. So for this commentary, I've worked with remote users and have, obviously, used an office-based computer for the same amount of time.

Currently, our field users log into our corporate portal, but they are not a part of our domain through MS Active Directory. Meaning, they aren't recognized on our network; they log on using a product called OnDemand from Aventail. For those non-techies, don't worry about all this. My point will come soon enough. As such, we set our remote users up with their log-on password when we first give them their computer, and then we never ask them to change it again.

[There are a number of reasons why we at the home office want to control the passwords and know it at any given time--anyone involved in SFA support will know why.]

At the home office, IT requires me to change my password every 90 days. This appears to be a standard IT password security process. However, anyone who works on-site Help Desk support knows exactly what happens when you ask the end user to change passwords so many times: they write the new password down and stick it under their keyboard. And of course, anyone wanting to inappropriately access another's computer knows where to look for the password. (At least our IT dept allows us to choose our own password with few restrictions, but I have accessed other company websites where our password had to include one digit and one symbol. Who the hell is going to remember that as they change it every 60 days? Of course I'm going to write it down and leave it in an easily accessible area.)

2009, it appears, will require us to have the remote field users become part of the domain. This has benefits (we won't go into them); however, we are trying to negotiate with IT to not force the field into the 90-day password change. Aside from the headaches it causes our support efforts, you know exactly what the field (primarily sales people) will do: write down the new password on a sticky note and leave it in the computer case (as these are mobile computers, small laptops, PDAs, etc.) for easy access to anyone wishing to access the network.

So, my point here is that the standard industry practice of changing passwords every X days for security purposes is unrealistic and, in fact, less secure. It's a standard practice that is followed simply because it has become a standard practice. It's a check box on the list of things "to follow."

Think about all the passwords you have to have on the Internet, and then having to change one at work every X days and remember that as well?

Not going to happen.
