5 ways your employees sidestep data security policies

A good employee finds ways to overcome roadblocks and get the job done. But in the case of enterprise data security policy, good employees may be your biggest threat. In fact, a recent Dell survey found that nearly seventy percent of IT professionals believe employee workarounds are the greatest risk to their organizations’ security.

We’ve all been there: juggling numerous log-in credentials, following tedious document transfer policies, struggling with subpar app functionality—all the while knowing there’s a better way. Data security policies have a knack for getting in the way of getting the job done. Dell also found that ninety-one percent of workers feel their work productivity is negatively impacted by IT’s network security tools. So what are some of the most common workarounds used by imaginative, driven but often password-fatigued employees?

Easy-to-remember passwords. The average person today has twenty-five personal and professional digital access points. Changing those twenty-five passwords every ninety days, as recommended, results in creating and recalling 125 passwords each year. It’s no wonder that people use easy-to-remember passwords, and unfortunate that simple passwords negate much of the security benefit of password-based authentication. One 2015 study found that seventy-three percent of online accounts are guarded by duplicated passwords—that is, the same key unlocks many different doors. Another study found that even those who try to be clever by using unique passwords are unlikely to beat the hackers: 1 in 2 passwords follow one of thirteen predictable (read: hackable) patterns. And finally, to skirt the password-reset problem altogether, some savvy users simply call their help desk and claim a forgotten password. The IT-driven reset often bypasses the regular password reset requirements, meaning employees can recycle the same password indefinitely. Thanks to this workaround, TeleSign found that 1 in 2 people are using passwords that are at least five years old.

Tricking the session time-out. Most systems and applications have automatic session time-out features, based on a defined idle period. But many organizations take this data security feature a step further, using proximity detectors that time out a user’s session as soon as they step out of range. However, many users “beat” this security feature by placing a piece of tape on the detector, or by placing a cup over the detector. When they do step away from their desks, their devices remain completely unsecured and vulnerable.

Transferring documents outside the secure network. The mobile workforce demands anytime-anywhere access to their documents and data. Most organizations have strict protocols on accessing data through secure network connections, such as a virtual private network (VPN). But many mobile workers aim to streamline their productivity by circumventing these protocols: emailing sensitive documents to themselves, storing files in a personal Dropbox account or other public cloud, and even taking photos/screenshots with a smartphone and texting these images.

Intentionally disabling security features. One of the most popular workarounds is also the most straightforward. Where possible, users will simply turn off data security features that hinder their productivity. This is especially true for BYOD workplaces, where employees have greater control over the features, functionalities and settings of their endpoint devices.

The Post-It Note Pandemic. The most common workaround is also very simple. A survey by Meldium found that most people record their passwords somewhere—whether in a spreadsheet containing all their log-in credentials, on their smartphones, or on a piece of paper, such as a trusty Post-It Note™—likely affixed to the very device it is intended to secure.

So, what’s an IT administrator to do with all these well-intentioned, hard-working security risk-takers? Most experts agree that communication is key. IT security policies should avoid edicts without explanation, which leave the end user with productivity loss and no apparent upside. Instead, many organizations are implementing more rigorous security awareness training for all employees, showing them specifically how security protocols protect against data leakage, data breaches and other threats, highlighting how workarounds put data (and their jobs) at risk, and keeping data security top-of-mind with regular communications and meetings with staff.

Download the executive brief, Protecting Data in the Age of Employee Churn, to learn more about how endpoint backup can mitigate the risks associated with insider threat.

40 responses to “5 ways your employees sidestep data security policies”

  1. The article left out a few things I need to address. First off, toward the end you referenced that some of these IT security policies have no apparent upside. Well, there is a gigantic upside of getting to keep your job and not get fired. Secondly, you kept referring to productivity loss. Unless you are in HR or marketing, you as an employee have zero need for any social media of any kind. Social media only serves to distract you from the job that you are being paid to do, which most likely has absolutely nothing to do with communicating with family and friends on Facebook and Twitter and other sites like that. And unless also you are in either marketing or HR or in the video or audio industry of some sort (radio), you also have zero need for sites with audio and video streaming like YouTube or Netflix or Hulu or Pandora or iHeartRadio; you have 0 need for any of that. If there’s a productivity loss, it’s in your employees getting distracted by anything that takes their attention away from the task at hand and/or the job that they were hired to do. Socialize on your own time.

    1. The often used IT policy requirement to change passwords frequently is idiotic. How does someone remember a merry-go-round of dozens of passwords that are constantly changing? Out come the post-it notes! Most IT policies create more issues than they solve. The most blatant hole in such a policy is the inability to reuse prior passwords, which means your friendly IT department keeps records of your pw history. Not too smart guys.

      1. They don’t store your passwords, they store your password hashes, which is a large difference. They need to store your existing password hash anyway. I agree that passwords are a pain, but there are better methods of balancing this.
        1. Implementing SSO well; this means yes, you need to change your password every X days, but it now applies to everything.
        2. No longer using passwords. HOORAY two-factor authentication!
        3. For admins who generally need to work with hundreds of passwords, use some sort of privileged access software that generates temporary passwords.
        4. Requiring ridiculous password policies (i.e. 14+ characters, symbols, letters, numbers) was meant to deal with brute forcing when an attacker is able to steal the password hashes. It was reasonable advice 15 years ago, but now in the days of video cards to break passwords and rainbow tables it is no longer useful, as an attacker can iterate all known passwords in under a day anyway. Relaxing requirements or encouraging users to use a passphrase (HorseBatteryStaple) and ensuring all remote services implement a lockout policy after X number of tries are far more valuable than crazy password policies.
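The two points made above (a server keeps salted password hashes rather than passwords, and a lockout after a fixed number of failed tries beats complexity rules), together with the article's observation that a help-desk reset often bypasses the reuse check, can be shown in one small store. The following is an added example, not code from the article, Code42 or any commenter; it uses PBKDF2-HMAC-SHA256 as the hash and the history depth, lockout threshold and iteration count are assumed policy values.

```python
"""Password store with salted hashes, reuse history and lockout.

Added example (not from the article or its commenters). Assumptions:
- PBKDF2-HMAC-SHA256 stands in for whatever hash a real directory uses.
- HISTORY_DEPTH, LOCKOUT_THRESHOLD and PBKDF2_ROUNDS are made-up policy values.
"""
import hashlib
import hmac
import os

HISTORY_DEPTH = 5          # assumed: remember the 5 previous hashes per user
LOCKOUT_THRESHOLD = 5      # assumed: lock after 5 consecutive failures
PBKDF2_ROUNDS = 100_000    # assumed work factor


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length digest; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """Per-user (salt, digest) pairs plus history and failure counters."""

    def __init__(self):
        self._users = {}

    def _user(self, username):
        return self._users.setdefault(
            username, {"current": None, "history": [], "failures": 0, "locked": False})

    @staticmethod
    def _matches_any(password, entries):
        # Each history entry keeps its own salt, so reuse can be detected
        # without ever holding the old passwords themselves.
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in entries)

    def set_password(self, username, new_password):
        user = self._user(username)
        previous = ([user["current"]] if user["current"] else []) + user["history"]
        if self._matches_any(new_password, previous):
            raise ValueError("password was used recently")
        if user["current"]:
            user["history"] = ([user["current"]] + user["history"])[:HISTORY_DEPTH]
        salt = os.urandom(16)
        user["current"] = (salt, _hash(new_password, salt))
        return True

    def helpdesk_reset(self, username, new_password):
        # The reset path runs the same history check, so an IT-driven reset
        # cannot be used to recycle an old password; it does clear a lockout.
        ok = self.set_password(username, new_password)
        user = self._user(username)
        user["failures"] = 0
        user["locked"] = False
        return ok

    def verify(self, username, password):
        user = self._users.get(username)
        if user is None or user["locked"] or user["current"] is None:
            return False
        salt, digest = user["current"]
        if hmac.compare_digest(_hash(password, salt), digest):
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= LOCKOUT_THRESHOLD:
            user["locked"] = True   # online guessing stops here
        return False

    def is_locked(self, username):
        return self._user(username)["locked"]
```

The lockout counter only limits online guessing; it does nothing against an attacker who already holds the hash table, which is why the work factor and salt matter independently of the threshold.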

      2. In the early 1990s, I was a Unix system administrator, and there were about sixty machines, each with a different superuser password. There was simply no way I would have been able to memorize them all. So, on the system I used most often, I had a list, encrypted, and buried in a system directory under a misleading name.

        At another company some years later, we had a distributed password file — see yppasswd for how it was done. One Friday, I had set up a large server, but the application software would not be available until the next week. So I downloaded a password cracking program from the internet and ran it against the password file over the weekend. Of the approximately 650 passwords, the password cracker got over 400. Much of that Monday morning was spent in a meeting on password security.

      3. I have been in IT for..ever.. Anyways, I agree with the 90 day policy being “a bad thing”. More than 15 years ago I argued that policy should not be put in place. I told them if they did, “passwords will be documented within 12″ of the keyboard”. This many years later it is sadly still true. As to the password history, well those are encrypted, and IT cannot view them… But I agree that sucks too. What I have started to do is create passwords that I can remember, like “Sun41Shine!” and add whatever the platform/website is in it so I can remember it and it is unique. So for Facebook, “Sun41Shine!FB” It is still a challenge and I have not found anything helpful that would prevent the sticky note yet, still looking.

    2. Ways I have used social media to do my job:
      1. Reach out to colleagues for a particular problem I have. I have met a lot of people in my line of work over the years and generally if you ask them a quick question they are happy to respond knowing you will one day do the same.
      2. Youtube… are you kidding me? Do you know how many tutorials are out there that are very useful? Again.. I have used those to learn how to do something that I then apply to my job.
      3. Radio – While I don’t listen to radio at work. There are people that work better with background music. Everyone is different, and that needs to be acknowledged. We are not robots that all function the same.
      4. Looking for people to hire.

      Point is, IT is not there to tell users what to do, it is there to meet the needs of the user and security’s role is to figure out how to meet the needs of the user in a secure fashion. This type of we’re IT, we know better actively hurts organizations and the security of organizations as users begin to start rogue IT operations to get around the IT organization who thinks their only job is to control users. Security is a balance.

      1. I can’t tell you how often we hear the phrase, “Security is a balance,” around these parts. I’ve also heard IT leaders say things like, “You can lead a horse to water, but you can’t make him drink.” As if to say, IT and InfoSec have all the answers and end users are too dim to partake. There are definitely different camps in your industry, some say NO, some say YES, and some say let’s do this thing together.

      2. IT generally absolutely needs to be an enabler rather than police. But IT security is different.

        The role of IT security in an organisation is the same as the health and safety or any other legal compliance role. IT security is tasked with “make sure the organisation isn’t put at risk by doing anything stupid/illegal”, and in that role, they absolutely have to be empowered to enforce certain things – where it is necessary.

        It would not be acceptable for an employee to say “but I need to light this fire in my office because it’s too cold” for obvious reasons – some of the stupid behaviour that IT security needs to prevent is just as bad. Just because someone can go online to find instructions for how to start a fire by rubbing two pencils together and thus get around the rule saying you can’t do it does not make it right. If an employee breaks such rules putting the organisation or other individuals at risk, the organisation’s disciplinary procedures will be used.

        Organisations and individuals that don’t get that need to be the primary focus of IT security as that culture and awareness issue, and the recognition that compliance is a serious disciplinary issue needs to be addressed before any other security policies have any chance of working.

        1. (Note – this isn’t a defence of the suggestion to ban social media or video or sound – those are nothing to do with security except in very rare cases where they may be. My comments relate only to the comment “IT security is a balance” – it is, but sometimes that balance needs to be absolute compliance with policies because they are there for good reason. It is right for organisations to challenge those reasons to keep constraints to a minimum, but individuals need to follow them. If they have problems, they need to escalate it for policies to be reviewed and not ignore them/work around them)

    3. What a load of tosh Mike from IT.

      Many people need access to video and audio clips for example teachers trying to show students learning resources or experiments online. An administrator trying to work out how to do something new in Excel etc.
      I can tell you work for IT as that is a rather absolute statement, it hinders productivity and learning.

      Perhaps IT departments could assist by using one of the password managers that help ease the need to remember 100s of logins?

      Whilst I agree most people don’t need access to social media, I usually find IT staff are one of the worst culprits for this. Instead teach people like adults and most will respond accordingly. I have never logged into social media at work on a work device yet I am free to do so if I wanted.

    4. Glad you’re not my boss. If you’re not getting your job done it’s a time management issue on the employee’s part. If your employees are getting “distracted”, then the work is not engaging and mundane, and that falls to management to manage the workforce effectively. It’s not Facebook’s fault, so why would it need to be blocked? Most people are responsible adults and carry out their jobs effectively (which is why they get to keep them). You going to get rid of vending machines and what not too, because “you have 0 need for any of that”?

    5. You sound like my company’s IT dictator Mordak who stole my speakers but wouldn’t own up to it. All work and no play pizzes off the employees.

      1. I have a set of headphones and a plug-in Blu-ray player that I use at lunch to watch episodes of TV shows I have purchased on DVD/Blu-ray. This solves several issues: 1) headphones – doesn’t bother anyone else, 2) Blu-ray player – doesn’t use network resources, 3) times my lunch break – when the episode is done so is lunch. All of my personal devices have labels on them stating that they are my personal property. Should any of them “go missing”, I have the purchase date, price, and identification available to file a stolen property report with the police. The IT people know all of this. They don’t bother me, I don’t bother them.

    6. To Mike from IT:

      Wow! Spoken like a true “IT Nazi”. No video or audio? Seriously? You’ve just proven how little you know about the corporate IT security issue. Security is NOT why IT departments take away streaming audio and video. It’s all about the bandwidth, folks! The sad thing is, there is that small minority that will spend their time watching online TV and streaming music and YouTube. But the majority of ADULTS simply need it to do their job. Ever heard of online training, you meathead? Especially in the corporate world, I can’t remember the last time I actually had to attend a “real live and in person” training class. It’s all online data streaming now (via video streaming). And Lord knows we have to be “trained” in everything from “Corporate IT Security” to “Sexual Harassment training”. When we now live in this culture that supports an avowed Socialist for president (at a rate of about 45%) we now are reaping the benefits of a “secret” socialist that has been our president for over 7 years now. Sorry, I can take care of myself. I don’t need my government or company to treat me like I am a child. GROW UP!

    7. You are completely wrong about social media and YouTube. I am an engineer and our company implemented these restrictions. A significant portion of industrial equipment manufacturers post technical videos about their equipment on YouTube. As far as social media goes my company hosts Chatter for employees and LinkedIn is a useful means of staying in touch with associates in a rapidly changing world. Limited maybe but 0 no.

    8. You are working in too many absolutes there. I’ve never worked in HR or Marketing but most roles have required me to access YouTube, social media sites and the need to use streamed video and audio. Maybe you give binary opinions because you work in IT?

    9. Having been the netsec watchdog in several large corporations, I have experience in this arena as you do.

      Your thinking is stuck in the 80s. IT and ITsec exist ONLY to serve the needs of the workers and management. Management, with input from IT, HR and the workers, sets policy. IT should not judge the users or second-guess management.

      It is arrogant and behind the times for you to blanket deny social media, streaming audio/video and other modern services. These services were used for business reasons going back to the ARPANET days and their legitimate use has grown exponentially since. IT professionals tend to use these services far more than any other segment and tend to bypass security the most.

      Within SBC I had to call more IT people to the carpet for security violations and inappropriate use than all other segments combined, and considering that IT only consisted of less than 1% of the users. I have NEVER had to reprimand a non-IT person for using Tor, private VPN services or porn, yet it was at least once a week within IT. Whenever I hear an IT professional talk about draconian policies I have found rampant violations within IT, as these services are NECESSARY to do their jobs. Management is also a significant violator. The only significant widespread violation that I found among the ordinary users was the use of the preloaded games in Windows, and since it was IT that imaged those workstations I blame them for not removing the productivity-sucking apps.

      I set up stations in cafeterias and breakrooms outside our firewalls so that employees could access personal social media, email and entertainment sites (restricted by OpenDNS) and this greatly reduced the temptation.

      Music streaming for employees that weren’t required to be on the phone was encouraged (it was a cheap way to improve both morale and productivity) only if it was with headphones and through IT-provided software that would suspend when a call came in.

      IT departments were often the fox watching the henhouse.

      Also LDAP services and either ACE or Kerberos authentication can easily solve the multiple password situation and the need for strong passwords.

    10. Your presumptions are key indicators of why people dislike the IT department and consider its efforts and rules counter-productive.
      First, no-one gets paid a red nickel for IT compliance. Being a rock-star conformist doesn’t show up on employee evaluations, customers don’t give awards to departments that accomplished nothing but not leaking sensitive information and some gestapo with a lanyard browbeating someone over a jump drive doesn’t clear obstacles.
      Second, and pay attention to this, you have gone mad with power. Your job is to keep the network running and the data secure, not to decide what people need to get their jobs done. One of the things that is most annoying about IT staff, especially new, enthusiastic security zealots, is that they think they know something about anything other than IT. You’re not the productivity police, or the morality enforcement. You don’t know how to do Class-A surfacing in CATIA or character rigging in Maya and neither does the project director; that’s why your company hired someone besides you to do it. Part of being a professional is being given room and freedom to figure things out on your own.
      Let’s start with your claim of zero necessity for social media: does that include your Stack Exchange account that you use to obtain peer support for troubleshooting Active Directory issues, does it include TechNet, does it include the documentation for most of the software you own that is now delivered over the internet?
      And do you know to a certainty that not one person working as a computer professional would ever need Twitter or YouTube? Anyone who’s attempted to achieve any degree of expertise should be familiar with the need and benefits of YouTube for training, tips and tricks and examples. And Twitter? No use at all for it? Not even the monthly Training Podcast for Blender that I subscribe to where users can ask questions that are answered on-air, through guess what? Do you work in a white room with no windows and external sources of information?
      Do you even know what the task at hand is to which you are the sole blithe judge of people’s commitment?
      An engineer opens a piping model in Solidworks 2011 normally. They open it in 2012 and it produces Red X’s all up and down the tree? Do you know what the problem is and uninstall 2012 and reload 2011 for all 30 of your engineers (I’ll even throw you a bone that you know how to make an administrative image and do an Active Directory push?)
      Go ahead, figure it out without using the SolidWorks discussion forums, the software resellers YouTube page or the monthly SolidWorks support issues bulletin delivered in Blog form.
      Go ahead, take all the time you need.

      -cuz if that’s your answer, you screwed your engineering department.
      Solidworks is not backward compatible, so files saved in 2012 won’t open in 2011. On top of that, the algorithms for generating sweep geometry were updated in 2012 because 2011 would allow sweeps to build that contained cusps and singularities. Don’t know what those are and don’t care? Well, when the machine shop sends an angry supervisor up to your floor carrying a gouged part that broke an end-mill, are you going to even know that you were accountable? NO, you’re going to wave your hand at the engineers and go, “wouldn’t have happened if they had done their jobs instead of screwing around on social media websites.”

  2. Thanks for your feedback. You’ve made a great point about the criticality of data security policies. The thing about social media is a lot of companies are using it to build relationships with their customers. They are sharing media on YouTube, sharing content on Facebook and particularly LinkedIn, and they’re using Twitter to reach decision makers who never (ever) pick up their desk phones (because it’s almost ALWAYS a vendor). It’s frustrating that so many employees use social media for other reasons during work hours–happy hour, fishing trip, wedding planning, photo sharing and other non-work related activities. Do you think it could be lack of accountability and training? Our CSO just wrote this article for Data Privacy Day–which is today! http://code42it.wpengine.com/improving-data-privacy-one-employee-at-a-time/ Thanks again, Mike.

  3. What a crock. None of those time-consuming password protocols stops hackers; it just slows the work down for those of us that don’t understand advanced computer programming.

  4. Why hasn’t fingerprint technology taken off for PCs in a corporate environment? It seems like this would be a great option. I work in a hospital environment and besides the PCs, there are several other software logins we have to change every 30 days. It’s the biggest complaint I’ve had, working at a hospital. A lot of passwords written under keyboards here. Yeah, I throw them away.

    1. Fingerprint has a number of problems, fingerprints can be easily lifted off of devices. The other major problem is there isn’t an easy way to do network authentication using fingerprint authentication. Smart cards, or one time devices (the devices that change numbers every minute or with the press of the button) work a lot better.

  5. One thing I have always found is that security often is too quick to blame the “dumb” end user. While I do believe the user shares responsibility, I have seen far too many times where security doesn’t understand the end user requirements and is completely unwilling to work with users to figure out how they can meet those in a secure manner. For example, intentionally disabling security features. Why are they doing it? Are you sure it isn’t because they literally can’t get their job done because you blocked some sort of key functionality? Too often when a user runs into a problem with a security device, security is too quick to immediately say no without even listening to why the user needs access to something. This then causes users to no longer go through security and try to circumvent the security department, which then ends up being a far worse situation. Security needs to work better with users and stop acting like they are the only thing that matters. Until Security isn’t seen as an adversarial department to the users of the organization this will continue to be an issue.

    1. You’re kind of stealing our thunder, Daniel. We’ve got a webinar coming up where Gartner analyst Jeffrey Wheatman talks about what everybody wants: IT wants to keep the lights on, InfoSec wants to avoid breach and disaster, and the rest of the business wants to get their jobs done. Wheatman says organizations face increasing pressure to ensure security policies and rules are not only communicated and understood, but practiced. But achieving harmony of purpose isn’t simple when employees resist change that threatens their productivity. All that said, Wheatman (and our guy, Dave Payne) suggest that these former adversaries are beginning to harmonize.

  6. The one about storing ids and passwords in a spreadsheet. Yes, I do that … but the spreadsheet itself is encrypted and password protected. There used to be a keyring device that effectively did the same thing – it stored 20-odd passwords and you needed a single, master password to access them.

  7. Doesn’t someone make a device that stores passwords on a key chain sized electronic display? That way a person could just carry all their passwords around on their keychain like they do their car keys and house keys.

    1. Yup. They’re key fob password generators.

      You enter a PIN/password on your PC that tells the password server that you are going to request a one-time password that gets you access to secure parts of your company’s network. You press the button on your fob, and it uses the time stamp on the device and its serial number to create a hash input to a pseudo-random number generator on the device. You enter the one-time password, and the PW server creates a list of potential PW hits based on its internal clock and the serial number of your device. It uses the same seed to look up the PW on the same pseudo-random number generator, and creates a list of potential matches given differences in the clock input (with lower and uppercase letters, plus numbers and symbols, you have a potential for roughly 80 characters to the 6th power (6-digit password); there are roughly 262 TRILLION random 6-digit passwords). If the PW you enter is on the list of potential PWs the server has based on potential time-stamps and the serial number, it grants you keys to the kingdom.

      An additional level of security can be added by only accepting log-ins from specific IP addresses (or range of addresses), and/or specific MAC addresses (your PC on your company’s network/VPN), and 262 trillion potential passwords, and they’re pretty sure you are who you say you are…
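The fob exchange described in the reply above (device derives a code from its clock and a per-device seed; server recomputes a short list of candidates around its own clock and accepts a match) can be run end to end in a few lines. This is an added example, not the commenter's or any vendor's code: it uses the public HMAC-based construction of RFC 6238 (TOTP) in place of the proprietary PRNG the reply describes, a per-device secret stands in for the serial-number seed, and the 30-second step, 6-digit code and one-step skew window are assumptions. It also adds the replay guard a verifier needs so that a code seen once cannot be accepted again inside the window.

```python
"""Time-based one-time password exchange with a clock-skew window.

Added example, not from the article or its commenters. Uses RFC 6238 TOTP
(HMAC-SHA1 over the time-step counter) rather than a proprietary fob PRNG.
STEP_SECONDS, DIGITS, SKEW_STEPS and all secrets below are assumptions.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # assumed time step
DIGITS = 6          # assumed code length
SKEW_STEPS = 1      # server accepts one step before/after its own clock


def totp_code(secret: bytes, unix_time: int) -> str:
    """RFC 6238: HMAC the step counter, dynamically truncate, reduce to DIGITS."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


class Fob:
    """The token in the user's pocket: a secret and a (possibly drifting) clock."""

    def __init__(self, secret: bytes, clock_offset: int = 0):
        self.secret = secret
        self.clock_offset = clock_offset   # seconds the device clock is off

    def press(self, true_time: int) -> str:
        return totp_code(self.secret, true_time + self.clock_offset)


class AuthServer:
    """Holds per-serial secrets and the last counter accepted per device."""

    def __init__(self):
        self.devices = {}        # serial -> secret
        self.last_counter = {}   # serial -> last accepted step (replay guard)

    def enroll(self, serial: str, secret: bytes) -> None:
        self.devices[serial] = secret

    def candidates(self, serial: str, server_time: int) -> dict:
        """The 'list of potential matches' the reply describes: one code per
        step within the skew window around the server's own clock."""
        secret = self.devices[serial]
        base = server_time // STEP_SECONDS
        return {c: totp_code(secret, c * STEP_SECONDS)
                for c in range(base - SKEW_STEPS, base + SKEW_STEPS + 1)}

    def verify(self, serial: str, code: str, server_time: int) -> bool:
        if serial not in self.devices:
            return False
        for counter, expected in self.candidates(serial, server_time).items():
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter.get(serial, -1):
                    return False   # already used: reject the replay
                self.last_counter[serial] = counter
                return True
        return False
```

Widening SKEW_STEPS tolerates more clock drift but multiplies the number of codes a guess can hit, so the window should stay as small as the deployment's clocks allow and be paired with the same lockout counter any password login needs.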

  8. I’ve never understood why corporate data is anywhere close to the internet. This is privileged information, not something that is supposed to be secured from intrusion.
    Get your data off the internet and onto secure, private systems.
    The complaint is it takes too long to transfer it to different work sites when needed. No, it doesn’t. Build an intranet far removed from the internet and the problem is solved. You may be able to send files across the internet on a short burst, even if that burst is 2 hours, but it should never reside there.
    If five remote offices need the same data ten seconds after the home office posts it, something is seriously wrong.

  9. One security hole I’ve seen too often is an unlocked BIOS. Take a live Linux USB, boot from said USB, and I can see everything, and do just about anything.

    1. Ding! Ding! Ding! Vincent, the most secure Server I had was Linux-based! Forgot my log in creds and haven’t been able to get in since 2006!
      I believe you, btw.

  10. When the data breach at OPM occurred, it wasn’t because a user was careless with his/her password. The perpetrator got in behind the firewall somehow and then data-mined to his/her heart’s content. All the complicated passwords and constructions foisted upon users by IT is merely an irritating byproduct of someone failing to understand the true nature of the IT threat.

  11. Robroy, the OPM breach happened because OPM used the cheapest provider possible to store employees’ personal data; namely the Department of the Interior’s server farm. This is the site location where you find out about visiting hours at the park. Once they owned those servers, they were easily able (with admin credentials gleaned from the web server) to get full access to OPM’s network. The only reason they even discovered it was because a vendor ran a live scan demo on the network and said “uh.. I think you might want to take a look at this”. That by itself was a big no-no, but they got lucky. People only want security around when something happens, an incident response or an accreditation; the rest of the time, we’re a nuisance or a “mission preventor”. And we get the blame when your data is compromised, or crypto-ransomware locks all of your files. Yes, the average user is stupid and will try to get the money from the Nigerian prince, will try to get the Viagra without a prescription, etc., etc.

  12. This is just an idea, not sure if it could work. I am not an IT person, rather a horse standing in front of the water… thinking what in the world is this I am in front of.

    How about something like an SD-type card, nothing that transmits or receives, as those can be discovered using various methods.

    You insert this device and a random encrypted key is placed on it. Nothing else is on it. It can only be used with the same exact computer that placed this key on it. So even if let’s say I find one lost in Starbucks and took it home or hooked it to my laptop… I would be told this is an encrypted device, or that it is locked.

    Even if I manage to get into the information, all I would uncover is a key… I would not know where this key goes to, and even if I manage to figure out where it went to… Good luck knowing the exact connection point to insert it into in order to get to more data.

    To make it worth employees not to leave these wherever, make it clear that if they are lost the employee will be paying $50 dollars for the first time, and $100 for each time after.

    A lanyard without the company name all over it can be one way to keep these from being left places. Or a key-ring-friendly device could be used; people don’t tend to leave their keys behind.

    Real security will begin when hardware makers start making devices that auto encrypt with different methods, that give much better control over the I/O ports and things like that from the boot cycle up.

    Again I am not an IT person, I am that Horse that was brought to this strange wet stuff that I am not sure what to do with.

    Now this idea might not be the most ideal, but you in the IT field take it run with it, and maybe discover a method that does allow me to know this is water you can drink it…

    But, no one ever stopped to think, when pulling me to the water… Is this horse even thirsty? I won’t drink if I am not thirsty. Keep that in mind next time you bring a horse to water.

  13. On a different note, I work at a State facility where IT is like the “Great Oz”. No one had ever seen one, until 2012. Everything was dictated via email, in a stern, “monotone-like”, almost aloof fashion by a faceless Administrator that left one feeling like your workstation had Asperger’s. Like strangers in a strange land, yet interactions with rank-and-file employees were awkward and usually any IT questions asked of them were met with contempt or a blank stare, like an “are you an effing idiot? Why would you ask me how to make your mouse move slower?” Then an “Awww jeez... do I really have to do this?” kinda look. Listen, I’m no IT person at work, but I was surprised that most websites were blocked; even my professional practice group and access to my Union was blocked. What really got me was I couldn’t log on to Newegg(R)!* So, I Googled** where I wanted to go and chose “cached” and was online, np. Well, this was unexpected and I called IT right away. I also recommended that they not send out mass emails to all employees, telling them (essentially) when “maintenance” was to occur, because the firewall would be down in our particular work area.***
    “Okay”, click…That was my answer.
    Then, one day, my boss at the time wanted to hook up her State-issued laptop to the network. I helped her out, taking a CAT5 cable that was lying around and hooking her computer up in her office. I called IT to make sure everything was cool and the girl said, “I know you. You are the guy trying to get behind our firewall.”
    “Oh, no. Haha, when I actually DID get through I called you guys right away. I check every now and then to see if you guys have solved the issue.”****
    “Well, the Special Investigator was asking about you. You were trying to retrieve your State email to your home computer.”
    “Oh, no, I just called IT and asked if I could do that... that was it, honest.”*****
    “What do you need now?”
    I told her about hooking up my boss’s State laptop to the unused network port in her office.
    “We’re coming down there.”
    Within 5 min this electric cart cruised up and this 400-lb dude with BCGs****** on, accompanied by a much smaller, but spookily hyper-intelligent-looking female weighing about 60 lbs. No eye contact. They went and unplugged my boss’s laptop from the network port, took out THEIR CAT5 cable and switched it out in place of the spare I had gotten earlier... they left, but not without looking at me and then each other and shaking their heads.
    Next day I tried to get my email at work and couldn’t log on. A training instructor happened to be in the office that day and said he would help me “solve whatever problem you’re having”. After mashing the keys for a few minutes and getting progressively more anxious and shaking his head he stopped and looked at me and said, “You do not exist.”*******

    *On my lunch break.

    **Maybe not on my lunch break.

    ***Completely accidental.

    ****Absolute lie.

    *****Another flat-out lie.

    ******Birth-control glasses.

    *******THAT is NOT a lie.

  14. The more secure a password, the less secure it is. When IT or management make the login process so hard that workers can’t remember it, what do they expect? The user will need to write it down somewhere.

  15. No commercial IT department uses a password manager app?

    I use AgileBits 1Password, which is cross-platform, features a military-grade encrypted database, now comes in a Teams version and gives choices for storing the encrypted database in Dropbox, iCloud or a folder of your choosing for storage and syncing. [I use it to keep my phone and several computers’ passwords all in sync.]

    The password generator in the app is highly configurable to meet formula requirements from websites, etc. The app on an iDevice is locked by password and can be configured to use Apple’s Touch ID, and still has a time-out where you have a master password set for the app to get into it if the app is unused for a configurable length of time. There are browser extensions for using 1Password to fill in passwords in browser login fields securely (again, also configurable). Any employee saving passwords could use their BYOD and use 1Password for storage.

    Bottom line: I have two master passwords for my phone and my computers; everything else, which includes well over a thousand lengthy, random passwords, is in 1Password. I work in healthcare, and my need to know personal passwords there is usually well under three passwords, so it’s usually not hard for me to remember. (Some of the facilities I’ve worked at always required a master login password that included either DOB or SSN, which is appallingly, mind-bogglingly stupid.)

    There are password manager apps, including my favorite as mentioned above. So why is this an issue? As an added plus, 1Password’s tech support is world-class, usually responding in less than a couple of hours and always solving any small issues I’ve had. I’ve used the app for over five years.
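The "formula-driven" generator comment 15 describes is a small, well-understood piece of code, shown here as an added example; it is not code from the original page, nor from AgileBits or 1Password, and the policy values and alphabet are constructed for illustration. The point it demonstrates is how to satisfy a site's composition rules without weakening the result: draw every character uniformly from the full alphabet with the OS CSPRNG and reject draws that miss a required class, rather than planting one "required" character of each class in fixed positions, which reduces entropy and leaks structure.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Composition rules of the kind a site's 'formula' imposes.
    All values are constructed example defaults, not any product's settings."""
    length: int = 20
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_symbols: int = 1
    symbols: str = "!@#$%^&*()-_=+[]{};:,.?"

    def alphabet(self) -> str:
        return string.ascii_lowercase + string.ascii_uppercase + string.digits + self.symbols


def meets_policy(password: str, policy: PasswordPolicy) -> bool:
    """Check length, allowed characters and the per-class minimums."""
    if len(password) != policy.length:
        return False
    alphabet = policy.alphabet()
    if any(c not in alphabet for c in password):
        return False
    return (
        sum(c in string.ascii_lowercase for c in password) >= policy.min_lower
        and sum(c in string.ascii_uppercase for c in password) >= policy.min_upper
        and sum(c in string.digits for c in password) >= policy.min_digits
        and sum(c in policy.symbols for c in password) >= policy.min_symbols
    )


def generate_password(policy: PasswordPolicy = PasswordPolicy()) -> str:
    """Rejection sampling: uniform draws from the whole alphabet via `secrets`
    (the OS CSPRNG), retried until the composition rules are met. Every
    compliant password is therefore equally likely, which is not true of
    'pick one of each class, then fill the rest' generators."""
    required = policy.min_lower + policy.min_upper + policy.min_digits + policy.min_symbols
    if required > policy.length:
        raise ValueError("policy requires more characters than its length allows")
    alphabet = policy.alphabet()
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.length))
        if meets_policy(candidate, policy):
            return candidate


def entropy_bits(policy: PasswordPolicy) -> float:
    """Entropy of a uniform draw of `length` characters from the alphabet
    (an upper bound; the class minimums shave off a negligible fraction)."""
    return policy.length * math.log2(len(policy.alphabet()))


if __name__ == "__main__":
    policy = PasswordPolicy()
    pw = generate_password(policy)
    print(pw, meets_policy(pw, policy), round(entropy_bits(policy), 1))
```

With the constructed defaults (85-character alphabet, 20 characters) a password carries roughly 128 bits of entropy, which is the quantity that actually matters for the "easy-to-remember passwords" problem the article opens with: a manager-generated secret of this size is not something a pattern-based guesser can recover, whereas the thirteen predictable patterns cited in the article exist precisely because humans cannot produce this distribution.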
