Being reactionary – bad rules and good expectations

“Sorry but your password must contain an uppercase letter, a number, a haiku, a gang sign, a hieroglyph, and the blood of a virgin.”


I was reminded this week of the Dumbest Password Policy Ever™. I was working at a company that was a subsidiary of a large company with a bunch of divisions and subsidiaries all over North America, which was in turn a subsidiary of a multi-billion dollar international company. One day we got an email, in the form of a memo from the President of all the North American divisions, informing us of the newly updated employee manual and drawing our attention to the new password policy in the handbook, which everyone was expected to read and conform to immediately. So I downloaded the handbook, found that policy, and read it with both horror and amusement: every employee is required to write down their passwords for all company-owned systems, keep this hardcopy of their passwords hidden somewhere in their work area, show their supervisors where that password list is, and update the list whenever a password is changed.

Which anyone who knows anything about security knows is the most insecure way to treat passwords.

My boss called everyone in our department together and said, “Do not write down your passwords! If we get audited, I will tell them that of course we comply with the policy and of course each of you showed me where your passwords are hidden, but darn, I seem to have forgotten.” Which is what every other manager in our division told their direct reports (And I suspect a whole lot of managers in all of the divisions).

I understand how a policy like that comes into being. Someone who was the only person with admin privileges on some important system in one of the other divisions was out sick, or on vacation, or maybe even had died, and there was a great deal of trouble that wound up costing a lot of money (from all the time a lot of people spent trying to fix the problem, from other people not being able to do certain tasks for a while, or both). The solution to that is not to make every single bit of proprietary information available to anyone who can sneak into an office and snoop for a while. The solution is to make sure every system always has multiple people with admin rights. As long as you have someone with admin rights who can reset other accounts' passwords, or grant other people access to files that are ordinarily accessible only to the one employee who is unavailable, you can solve any of the other problems.

Right?

Trying to avoid repeating a mistake is a natural (and not unreasonable) reaction when something goes wrong. Unfortunately, in some circumstances, and with certain sorts of people, the result is a very simple “solution” that is worse than the original problem.

I’ve been worrying about this a little bit because, as part of the move, we’ve been trying to make some changes in our behavior to avoid problems we kept having at the old place. Some are fairly easy: don’t let dishes pile up in the sink; it’s all right to run the dishwasher when it isn’t completely full. Others are a little more difficult to stick to: take out the trash or recycling as soon as we notice it’s full.

Those are examples of things we kept meaning to change before. There were issues with the outside garbage and recycle bins at the old place that provided an excuse to put off dealing with the trash at certain parts of the week, but the real issue was procrastination and habit. Habits are reinforced by all sorts of things, for example, getting used to seeing dishes piled in that sink. So maybe the change in visual cues will help us develop a new habit.

Some of the new ways of doing things are because of issues we didn’t realize were happening until we packed up. We discovered all sorts of unexpected things lurking in the back of closets, or the back parts of shelves we couldn’t see easily, or behind furniture that was seldom moved.

But I also recognize that slavishly adhering to rules without regard to unintended consequences can create worse problems. So I’ve been trying to think of this as merely establishing new norms: not strict rules, just expectations.

And maybe that’s the secret: don’t be inflexible!


About fontfolly

I've loved reading for as long as I can remember. I write fantasy, science fiction, mystery, and nonfiction. I publish an anthropomorphic sci-fi/space opera literary fanzine. I attend and work on the staff for several anthropomorphics, anime, and science fiction conventions. I live in Seattle with my wonderful husband, still completely amazed that he puts up with me at all.

5 responses to “Being reactionary – bad rules and good expectations”

  1. cdwoodbury says :

    I know this isn’t the main point, but I just got done replacing a “replace every 90 days, minimum eight characters, min one upper case, min one lower, min one special char, min one number, can’t be one of four previous, can’t have four chars that were the same as the previous(!)” password just yesterday. So away went “StickiedToMyScreen1!”, which was the one that replaced “IHateUrReqs!!111”.

    • fontfolly says :

      I will neither confirm nor deny that when forced to change a password on a system with new rules that we weren’t told in advance may have eventually resulted in the password “GodDamnIt-!LetMeIn2ThisSystem!”

  2. amusedreams says :

    Piggybacking on CD’s comment, I’ve found my own forced password changes get decidedly vulgar when enforced unexpectedly. It’s easy replacing (some) vowels with numbers and leaving out spaces. I told the bank to do something very anatomically impossible a few changes back.

    • fontfolly says :

      And I will also neither confirm nor deny that during my last stint with the Advance Development Group that I wound up setting a series of passwords that had to be changed on a really frequent basis to “FuckYou0!” “FuckYou1!” and so on…

Trackbacks / Pingbacks

  1. Friday Links (keep it in the family edition) | Font Folly - July 21, 2017
