Not intentionally, I hope – but the IT guy (or gal) is usually under a lot of pressure to fix something quickly so that the business of doing business can move on. And that can lead to shortcuts and encouraging bad habits.
When you call the IT guy, you’re the one who wants it done quickly; when he comes knocking with some sort of update or network issue, he’s pushing all the more to get you set up – because he has to repeat the same thing for all of your colleagues. Either way, whatever he is doing usually requires a password – one of your passwords.
He starts working with you standing behind him as you explain the problem over his shoulder. He moves aside to let you enter your password.
You BOTH know that the password is a secret – your secret.
You bend over the keyboard to enter the password as he pretends to be interested in some pictures on the wall of your cubicle.
He resumes working with you standing behind him. There’s a little small talk. He looks up at you because he needs the password again.
You BOTH know that the password is not supposed to be shared.
You awkwardly enter the password, again.
You discover that standing behind him is boring and that you don’t want to chat with him anymore. You hope that it’ll be over soon. It doesn’t look like it: he needs the password again. You seize the opportunity and write your secret password on a Post-it note and tape it to the desk next to your keyboard. You leave your cubicle in search of something better to do – like getting grilled by your manager about a missed deadline.
This ritual happens over and over in almost every company. It doesn’t matter whether you have an in-house IT team or outsource your IT support. The IT guys and gals have it tough: they’ve got a job to do and they know better than anyone the company password rules. Yet, they bend the rules so that you can get back to work and they can get to the next customer.
This is bad news for at least a couple of reasons. First, your password isn’t a secret anymore. The person to whom you’ve revealed your ‘princess1’ password not only has access to the specific account or application, but also has an idea of your password philosophy, which makes it a lot easier to crack other accounts. Second, and maybe even more important, this type of behavior reinforces the idea that passwords and security aren’t important. Somewhere, deep in your subconscious, you slowly start getting used to the idea that sharing passwords isn’t a big deal; you may start to reconsider whether it is even worth it to have different passwords for different accounts and websites, and pretty soon, you’re using ‘password’ as your password. It’s a slippery slope!
This is a call to IT guys – come on, make it hard on us! Don’t let us tell you our passwords. Make sure we know that that’s not acceptable.
PS Check out IT Crowd for a great look at life on the IT rung of the corporate ladder.