Not intentionally, I hope – but the IT guy (or gal) is usually under a lot of pressure to fix something quickly so that the business of doing business can move on. And that can lead to shortcuts and encouraging bad habits.
When you call the IT guy, you’re the one who wants it done quickly; when he comes knocking with some sort of update or network issue, he’s pushing all the more to get you set up – because he has to repeat the same thing for all of your colleagues. Either way, whatever he is doing usually requires a password – one of your passwords.
He starts working with you standing behind him as you explain the problem over his shoulder. He moves aside to let you enter your password.
You BOTH know that the password is a secret – your secret.
You bend over the keyboard to enter the password as he pretends to be interested in some pictures on the wall of your cubicle.
He resumes working with you standing behind him. There’s a little small talk. He looks up at you because he needs the password again.
You BOTH know that the password is not supposed to be shared.
You awkwardly enter the password, again.
You discover that standing behind him is boring and that you don’t want to chat with him anymore. You hope that it’ll be over soon. It doesn’t look like it: he needs the password again. You seize the opportunity, write your secret password on a post-it note and tape it to the desk next to your keyboard. You leave your cubicle in search of something better to do – like getting grilled by your manager about a missed deadline.
This ritual happens over and over in almost every company. It doesn’t matter whether you have an in-house IT team or outsource your IT support. The IT guys and gals have it tough: they’ve got a job to do and they know better than anyone the company password rules. Yet, they bend the rules so that you can get back to work and they can get to the next customer.
This is bad news for at least a couple of reasons. First, your password isn’t a secret anymore. The person to whom you’ve revealed your ‘princess1’ password has access not only to that specific account or application, but also has an idea of your password philosophy, which makes it a lot easier to guess your passwords for other accounts. Second, and maybe even more important, this type of behavior reinforces the idea that passwords and security aren’t important. Somewhere, deep in your subconscious, you slowly get used to the idea that sharing passwords isn’t a big deal; you may start to reconsider whether it is even worth having different passwords for different accounts and websites, and pretty soon you’re using ‘password’ as your password. It’s a slippery slope!
This is a call to IT guys – come on, make it hard on us! Don’t let us tell you our passwords. Make sure we know that that’s not acceptable.
Peter L
PS Check out IT Crowd for a great look at life on the IT rung of the corporate ladder.
Right on Peter!
While I understand that the IT people are busy and it’s easier to get things done faster if they have access to everyone’s password, the hard truth is that it can’t be that way, as it’s a huge breach in security. At the end of last year, we fired our IT guy for that very reason. In January, we hired our new IT person and, in the interview, we shared with her why the previous individual was asked to leave. Not only do we have our security back, we’ve got a very efficient and effective IT operation as well.
Thanks!
Mike
I don’t think I’ve ever heard of anyone being let go for something like this. Your company is tough! I understand that the IT folks are doing it to help the users get back to work quickly, but it’s bound to lead to problems in the long run. The person you fired had all those passwords – did the company make sure that all the employees changed their passwords after they let him go?
I’ve had a couple of offline comments from IT folks, who said that this was more of a ‘help desk’ type support issue than IT. I wouldn’t disagree, but the point is that the people who should know better should be the ones taking a stand against this type of loose password control. I understand that they are doing it to help the users, but in the long run, it’s bound to lead to problems.
DON’T LET US DO IT!
Of course, the very scenario you described happens to all of us! When IT arrives, I feel silly hanging around so I write the password(s) on a post-it note with the idea of changing it as soon as IT is done with the work. I do change it, but usually use the same “formula” again and again. I try to be clever about it, but I am sure that it wouldn’t be too hard for someone to figure my password out once they’ve seen my “root” word. I think that part of the “formula” problem is the corporate requirement to change passwords every 30 days – who has a memory that good?
This can be one of the most important intelligences I ever learnt today. I’m speaking about this piece of your post: “… password. It’s a slippery slope! This is a call to IT guys – come on, make it hard on us! …” This is it, you just pinpointed it down, buddy.