IT Knowledge Exchange

Register

Forgot Password

Site FAQ

Advertisement

Home > IT Blogs > Security Corner > Why Bother Giving Password Advice?

>>VIEW ALL POSTS

Security Corner

May 12 2010 1:22AM GMT

Why Bother Giving Password Advice?

Posted by: Ken Harthun

Opinion, Password, Security, security awareness, Security Faux Pas

I’m miffed. I went to visit one of my clients yesterday – one that I’ve carefully educated in password selection and security – and saw a sticky note on the wall with all his passwords written down on it. I asked him why. He just went on and told me that it was just too much trouble to think about mnemonics, password encoding systems, etc. I said that at least he could put that sticky note on the bottom of his keyboard where it was less obvious. He said it didn’t matter; whomever wanted his passwords would find them there anyway.

I won’t tell you this client’s profession; if I did, you’d be shocked. Let’s just say that a member of the cleaning crew could use information obtained through illegal use of my client’s passwords to do some real damage. And don’t think that a determined hacker would find it beneath him- or herself to take a job as a custodian if there was profit in the offing.

Why bother? Well, here’s the thing: I have all of my advice in writing in the form of emails with training materials attached to them. If my client ever gets hacked, I’m not liable for the consequences of any breach. I told them so. If they chose to ignore my advice, so be it. I did my job.

But I’m still miffed; I thought my opinion was valued.

What would you think?

Comment

RSS Feed

Comment on this Post

Leave a comment:

Yogi | May 12, 2010 5:49 AM (GMT)

It won’t register until someone steals his wallet and swipes his credit card for as much as they can get. Then your client will be angry and upset at THAT security breach. For some people (OK, probably most people), a security breach doesn’t seem to really sink in until it hits “close to home”. In other words, personal. And no matter how much we may advise them, people will generally tend to do what is easier and/or faster. And it doesn’t necessarily mean that your opinion wasn’t valued. Whether they follow it or not, they now have the knowledge to increase their security if they so desire (which it sounds like they won’t).

I usually liken those scenarios to those where parents leave money out in the open when their kids’ friends come visit just to see if they can trust the teenagers who come into their house. If the money is untouched, the kids are allowed back; if the money is gone, they don’t get invited back.

Labnuke99 | May 12, 2010 1:26 PM (GMT)

Here’s an option for your client. [A href="http://itknowledgeexchange.techtarget.com/it-trenches/a-password-reminder-to-carry-with-you"]PasswordCard[/A]. Maybe he could remember a symbol and a color – he could even just write down the symbol and remember the color.Not foolproof by any means, but better than full password being written on a sheet of paper.

The Geek | May 12, 2010 3:02 PM (GMT)

Labnuke, thanks for your comment and the link. That’s a very handy tool and I’m going to show it to him when we meet today. In fact, I’m going to put you on the blogroll and post a mention to your article over at Ask the Geek.

Yogi, you’re so right. I just tend to get frustrated at times. Thanks for your comment!

Cheers!
Ken

DavidScott | May 13, 2010 5:04 PM (GMT)

Ken: Great post and good points. I’ve also had security advice discounted, even in paying environments. They’ll learn (the hard way). Here’s a “workaround” for the password-challenged – I don’t endorse it particularly, and just tell people about it anecdotally (as there is a liability). The trick is to create a “dummy” Contact in MS-Outlook (or similar e-mail system), and simply put passwords in the notes section of the Contact. It’s true, of course, that if anyone breaches your e-mail account in that circumstance, they’d corral all of your passwords – but at least the passwords are in a password protected zone (MS-Outlook, or some other contact/e-mail system), AND, a person breaching would have to be perusing ALL of your Contacts in order to stumble on the password cache – very unlikely, as they’re motivation would likely be to breach the e-mail, and read that.

Of course – for the truly hapless – they COULD forget their e-mail password…

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.
All Rights Reserved, Copyright 1999-2013, TechTarget | Read our Privacy Policy
Questions and Answers Index 1 | Questions and Answers Index 2 | IT Topics Index 1 | IT Topics Index 2 | Blogs Index | Blogs Tags