
Woman Keeps Passwords Taped To Her Computer Monitor - IT Department Upset

This topic is archived.

matcom Fri Dec-10-04 08:29 AM
Original message
Woman Keeps Passwords Taped To Her Computer Monitor - IT Department Upset
<snip>

Before she begins work each morning, Kate Prior must enter eight computer passwords. Each must contain at least eight characters, and most require letters and numbers. Every three months, she must change them all.

How does the 28-year-old monitor of drug trials remember her passwords? Easy: They're written on a blue Post-It note affixed to her computer.

Ms. Prior knows that her display threatens to undermine the very security that passwords are supposed to promote. "The IT people yell at me," she says, referring to her company's information-technology staff. But she prefers the occasional scolding to the alternative: forgetting a password, guessing incorrectly three times, and then having to call for help.

Security experts have long recommended that computer users choose hard-to-break passwords and change them frequently in order to frustrate hackers. Now, those recommendations are being newly forced on millions of U.S. workers in the name of preventing financial fraud under the Sarbanes-Oxley corporate-reform act.

The law, enacted in 2002 in the wake of accounting scandals at Enron Corp. and elsewhere, created an oversight body for audit firms, stiffened penalties for fraud, and required auditors to certify that firms have adopted adequate "internal controls" to prevent fraud.

No matter that Sarbanes-Oxley doesn't actually require changing passwords: In the name of those "internal controls," auditors and consultants are prodding companies to require that employees pick tougher passwords, and change them more frequently.

http://online.wsj.com/article_email/0,,SB110255403000595158-Idjf4NhlaV3o5urbXmGaK6Am4,00.html

terrya Fri Dec-10-04 08:32 AM
Response to Original message
1. Hahahahahahahahahahahaha!!
I've actually seen this in the places I work...people actually displaying their passwords on their monitors. I mean, for Christ's sake. If nothing else, put them in your desk drawer. NOT out in plain sight.

I'm a system programmer...in the IT field. This is a VERY important issue.

BiggJawn Fri Dec-10-04 08:37 AM
Response to Reply #1
3. That's where I keep mine.
Now, where's my desk?
That's for ME to know....

I need a password to sign the box on, a password for Email, a password for the work order scheduling system, a password for the Purchasing system software...And these all have to be changed every 30 days...And we get hacked regularly. Heard about a NEW break-in this past week. Last huge one happened over Thanksgiving...

Then there's all the passwords for the "unauthorized" places I go to...

rooboy Fri Dec-10-04 08:36 AM
Response to Original message
2. Reminds me of the story where the UK police caught a hacker...
in Wales. They took the teenager to the station, where they left him alone in a detective's office. There was a computer and a piece of paper in the top drawer with the password to the online system written on it.

Stupidity indeed.

SheilaT Fri Dec-10-04 08:42 AM
Response to Original message
4. I just love the advice
to select a hard-to-hack password of at least six or maybe even eight numbers and letters, a different one for each site, and change frequently. No advice on how we're supposed to remember them. I've gone to using a standard meaningful to me password that contains numbers and letters. Of course, if anyone ever figures it out, they can access most of my personal sites.

And some places assign a password to you.

hyphenate Fri Dec-10-04 08:44 AM
Response to Original message
5. Yeah
I think it's silly to have your passwords literally in front of you when you're working on the puter. Since most office people have a drawer that they can lock, it would probably be more efficient to put an index card in that drawer, tape it down, and then lock the drawer when you're not there.

Pretty much ditto for the home computer as well. I live alone, and no one has access to my home computer (which is also protected online with firewalls and AV) but having to enter in the XP password at the beginning is a pain in the ass. One of my very close friends is the only one with my passwords, just in case anything ever happened to me.

Deja Q Fri Dec-10-04 08:45 AM
Response to Original message
6. It's all about HIPAA. Blame a society that encourages paranoia,
amongst other things.

THUNDER HANDS Fri Dec-10-04 11:51 AM
Response to Reply #6
17. yes I had to do that
when I managed a medical database. I had to change passwords to the Department of Health website every three months. But I just kept two passwords and changed them back-and-forth every month. Actually, I just reversed them every other time. If one password was Joe578, the next time it was 578Joe. :D

Deja Q Fri Dec-10-04 12:14 PM
Response to Reply #17
22. Newer password schemes won't allow people to do that.
It's only going to get more and more tight.

Still, I wouldn't be surprised.

Drifter Fri Dec-10-04 03:26 PM
Response to Reply #22
27. Yep ...
I can not re-use a password for at least 2 years.

I only need to know a handful. They all have the same root, and are modified by a couple of numbers.

Cheers
Drifter

DS1 Fri Dec-10-04 08:45 AM
Response to Original message
7. Eight Passwords is outrageous
I actually agree with her, and I HATE when people do that, but this needs to be addressed.

obreaslan Fri Dec-10-04 08:54 AM
Response to Reply #7
8. There are actually Single-Sign-on software packages out there...
They store your passwords in the PC, and once you log-in to the computer you are automatically logged in to all of the others.

It works quite well for large companies that have numerous systems.

DS1 Fri Dec-10-04 08:55 AM
Response to Reply #8
9. A simple thumb-pad would save thousands in lost
productivity.

frylock Fri Dec-10-04 11:36 AM
Response to Reply #9
14. most biometric devices require a password login as well

blondeatlast Fri Dec-10-04 08:57 AM
Response to Original message
10. I sympathize. I have TWELVE different passwords, dammit.
Guess how I remember them? When it's time to change one, it becomes the last e-mail password, the other one becomes the Novell password, etc...

I know, but you try keeping track! And I use these databases EVERY day.

Bridget Burke Fri Dec-10-04 09:01 AM
Response to Original message
11. Don't most systems allow you to change your own password?
So, when my Windows password needs changing, I change the others to match. Notes are still useful--behind the ID card that I must wear is a good place. The holder even has room for lunch money!

I do a bit of password resetting for departmental applications. Friendliness is the key--never make the user feel like a doofus.


demnan Fri Dec-10-04 09:12 AM
Response to Original message
12. There has to be a better way
to secure a system. Passwords have gotten out of hand, and eventually even if you trade them around and you have to have a new password each time, it gets crazy. I actually don't know why they don't have one password to enter one portal. It's just bad management to make people go through all this. I have about 10 passwords on various systems. I try to make them the same on various systems but some expire at 60 days, some expire at 90 days. This is a nutty system!

Sgent Fri Dec-10-04 09:24 AM
Response to Reply #12
13. Passwords
I just counted for the sake of brevity -- I have over 30 passwords, and that's business related not personal. I'm the CFO in a small business so I have a couple dozen passwords for banks, insurance companies, purchasing, fedex, ups...

On top of that, I am also the only one onsite with administrative access to the network -- so I have server, administrator, user, superuser, offsite remote, email, firewall, network switch X 3...

I have 2 passwords that I need to login and retrieve my email (3 if from home), and keep everything else in plaintext in my outlook mailbox. Not the best security, but at least it is fairly well protected (certainly better than a post-it).

frylock Fri Dec-10-04 11:40 AM
Response to Reply #12
15. because if you hack that one password, you've compromised the whole system

cheezus Fri Dec-10-04 11:47 AM
Response to Original message
16. something you know, something you have, something you are
8 passwords? fuck that

1 password
1 keydrive/smartcard
1 thumbprint

htuttle Fri Dec-10-04 11:51 AM
Response to Original message
18. I have a single password to unlock my Mac's AES encrypted keychain
And then the rest of my passwords are kept in the keychain. AES is military grade encryption, so they are plenty secure (often more secure than what I'm logging into).

If all else fails, I have an encrypted text file I keep additional passwords in so I don't forget them.

The Keychain rules.

snooper2 Fri Dec-10-04 11:54 AM
Response to Original message
19. I have 30+ passwords to remember...
Lab DCS, Lab Routers, Lab Ethernet Switches, Vendor Defaults for Adtran, Cisco, CAC etc., 10 company software applications developed internally, Progressive, Comcast, Aetna Insurance, Metasolv, Sprint PCS, IDB PayStatements, my own computer, DU and others!

No sympathy....

After years you should be able to figure it out.. Use the same login password for some apps, different for others, and swap them around whenever you have to change PWD....

Maybe she should be flipping burgers instead...

RobinA Fri Dec-10-04 02:41 PM
Response to Reply #19
23. Some of Us
have better things to do with our available bandwidth than remember a million ever-changing passwords. I have one password for everything. Compromise the system? Maybe. If you don't want the system compromised come up with a user friendly way of protecting it. Until then, workers will devise ways of making life easier at the expense of system security. Computers were supposed to make life easier, not make us their slaves.

KurtNYC Fri Dec-10-04 12:05 PM
Response to Original message
20. From our building I could watch
people in other buildings type their passwords into their computers (in theory).

There was a court case in NYC where one brokerage firm had set up a camera on a tripod that was zoomed in on the screen of a competitor's computer across the street. They could see the commodities trades the guy was setting up and what his bid/ask spreads were (it is like seeing the other guy's hand in a poker game). The judge in effect ruled that it isn't invasion if you have your monitors and keyboards where they can be seen from outside of the building.

Prisoner_Number_Six Fri Dec-10-04 12:13 PM
Response to Original message
21. It's pretty simple, really
Just remember your logon password, and keep the rest in a text file you can copy and paste from. If you put it in your startup group, you can even have it open at logon!

Cadence Fri Dec-10-04 02:43 PM
Response to Original message
24. I used to work in IT and this happens all the time.
I had a guy once write his password in black marker on the plastic part of his monitor.

billyskank Fri Dec-10-04 02:44 PM
Response to Original message
25. I don't do much better
I have four or five passwords that all have to be changed monthly. I keep them written on a post-it note locked in my drawer. No way I am ever going to be able to remember them all.

Solon Fri Dec-10-04 03:17 PM
Response to Original message
26. Wait a sec...
Only 8 characters? AlphaNumeric only? What type of bullshit is this? At worst, it would take me less than five minutes to crack ALL those passwords, and that is using the hard way. Nice little program I made, goes through all Permutations possible. Slow me down a little bit, people, a little advice, when they say 8 characters minimum, please make it 16+ instead. Also, unless they are totally stupid and don't accept odd characters use all the ODD characters you can, at the very least any of these @#$%^&*_+=*¡¢£¤¥¦§¨©ª«¬®¯°±²³´¶·. And of course, most importantly, MAKE THE PASSWORD RANDOM, and DON'T store it on the computer unencrypted and make sure it uses 256 bit cipher at least.