Over the years, I've run many courses on computer and network security, and that is one of the most frequent questions I get asked. Each time, I have to do a little mental count to 10 before I give them a very calm and helpful answer (after all, these cretins pay my fees).
Companies spend large amounts of money on security hardware and software in the vain hope that some of it will make their data secure, yet the best way to get someone's username and password is still to ask them. During one session, I spent about forty minutes going through password security, ensuring that people knew that no reputable person or company would ask for their password over the phone or by email, so they must never give it out. They must also never give passwords to colleagues, because that made it impossible to maintain an audit of computer use (one of the client's legal compliance requirements). I went on and on about how there was never ever a single occasion when an employee would be required to give anyone their password. At the end, I turned to a random person in the front row and asked, "What's your Windows password?" He told me immediately.
No court in the land would have convicted me...