Password policy

After my experiences today I’m reconsidering the way I look at password policies. I had to go around and install the new drivers for that Canon copier/printer today on about 15 machines. The install involved installing the Canon LPR port, installing the print driver, restarting, and then entering the Department ID information for the print job accounting functions. So I would sit down at a PC, run the installers, and ask the user to enter their password when the PC restarted. Most of them would just tell me what the password was instead of getting up from where they had settled to type it. A couple of these folks had to get up and type it in because they couldn’t remember it. Typing it in had become such a routine that they couldn’t tell you what it was, but they could type it. That told me two things:

1) I’m obviously not making them expire often enough. (I already knew that, but since there are no direct internet-facing PC’s, everything sits behind another company’s whole network infrastructure, and it’s a small enough environment that I can keep a pretty close eye on things, I have been more lax than I would be in any other situation. I don’t make them change it as often as most of you probably do with your users.)

2. You could never use social engineering to get these people’s passwords. They can’t tell you what they are! Maybe there’s something to be said for letting people type in the same password for long periods of time, making it such a routine that they can’t give it to anyone else. 🙂

Follow these topics: Uncategorized