Newly hired IT contractor will need remote network access, so this pilot fish uses the company’s intranet-based application to set it up for him. That includes coming up with a secret question and answer so the user can be authenticated when he calls the help desk. “But the system assumes the person filling out the request is also the one who’ll be using the access,” grumbles fish. “It asked me to come up with the question and answer, not the contractor. The result? His question is ‘Why is this an insecure process?’ and the answer is ‘Poor design.’”
Heh. That reminds me of a friend of mine. His company does a -- let's be kind here -- so-so job of consolidating passwords. So to be able to go through his day, he has to remember an intranet password, a shared calendar password, a windows network password, a unix network password, a cms password, a cvs repository password, an IT password and a few others.
It goes without saying that some of those passwords must be changed every month or so (which wouldn't be so bad if the system didn't start nagging you about it 15 days in advance every friggin' time you unlock a machine, which happens twenty-something times a day).
Considering that all new passwords must conform to your usual, run-of-the-mill draconian rules (>= 8 chars, must have letters, numbers and at least one character no one ever saw, and must not resemble, sound like or have a similar taste to any previous password you ever used, in this life or any previous one), and considering that most sub-systems have the three-tries-and-hop-your-account's-locked policy in place, it's small wonder that everyone has to call IT sooner or later to have an account unlocked.
(It has to be mentioned here that the IT department is outsourced, so each call to them is a hearty pull at the arm of the ka-ching! machine. It also has to be mentioned that the whole Minosian password architecture has been designed by them. Is the whole scheme hatched out of sinister cunning, or just plain old meanness? I'll let you decide.)
Anyway, they decided not so long ago that to be able to reactivate a password on the phone, you'd have to answer a secret question of your choice. So what's the question he chose?
"Who is the patron Saint of superfluous passwords?"
I'll withhold the answer, but I think it's not hard to figure out the gist of it.
As it is, my friend is gifted with a good memory and has yet to call IT for the first time. But he confided in me that he's kinda looking forward to it.
Re:Reminds me of...
Aristotle on 2006-08-24T11:44:41
Goodness gracious. I’d just write all my passwords down and keep them in my wallet.
Re:Reminds me of...
Yanick on 2006-08-24T12:53:40
Only problem being: to keep both money and password, it's not a wallet that is needed, but a briefcase.
But my friend found the solution: he keeps his passwords in his wallet, and sticks his money bills to his monitor. He calls it security through surreality.