the pay-off from returning your staff’s messages promptly, everyone hates info security policies, and more

Over at Intuit QuickBase’s Fast Track blog today, I take a look at several interesting work-related stories in the news right now: the pay-off from returning employees’ messages promptly, the impact of unnecessary information security policies, and more. You can read it here.

{ 80 comments… read them below }

  1. Rebecca*

    #3 – Security policies. I so totally agree! Our RDP passwords have to be updated every 90 days, and we can’t reuse the password. Passwords and logins are different for many different items, so I have resorted to a written list at my desk, and every time something updates, which is staggered, I write it down. Not secure by any means, but if I miskey something too many times, I get locked out and have to wait for IT to unlock it.

    I wish we didn’t have to update so much, and for Pete’s sake, even if someone did manage to get into this mess, it’s highly doubtful they’d be able to figure out how it works anyway.

    1. Charlotte Collins*

      An IT person once told me that the “unbreakable” super-long passwords often end up leading to lower security, because people are more likely to write them down and accidentally leave them where others can find them.

      1. Helka*

        Randall Munroe did a great thing on that! The “upper and lower case, at least one number and one special character” passwords are terrible. Sure, they’re harder for a human to guess, but not a machine.

            1. Susie*

              I did for the last month because I thought it was funny. But I generally do use a string of random words that is easy for me to remember.

              It freaks IT out when they see me log in to anything because all of my passwords are 20-30 characters long. But no one is hacking in through me.

        1. themmases*

          I love that one!

          Although I think it is possible to combine the two methods and get a password that isn’t hard to remember while still following all the rules. Just use a phrase, still using whatever substitutions make sense to you. I usually throw in some phonetic spellings/misspellings too so I’m not just using dictionary words with zeroes for O’s. That isn’t fooling anybody.

          I’ve also seen suggestions to include some short reference (for example, the first two letters) to the site name or purpose in the middle of a phrase you use everywhere, so you only have to remember one passphrase but your actual passwords will be unique.

          I hate special characters. I could swear I’ve used some sites that don’t allow them (or allow their own weird set of them), while others require them. Normally I can at least use my own rules to guess my password somewhere, but how am I supposed to remember what random set of special characters this software considers acceptable? It’s a recipe for having those passwords constantly reset or written down.

          1. cuppa*

            I have a program at work that requires a new password every 90 days, and has to have a special character, but only certain special characters work. They don’t tell you which ones work and which ones don’t, either. We only figured it out when my password with an asterisk didn’t work. (It let me set up the password, just wouldn’t take it once it was set up.) Oy vey.

          2. James M*

            I’ve been mulling over the idea of formalizing secure unforgettable passwords as a “Mad Lib” style web app. The idea is to string together words supplied by the user and provide context to cement them in the user’s memory.

            E.g.: jot down an example of these 4 things before reading further:
            A number between 2 and 20.
            An adjective.
            An animal, plural.
            A famous place.

            Today’s Headline: a gang of <number> <adjective> <animal> riding lawnmowers caused panic as they raced through <famous place>.

            Your new password is “<number><Adjective><Famous Place><Animal>!”. E.g.: “12ExpensiveVaticanOctopi!”. As a bonus, this scheme satisfies most anal “security” requirements and if you need to change it periodically, just increment the number.

            1. Helka*

              I’ve used old tabletop characters of mine to formulate memorable passwords before — things like ElvenSorceressLvl11 or HalfElfHatesElves!! It’s pretty fun, and has the benefit of being easier to remember than Tr0ubad0r1&

        2. A Teacher*

          I got the tip from someone on here a few years ago but I like the sentence with a number and special character at the end. So something like Iloveshopping1! and then when you have to change the password it’s just the number that’s changed. I would just make it more specific to myself.

            1. Mallory Janis Ian*

              Yeah, several of my university passwords have to be exactly 8 characters long, with a capital letter and a number. Oh, the passwords I could make if not for the exact-character-count requirement!

              1. Miles*

                I remember at my old university, the password requirements changed depending on what channel you used to change the password.

          1. Miki*

            Yes to this one: if I can use the same password and just change the number at the end, I sure am using it (time sheet password lets me do this); I just have to remember what number I am currently on (changes yearly).

        3. Miles*

          Just gonna throw this out there, the passphrase thing was a popular concept for a while but it was debunked within a month as soon as someone realized you could have the hacking computer prioritize phrases using multiple dictionary words & variations on those. I don’t recall the exact numbers but it’s in the ballpark of 4 words is about as secure as a 10 character password using random words & random characters respectively… but if you don’t have a randomizer choose your words, the security of your phrase drops off much quicker because there are only so many movie quotes people are likely to remember.
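          Miles’s comparison above (random words versus random characters, and why a human-chosen quote is much weaker) can be checked with a short entropy calculation; the same arithmetic covers the “just increment the number” rotation that several commenters describe earlier in the thread. This is an added Python example, not code from the blog or any commenter, and the wordlist sizes, the 95-symbol printable alphabet and the size of the “quotes people actually use” pool are assumed values chosen for the comparison.

```python
import math

# Assumed sizes for the comparison (constructed for this example, not from the thread).
PRINTABLE_ASCII = 95    # letters, digits and punctuation on a US keyboard
DICEWARE_WORDS = 7776   # a diceware-style wordlist (6^5 entries)
SMALL_WORDLIST = 2048   # a short list of common, memorable words
QUOTE_POOL = 10_000     # distinct movie quotes / song lines people tend to reuse


def random_chars_bits(length, alphabet_size):
    """Entropy in bits of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def random_words_bits(word_count, wordlist_size):
    """Entropy in bits of `word_count` words drawn uniformly, with replacement, from a list.

    This only holds when a randomiser picks the words; the attacker then has to try
    every combination rather than every quote he has heard of.
    """
    return word_count * math.log2(wordlist_size)


def chosen_phrase_bits(pool_size):
    """Entropy in bits of a human-picked phrase.

    Once the words are not independent choices, the number of words stops mattering:
    a guesser only has to enumerate the pool the phrase was taken from.
    """
    return math.log2(pool_size)


def increment_scheme_bits(number_range):
    """Extra bits contributed by a rotating suffix such as a quarter number (1-4)
    or a counter that is incremented at every forced change.

    Against someone who already knows the previous password the base contributes
    nothing; only the `number_range` possible suffixes remain to be tried.
    """
    return math.log2(number_range)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words from the list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def compare_schemes():
    """Bits of guessing work for the schemes discussed in the thread, under the assumed sizes."""
    return {
        "10 random printable characters": random_chars_bits(10, PRINTABLE_ASCII),
        "4 random diceware words": random_words_bits(4, DICEWARE_WORDS),
        "4 random words from a 2048-word list": random_words_bits(4, SMALL_WORDLIST),
        "a favourite quote": chosen_phrase_bits(QUOTE_POOL),
        "a favourite quote plus the quarter number": chosen_phrase_bits(QUOTE_POOL) + increment_scheme_bits(4),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:45s} {bits:6.1f} bits")
    target = random_chars_bits(10, PRINTABLE_ASCII)
    print(f"random words needed to match 10 printable chars: "
          f"{words_needed(target, DICEWARE_WORDS)} (diceware), "
          f"{words_needed(target, SMALL_WORDLIST)} (2048-word list)")
```

The numbers show the point Miles makes: four randomly chosen words sit well below ten random printable characters, while a quote picked from memory is weaker still, and a rotating quarter number adds only two bits on top of whatever the base had.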

      2. AdAgencyChick*

        Totally. My husband works in IT and calls it “security theater.” He rants at least once a week about how lawyers who don’t know anything about how to ACTUALLY make a network secure are the ones writing security policies.

      3. Miles*

        If I feel the need to write a password hint, I play word-association jeopardy, but with obscure enough things that even if I told people what it was, they would raise an eyebrow or two. All that “useless” trivia and those quotes from bad movies that you can’t seem to forget have a use now.

      4. Chinook*

        My personal favorite is that we require one 90 day changing password for most of our programs but then another gobbledygook password, issued by our support staff, to create requisitions and then a third password to verify that you are allowed to approve requisitions. You have to log in 3 times just to do one task and our support staff for that one particular program can’t understand why they keep getting emails asking them to approve the requisition in the background on their behalf. (This was all the result of rolling out an upgraded version of the program everyone used in the past without bothering to tell anyone how to use the new version with multiple passwords or telling them that their old links and old program were going to disappear. Fun times!)

        As for my password – I use a Japanese word that many anglos misspell when they hear plus a number. The IT guys say it is a pretty strong combo.

      1. Jerzy*

        My husband uses this for almost everything… which means the passwords of his that I used to know for accounts that I occasionally need access to are no longer useful.

        1. Kyrielle*

          We use 1Password, which can have multiple repositories and can synchronize through Dropbox to our phones. We each have our own file, and then we also have a shared file that we both know the password to, where shared logins go. It’s a great setup.

        2. Elysian*

          I use LastPass, and think it’s awesome. I occasionally print out a list of all the passwords it knows and stick it in the same place I stored my passport, birth certificate, etc. in my house. I figure if the thief has already gotten to that place, I’m doomed anyway so it doesn’t matter. And then my husband always knows where to find my passwords if I get hit by a bus or whatever.

      2. Sadsack*

        I have considered this, but admit I haven’t done much research. I worry about my info in LastPass being secure. Did you have any such concern?

        1. Ask a Manager* Post author

          Yes, definitely. But it’s their primary job to make sure that it’s secure, and I figure my info is better off there than any of the alternatives.

        2. Emily, admin extraordinaire*

          LastPass has been hacked a couple of times in the time I’ve been using them. Both times, the hackers did not gain access to any actual passwords (they may have accessed hashed passwords, but LastPass uses super duper encryption on them, so without the hash key the info was worthless). Also both times, LastPass alerted me in a timely manner and had me change my master password. Neither time have I experienced any issues with any of my sites being accessed or hacked (at least, not that I know of).

          I am not worried. My LastPass subscription is the best $12 I spend a year (they have a free version, but the subscription allows mobile access, which is crucial these days).

      3. Mike C.*

        Yeah, but the type of environment that requires that sort of security isn’t going to allow a single token authentication system.

        Really, if you need good security, you need to start using physical token+pin numbers or maybe fingerprint scanners that aren’t stupidly easy to fool. Remembering or storing passwords is terrible.

        The best part of course is that every system has a different scheme for usernames and passwords, and they don’t bother to tell you those rules (even though you can learn them by opening a new account!) when it comes time to login after a long time.

        1. Kyrielle*

          I haaaaaaaaaate fingerprint systems. Loathe.

          I have very dry hands with a tendency to not read well. At $OldJob, I routinely had to be fingerprinted, at a site with Livescan, and it was pretty much a guarantee that every other finger, or maybe every finger, would have to be redone 2-3 times if I didn’t use the oil. If I used the oil, then usually only one or two would have to be repeated at all, and sometimes only once.

          1. Chinook*

            “I have very dry hands with a tendency to not read well.”

            So it is not my imagination that touchscreens don’t respond to my touch? One of the reasons I have a BlackBerry is that it has a keyboard that always works when I touch it. It also has the best password protection I have come across: you can either enter a physical password or move a grid of numbers over a picture so that a certain number lines up in a certain place, and the grid is always different. If you happen to mess it up 5 times in a row, it then insists you type “blackberry” (to ensure you don’t accidentally wipe your device via butt dialing passcodes) and then gives you 5 more chances before wiping the device.

            Playing line the number on the dog’s forehead is the best part of my day and means I don’t access my phone unless I have some sense of mind to finger coordination.

        2. Elysian*

          “The best part of course is that every system has a different scheme for usernames and passwords, and they don’t bother to tell you those rules (even though you can learn them by opening a new account!) when it comes time to login after a long time.”

          I hate this!!! My cable company and my cell phone company both require some kind of verbal “pin” to confirm my account, and one is 5 letters max and the other is 6 letters max. I always have to ask “How many characters is it?” because I can never remember which is which, and they won’t tell me. In the end they let me through when I get frustrated and am like “Come on – It’s either ABCDE or ABCDE1 depending on how many letters you made me have.”

        3. AnonHere*

          Or they use a single authentication system until more than 75 million people’s data are breached, then panic and demand two factor authentication and take weeks to have it all set up correctly. Especially for remote workers.

          Not that my employer did that at all nooooooo.

        4. Elsajeni*

          We have one system that doesn’t even tell you the rules when you start a new account or change your password! That’s always fun. (Although at least that one does give you the full set of rules the first time you enter a new password that won’t work — I’ve also encountered systems where it only gives you one bit of information at a time, even if your attempted password breaks multiple rules, like: password – rejected, dictionary word. password123 – rejected, requires at least one capital letter. Password123 – rejected, requires at least one special character. WHY???)

      4. Al Lo*

        I love LastPass. And with the shared folder, I can pop all of our household accounts (Netflix, Amazon, whatever) into there so my husband doesn’t get frustrated by my big random passwords.

      5. stellanor*

        LastPass saved my bacon when one of my accounts was compromised and I went on a mass password changing spree. I can’t use it at work, though, due to *drumroll* infosec requirements, so my work password is actually probably the least secure because I have to be able to remember it (my bank passwords are all legitimately gibberish).

    2. TootsNYC*

      I have started simply changing every password whenever the most frequent one requires it. I have one scheme, and they’re all pegged to that scheme with whatever variation is system specific (12 characters instead of 8, etc.).

      So I keep a list of which programs have passwords, and what their requirements are. But I don’t have to write down my password itself.

      1. BadPlanning*

        Yes, at my job, we all have “password change day” as most people change all their passwords in one go since the minimum is 3 months. I keep a bookmarks folder with links to everything that I have to change.

    3. Meg Murry*

      Yes, this! Show me a place that makes you change your passwords frequently and has complicated rules about how many characters they can be and how many characters you have to change at a minimum from one password to another and I’ll show you a workplace where you can walk in and find passwords (and usually usernames) on a Post-It Note under a keyboard within 3 tries.

      I use LastPass for everything now – work, home, shared passwords with my husband and kids, random account numbers I need to keep track of like frequent flier member numbers – it’s great, and totally worth $12 a year to be able to access it on computers and my Android.

      For a good take on why most password rules are stupid, see xkcd #936 (link to follow).

      And why oh why is it the sites I care least about someone else accessing that have the most convoluted password rules? The site that I can’t get anything from except my mortgage statements? It has the most bizarre rules I’ve ever seen on passwords, and really can’t do anything but show you a statement (with the account numbers blacked out anyway). What is someone going to do, hack in and pay my mortgage for me? Yes please!

      1. Charlotte Collins*

        Some of that is because if there’s PII, PHI, or financial information, the company has to prove it’s meeting certain security standards (not passing audits is never a good thing).

      2. Charityb*

        You say that now, but how would you feel if a criminal regime like ISIS or North Korea got their hands on your mortgage and paid it off for you??? You would be devastated, right? I know I would be; I’d probably need several vacations to the Bahamas to get over it…

    4. Miss Fussy Britches*

      We, too, change every 90 days, so I have synced mine to change on the first day of each quarter. The required number is then the number of the quarter; we are in the 4th quarter of the calendar year now. This way I only have to change the main password once a year. For example, since we are in the 4th quarter of the year, it might be password04. Last quarter, it was password03.

    5. The password is what*

      I use a password protected Excel spreadsheet. I have over 100 passwords and account numbers that I need for my job. I can keep track of the user name, password, account number, security key, security questions, and any other information a particular website might require. When I have to update a password, I just update the sheet (which I normally need to access to remember the password in the first place). Yes, I still have to remember the password to my computer and to the sheet, but two compared to over 100 is much more reasonable.

      It’s not mobile, but I don’t need to access the websites outside of work. I also have a similar spreadsheet set up for my personal passwords. (Again not mobile, but I don’t use my phone to access anything other than my email account, which I can remember the password to.)

      1. Sonic*

        The password protection on Excel spreadsheets is pretty much worthless. Easily broken by dozens of programs available on the internet… but it’s free. You could consider using a ZIP program with a very long password. It’s not totally safe either but better than Excel.

    6. Stan*

      Did anyone see the blog on HuffPo last year by Mauricio Estrella about using password changes to change your life? (link in the next comment) It seems kind of cheesy at first read, but I’ve found it very useful from a password standpoint and a life goal standpoint. I have about two dozen logins that I have to use regularly at work. I spend about 15 minutes on the first day of each quarter changing all of the passwords to my current goal. It satisfies the most stringent password change requirements and I was able to work out a formula that satisfied all the other requirements.

        1. MommaTRex*

          Thank you for sharing this. I’m going to try it; I’m sure this will work much better than my current convoluted passwords that secretly have swear words in them. It seems like my passwords always need to change when I’m in the very worst of moods!

  2. Elizabeth West*

    We have one password to get into everything, but you have to change it every so often and can’t reuse. But once we’re in the network, we still have to log into EVERYTHING. It’s kind of annoying, but it helps me learn my new password quickly because I have to type it 4362915616761648 times a day.

    1. Kyrielle*

      Yeah, I don’t love but don’t hate the systems I have to log in to with my network login after I’m already in the network. The 3-4 additional I have to know, though, are a little annoying.

      But I still love it because at $LastJob I had to have a personal-to-me login for every customer I supported for their VPN, and that…was a lot of customers and passwords. And completely reasonable that they all needed to be different, but argh.

      1. Elizabeth West*

        I have a little thing called A-Z Notebook from Bad Wolf Software at home; I keep all my passwords in it. It logs in with one password. Every so often, I make a backup document of it and encrypt it. My brother has the password to that in case I trip and fall in front of a bus.

  3. Helka*

    Ugh, I feel the information security thing so much. We’re an NBFI, which means that we’re dealing with a lot of sensitive data and info security is understandably a Really Big Deal, but some of our policies are just an enormous roadblock to productivity. “We’re not going to let you see full account numbers!” “But we need those for our function.” “Well if you need them that bad you can request them from your manager.” “For every single case we work?” “Well ok but you can’t print them out.” “But… we need to do that sometimes.” “Well then you should open up a screenprint of the letter you’re going to send, manually truncate the information, then print the screenprint and fax it.” “…. Are you for real?”

  4. LaraW*

    We use mnemonic devices for our passwords. Kind of a sentence based on what that thing is, and 1st letter from each word. Easy to remember and does not usually require being written down. Easy to add in numbers (to/2) or characters (S/$).

    1. AndersonDarling*

      Since our passwords change 4 times a year, I use passwords that have seasonal keywords. So right now I have an autumn keyword + a character I associate with leaves + a number I associate with shorter days. Next I’ll use my winter password keys. It’s like Katie Brown-ing a crafty password.

  5. Brett*

    All those information security measures seem annoying… until you get hacked.

    We were nailed last year. Someone hacked our health insurance provider and used that information to hack our internal employee records.

    End result… over 40% of employees had their identity stolen. Many of them had their retirement and brokerage accounts emptied and wired out of the country (which means the money was lost for good and they had no way of getting the funds back since those accounts are not insured). Many more had new loans taken out in their names in foreign countries, which is a nightmare to clear up. Nearly everyone ended up flagged by ChexSystems, yet another nightmare to clear.

    1. VintageLydia USA*

      I think information security is a good thing, but complicated procedures/passwords WILL be circumvented by users whenever possible. There is a lot more back-end security that companies and government agencies can do that doesn’t make things difficult for users, but those tend to be more expensive solutions. All the decision makers see are the dollar signs. They would much rather pay for a cheaper system than an effective one. Most of the major hacks aren’t a result of someone getting a hold of someone else’s password, but of exploiting flaws in the system.

    2. Miles*

      With the frequency various companies are getting hacked these days, it seems like the only way to be safe is to not give out your information.

    3. Elizabeth*

      “Someone hacked our health insurance provider and used that information to hack our internal employee records.”

      I bet I know which health insurance provider. They lost over 400M records and had to quit processing claims for a couple months. Then blamed care providers for delays.

    4. Violetta*

      Wait… how is the bank or whatever institution was managing their retirement/brokerage accts not in the least held responsible for not flagging any of that as suspicious activity? They’ll call you if your credit card is used in an unusual location but not if your entire life savings are wired there?

  6. Mike C.*

    So speaking of security and system access – apparently Twitter fired a bunch of people today and they only found out because they were locked out of their work accounts.

    Classy!

  7. Brett*

    So, looking at “No more forever projects”, I am wondering how this works for maintenance tasks. Do you just chop them down into small projects and make new ones as you finish old ones?

    As an example, say your team has a task of updating the list of addresses used by 911. This task never really gets done; there will always be new addresses every day and more address corrections than you can finish in a day (so that the correction list pretty much constantly grows over time).
    Do you just create a new project for a set time frame, finish that one, and then immediately start a new one?

    1. Mallory Janis Ian*

      I was trying to imagine “no more forever projects” in the context of a university setting, as well. So, for example, we finish up the honors banquet seating chart or the commencement line-up and pretend that whether or not to do it again next spring is a delightful choice that we get to make?

      1. Chinook*

        “So, for example, we finish up the honors banquet seating chart or the commencement line-up and pretend that whether or not to do it again next spring is a delightful choice that we get to make?”

        I think it is something that needs to be reevaluated each year to make sure it is something you should be doing. The commencement line up may be a no brainer to be repeated but you may end up looking back and realizing that the honours banquet would work fine with a seating chart only for the head table. I honestly think every routine project/activity should be evaluated when completed so that you could look at lessons learned and whether or not there is value to it.

        1. Mallory Janis Ian*

          You’re right. We do tend to think of all our annually-occurring events as set in stone to be repeated again and again each year. I, for one, would love to see the honors banquet as not even a sit-down dinner, but more of a stage event followed by a reception with heavy hors d’oeuvres.

    2. Chinook*

      “So, looking at “No more forever projects”, I am wondering how this works for maintenance tasks”

      I can see it as re-evaluating if those maintenance tasks are truly required maybe once a year. I did this with my volunteer group when I became president – I told them every activity we do has the potential to be cancelled if we don’t have the volunteers or, when we debrief after, if the effort and/or money it costs isn’t worth the result, and I didn’t care if it was how we always did it. There were a few clutched pearls but it was incredibly freeing to be able to tell the rummage sale organizer that she had the power to cancel it if she didn’t get the help she needed. Turned out that that threat was enough to have people start stepping up because it was important to them. Giving your people the power to say no means that you are also giving them the power to prioritize other things that may have been shoved to the side because they are too busy.

      1. Beezus*

        That, and making sure you have the process streamlined, documented, and cross-trained, so you can give it away or get help, if necessary. Design it assuming that someone else will have to do it someday. There’s something about being the Only One Who Knows something that’s kind of a burden and weighs you down. Making it shareable is freeing. A side benefit that I’ve noticed, is that I’m far less likely to design a difficult, convoluted process when I’m thinking about someone else having to do it someday, than when I am designing it for myself – I am waaaay less likely to set someone else up to fail.

      2. Anon for this*

        Or reevaluating who does it or how it’s done. Maybe it’s something that absolutely has to be done, but it makes sense to have someone else do it or to change the way it’s done.

  8. Holly*

    With our new, beefed up internet security measures, every other website is blocked, which is super fun when you’re looking up stock images for a major presentation for one of your leaders and the only way to actually get to an image is to unplug the computer from the network entirely. Also, Alison, sometimes AAM is blocked if the keyword “job search” appears somewhere. Which I guess kind of makes sense, but made me laugh and wonder if I’m on a list somewhere now.

  9. Karina Jameson*

    This is timely. I just got this text from my husband:
    “I love our IT department. I can shop for a rental car, I can purchase a rental car, but I cannot print the voucher because that’s considered ‘shopping.’”

    It is my experience that most IT departments are full of control freaks that try to prevent people from getting work done. They will block the most insane things, like they’re the damn police.

    1. Nashira*

      That’s more likely to be upper management’s fault than IT’s. Yes, IT implements, but they’re usually quite happy to agree that something’s bull poop even though they can’t change it.

    2. Elle the new fed*

      Are you sure it’s IT making those decisions or rather some higher up who thinks that should be blocked? I’ve found it’s not usually the IT dept.

  10. Vera*

    I have weekly meetings with my employees, and find that it is really helpful to make sure we’re aligned on priorities. I just hope they feel the same.

  11. Slippy*

    Well I see a great deal of complaining about password policies so here are some solutions.
    #1 Encourage your organization to move to 2-factor authentication.
    #2 After you do #1 transition to single sign-on.
    That should help ease the pain. However the irony is that while users complaining about password policies make a lot of noise, they usually have only themselves to blame due to the propensity for people to pick easily guessable (read that idiotic) passwords. For reference please google “top 10 most common passwords 2014”.
