Oh yeah. Yeeeears ago, I was contracting for a telecom provider, and as a contractor, the process for getting logins to all the stuff I needed access to was onerous in some cases, nonexistent in others. So the employee who was sponsoring my presence in the building just said I could share his login. "The password is Apr1999!, if you happen to be the first one to log in when it expires, just change it to May1999! and so on, alright?"

It satisfied the uppercase, lowercase, number, symbol, and non-reuse criteria perfectly, while having precisely zero security.

Come to find out, something like a dozen different contractors were all sharing this one guy's login. He was the only reason anything got done in the whole region. The "system", such as it was, worked, but it made a mockery of corporate IT.

A few months into the project, that employee gave his notice and quit. Went to work for the competitor across the street; we'd bump into each other at the diner and stuff. But they couldn't just turn off his login -- his manager understood that all the contractors were using it, so they just left it active, and whoever got the expiry prompt would dutifully update the password every month...




If you make the system secure but unusable, the users will find a way to make it usable but insecure.


But changing the password every month doesn’t make it any more secure.

Passwords don’t really have an expiration date if they are secure (as in long enough and not reused) in the first place.
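The two comments above make a concrete, checkable point: a composition-and-rotation policy (upper, lower, digit, symbol, no exact reuse, change every month) is fully satisfied by the Apr1999! / May1999! sequence from the first comment, while a policy built on length, a pattern blocklist and a similarity check against previous passwords rejects every step of it without needing an expiry date at all. The following is an added example written for this page, not code from any commenter or from the telecom's IT system; the rotation sequence is constructed from the story, the month-plus-year regex, the 12-character minimum and the edit-distance threshold of 4 are my own assumed parameters, and the second policy is in the spirit of NIST SP 800-63B rather than a transcription of it.

```python
import re

# Constructed sample: the monthly rotation scheme described in the thread.
ROTATION = ["Apr1999!", "May1999!", "Jun1999!", "Jul1999!"]

# Assumed pattern blocklist: a month name (abbreviated or full) followed by a
# 2- to 4-digit year and optional trailing symbols, e.g. "Apr1999!" or "April99#".
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
MONTH_YEAR_RE = re.compile(r"^(?:%s)[a-z]*\d{2,4}[^\w\s]*$" % "|".join(MONTHS),
                           re.IGNORECASE)


def composition_ok(pw, history):
    """The classic corporate policy from the story: one of each character
    class and no exact repeat of a previous password. Returns (ok, reason)."""
    if pw in history:
        return False, "exact reuse"
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    if not all(classes):
        return False, "missing character class"
    return True, "ok"


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sensible_ok(pw, history, min_len=12, min_distance=4):
    """A length-and-blocklist policy (assumed thresholds): reject predictable
    month+year strings, short passwords, and anything within a few edits of a
    previously used password. No expiry date is involved. Returns (ok, reason)."""
    if MONTH_YEAR_RE.match(pw):
        return False, "month+year pattern"
    if len(pw) < min_len:
        return False, "too short"
    for old in history:
        if levenshtein(pw.lower(), old.lower()) < min_distance:
            return False, "too similar to previous"
    return True, "ok"


def audit(policy, sequence):
    """Feed a rotation sequence through a policy, accumulating history as the
    story's contractors did month by month. Returns the list of (ok, reason)."""
    history, results = [], []
    for pw in sequence:
        results.append(policy(pw, history))
        history.append(pw)
    return results


if __name__ == "__main__":
    for name, policy in (("composition", composition_ok), ("sensible", sensible_ok)):
        for pw, (ok, reason) in zip(ROTATION, audit(policy, ROTATION)):
            print(f"{name:12s} {pw}: {'accept' if ok else 'reject'} ({reason})")
```

Running it shows the composition policy accepting all four rotations and the second policy rejecting all four on the pattern check alone; the similarity check is the backstop for variants the regex does not cover, since May1999! is only three edits from Apr1999!. A long unpredictable passphrase passes the second policy regardless of how many months it has been in use, which is the point the comment above is making.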


> but it made a mockery of corporate IT.

Isn't corporate IT recursively defined as being a mockery of corporate IT?



