In a recent thread in the Reddit community r/sysadmin, an anonymous IT pro made a pretty frightening confession: their manager keeps a paper list of all employee passwords, treating the IT pro to a brutal day of writing reports and dealing with HR.
Reddit is considered the “front page of the internet,” and whether you’re after cutting-edge cat memes or useful insights on password security, there’s something for you in the 11,464 active Reddit communities as of this writing. IT pros have taken to Reddit in droves to discuss the latest trends, solve problems with the help of outside perspectives, and, in the case described above, commune over this problematic individual freely accessing the accounts of others.
Considering that the latest information security research indicates that 63 percent of data breaches involve weak, default, or stolen passwords, it’s pretty frightening stuff. And as it turns out, when you put security pros and other IT enthusiasts behind Reddit’s layer of anonymity to discuss an incident, brilliance ensues. The following exchanges on password security are definitely raw and unfiltered, but still worth the read.
While the idea of 42 employee passwords floating around an office on a piece of physical paper is cringe-worthy, Redditors immediately identified that storage wasn’t the real issue—at least not from IT’s perspective.
336 upvotes don’t lie, and the community members backed user Jordo_99 when he identified that “someone in the company is able to operate a computer under the identity of multiple people … [and] the fact that these identities handle 6–7 figure transactions makes it incredibly dangerous too.”
The nightmare in this situation is the sheer lack of accountability. Whether the manager had actually used any of the stored credentials wasn’t the issue—it was the fact that every transaction made by his team would (and should) be subject to scrutiny, because nothing in the logs could prove which person had actually performed it. The danger of this situation is why no person, IT admins included, should ever be exempt from some form of accountability.
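The accountability problem above has a detectable footprint: one workstation successfully authenticating as several different people in a short span. The following detector is an added example written for this article, not code from the Reddit thread; the log format (`user=`, `src=`, `result=`), the sample lines, the ten-minute window and the three-identity threshold are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log. The "user=... src=..." layout is an
# assumption for this example, not the format of any particular product.
SAMPLE_LOG = """\
2016-03-04T09:01:12 login user=alice src=WS-MGR result=success
2016-03-04T09:02:40 login user=bob src=WS-MGR result=success
2016-03-04T09:03:05 login user=carol src=WS-MGR result=success
2016-03-04T09:15:00 login user=dave src=WS-DAVE result=success
2016-03-04T10:30:22 login user=erin src=WS-ERIN result=failure
2016-03-04T11:00:00 login user=frank src=WS-MGR result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the sample format into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def find_shared_sources(events, window=timedelta(minutes=10), min_users=3):
    """Return {source: sorted user list} for every source host that successfully
    authenticated as at least `min_users` distinct identities inside one sliding
    window. One person switching between several accounts from one workstation
    is exactly the pattern the thread describes; a genuine shared kiosk would
    need to be allow-listed by the analyst."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "success":
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                findings[src] = sorted(users)
                break
    return findings


if __name__ == "__main__":
    for src, users in find_shared_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(users)} identities in one window -> {', '.join(users)}")
```

Only successful logins count, since failed attempts say nothing about who is acting under which identity. Widening the window and raising the threshold trades sensitivity for noise; run it against a day of real logs before deciding on values.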
2. Password security is not about trust
One user vented that it was difficult to get people outside of the profession to understand that passwords, or some form of account security, are paramount to a digital identity. As they pointed out, “It really has nothing to do with trust. Not that kind of trust, anyway.”
Password management is now identity management. Regardless of how many or how few regulatory requirements your organization is subject to, shared passwords immediately equal identity confusion. While the user conceded they were “preaching to the choir,” their frustration could highlight a real challenge for IT pros: communicating to end users that sharing a password is about far more than whether you trust the other person.
3. Reward reporters
Several Redditors expressed some serious concern that the whistle-blower who reported the password-storing manager would be socially punished, and encouraged a reward for their report. While the anonymous poster clarified that they would be rewarded, one Redditor pointed out that, “Not knowing about this could easily have cost the company millions. Considering the COO is already a part of this exchange, I’d personally consider this something worth recognition in the high 4-digits.”
As it turns out, the Redditor was on to something. Research indicates that actions to change employee behavior can reduce the risk of a security breach by 45–70 percent. However, security awareness training doesn’t always work, and social pressures to do right by a “loved” manager can speak louder than company policies. Fiscal rewards for reporting might not be the right answer for everyone, but it’s certainly one way to encourage password security compliance.
4. 5up3rM@N isn’t a good password
A debate ensued about how unsophisticated users may still think that “5up3rM@N” is an adequate password in 2016. While it’s certainly a stronger barrier than many default passwords (see: the prevalence of “password” itself), one user highlighted why passwords that meet basic criteria aren’t always sufficient.
Just because a password meets the bare minimum of numbers or special characters doesn’t mean it’s infallible. In fact, as one Redditor wrote, even a decent password “should not be re-used among important accounts, and should not go permanently unchanged when it’s an admin-level account or account with purchasing power.” At many organizations, there are still miles to go before end users can really understand the difference between a decent password and truly secure password practices.
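To make the point above concrete, here is an added example (written for this article, not code from the thread) of a password check that goes beyond the bare-minimum complexity rule: it reverses common character substitutions before a dictionary lookup, compares the candidate against other accounts’ salted hashes to catch reuse, and enforces a maximum age only for privileged accounts. The tiny word list, the PBKDF2 round count and the 90-day limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached/common-password list. A real check
# would consult a large corpus rather than five words.
COMMON_WORDS = {"password", "superman", "welcome", "letmein", "qwerty"}

# Reverse the usual "leetspeak" substitutions so that 5up3rM@N -> superman.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

PBKDF2_ROUNDS = 50_000  # illustrative value; tune for your hardware


def meets_complexity(pw):
    """The 'bare minimum' rule: 8+ chars with upper, lower, digit and symbol."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ])


def dictionary_hit(pw):
    """True when the password is a common word dressed up with substitutions."""
    base = re.sub(r"[^a-z]", "", pw.lower().translate(LEET_MAP))
    return base in COMMON_WORDS


def make_record(pw):
    """Salted PBKDF2 record (salt, hash) as another account's store would hold it."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def reused_elsewhere(pw, other_records):
    """Check a candidate against other accounts' salted hashes without ever
    holding those accounts' passwords in the clear."""
    for salt, digest in other_records:
        candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def evaluate(pw, other_records=(), privileged=False, age_days=0, max_age_days=90):
    """Return the list of reasons a password is unacceptable (empty list = accepted)."""
    reasons = []
    if not meets_complexity(pw):
        reasons.append("fails minimum complexity")
    if dictionary_hit(pw):
        reasons.append("is a common word with character substitutions")
    if reused_elsewhere(pw, other_records):
        reasons.append("is reused from another account")
    if privileged and age_days > max_age_days:
        reasons.append("privileged password unchanged for %d days (limit %d)"
                       % (age_days, max_age_days))
    return reasons


if __name__ == "__main__":
    for pw in ("5up3rM@N", "password", "correct-horse-Battery-9"):
        print(pw, "->", evaluate(pw) or "accepted")
```

Note that “5up3rM@N” passes `meets_complexity` and is rejected only by the normalised dictionary check, which is exactly the gap the Redditor described. The reuse check deliberately works from salted hashes so the policy engine never needs anyone’s plaintext password.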
5. IT failed, too
While there’s no question that this is a story of a manager blatantly disregarding company policy, there was some IT failure here, too. As the original poster admitted, their previous system of two-factor authentication consisted of “their desk phone being called” and the manager answering it. This IT department would spend the days after the security incident changing the policy to incorporate true two-factor authentication for security, which included employee-owned mobile devices, and possibly “a [public key infrastructure], physical smartcard, [or] a secret PIN.”
Even IT can fall into the trust trap, as it turns out. For organizations where biometric sensors aren’t an option, plenty of options remain for improved security beyond a system that’s easily cracked by rule-breakers.
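A desk phone that the manager can simply answer is not a second factor in any meaningful sense; a code generated on the employee’s own device is. The following is an added example (not code from the thread or the poster’s organisation) of the standard time-based one-time password scheme (RFC 6238, built on RFC 4226 HOTP) that authenticator apps implement, together with the server-side check that tolerates a little clock drift and refuses to accept the same code twice. The secret used in the test is the published RFC test vector; the one-step drift window is an assumption.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def provisioning_secret():
    """What the enrollment QR code carries: base32 of a random 160-bit key."""
    return base64.b32encode(os.urandom(20)).decode()


class TotpVerifier:
    """Server-side check for a code typed from the user's phone. Accepts up to
    `window` time steps of drift either way and rejects replay of a time step
    that has already been consumed."""

    def __init__(self, secret, step=30, window=1):
        self.secret = secret
        self.step = step
        self.window = window
        self.last_accepted = -1  # highest counter value already used

    def verify(self, candidate, at_time=None):
        now = int(time.time() if at_time is None else at_time)
        counter = now // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_accepted:
                continue  # replay, or older than a step already consumed
            if hmac.compare_digest(hotp(self.secret, c).encode(), candidate.encode()):
                self.last_accepted = c
                return True
        return False


if __name__ == "__main__":
    secret = base64.b32decode(provisioning_secret())
    code = totp(secret, time.time())
    print("current code:", code, "accepted:", TotpVerifier(secret).verify(code))
```

The replay guard matters as much as the HMAC: without it, anyone who saw a code over a shoulder could reuse it for the remaining seconds of the time step. The shared secret is the thing to protect on the server side; it should be stored with the same care as a password hash database.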
Passwords are more than just a string of letters, numbers, and special characters that meet minimum criteria. They’re the gate between your end users and your IT infrastructure, and like any gate, they can be broken. You may never be as unlucky as the system admin who posted on Reddit about their worst Friday ever, but many lessons can be learned from their story.