Ofcom Do Security

Jon Ribbens jon+ukcrypto at unequivocal.co.uk
Fri Aug 6 11:28:49 BST 2010

On Fri, Aug 06, 2010 at 08:23:13AM +0100, Francis Davey wrote:
> On 6 August 2010 08:00, Ian Batten <igb at batten.eu.org> wrote:
> > The end result is that their elaborate password "security" is reduced to the
> > password on my email account, which they cannot know the strength of,
> > because I am resetting for every purchase.  I've complained, but they
> > haven't had the courtesy to do more than forward it to their developers.
> > Guidelines for systems handling sensitive personal data or protectively
> > marked material are I think less stringent.  It's a classic case of letting
> > the geeks play at security without actually thinking about usability issues.
> This was (roughly) the casus belli that caused me to give up my career
> as a sysadmin.
> A new boss had appeared in the firm - the "deployment manager" - but
> we weren't quite ready to deploy so he was bored and had nothing to
> do. He was given my team to manage and managed to do considerable
> damage in his short career.
> One day he breezed in and said "right, we are going to have a password
> system that resets everyone's password on the first of each month and
> that will store all previous passwords and prevent you from re-using
> any". He absolutely could not see any problem with this.

Well this matches my suspicion, contrary to what Ian assumes above,
that most of the time that such stupid anti-security policies exist
they have come from management and not from the "geeks".