I had to laugh at the SANS security tip for the day, “Don’t share your password, even with an assistant or close coworker”. It brought back some interesting memories.
For about 17 years I have provided onsite technical support for financial companies, healthcare facilities, government offices, law enforcement, and technology companies.
Many times we would be involved in system upgrades, software upgrades or troubleshooting and needed access to a computer whose user was not there.
Countless times over the years, helpful co-workers, seeing that I was stuck at a login prompt, approached and offered me the missing user’s password. No questions asked about who I was or what I was doing.
Just, “Oh, Fred is out today, he keeps his password taped to the bottom of his chair next to the gum”. Or, “Joan keeps her passwords in a notebook in her top right drawer, next to the payroll data, I’ll get the key”. (Names changed to protect the innocent)
Okay, those were hypothetical examples, but the funniest I can remember that actually happened was in an Engineering department of a large manufacturing company. The user was out on vacation, but that didn’t stop the helpful co-workers. “Oh he uses this name and then just adds random numbers at the end”, said the engineer that sat in the same office.
“No”, another engineer said as he was walking by, “He does use that name, but he uses an incremental number afterwards, starting with one and increments it each time he has to change his password. He is at 10 now”.
“No, I think he is at 8 now,” another engineer said as he walked into the office. “No, that was a few months ago,” the second engineer said. “Just ask Mark, he would know…” So another engineer came in and said, “Thirteen, he was definitely at thirteen.”
It seemed like everyone in the area knew something about the missing user’s password. I was also amazed at how well sound seemed to travel in this department, as there were now four engineers standing in the little office.
I asked the user about this the next day when he was back from vacation. “Oh, I let everyone use my computer.” I had a replacement hard drive for the machine and asked if he had any data on the drive he needed saved. “Oh, goodness yes, I have a lot of CAD drawings I saved locally, important e-mails and also personal files on there…”
Most corporate security policies and regulations nowadays require you to keep your password confidential. But many users don’t. In the SANS tip of the day, a disgruntled worker who knew the password of another user deleted data from the PC before she quit.
I have also heard of cases where people walked away from PCs while they were still logged in and another user came along and used the computer to access restricted information.
What can be done to avoid these kinds of issues? Verify the identity of support personnel before giving them access to your account, and never give out your password. Do not share your password with co-workers, and do not keep it in obvious places, like a sticky note on your monitor or under your keyboard. Also, lock your workstation before you walk away from it, even if you think you will only be gone for a short while.
On most Windows systems you can lock the screen by pressing the Windows key and the “L” key at the same time. This brings up the login prompt while your programs keep running in the background. If that does not work on your system, log out of any confidential applications or sign off the system completely, following whichever procedure your company security policy recommends.
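Relying on every user to remember Win+L is optimistic, so the usual fix is to have the machine lock itself after a period of inactivity. The PowerShell below is an added example, not part of the original post or any SANS material. It assumes a Windows 8 / Server 2012 or later host (the `InactivityTimeoutSecs` machine policy does not exist on older versions), PowerShell 5.1 or newer, and administrative rights for the policy change; the function names are my own.

```powershell
# Added example (not from the original post). Assumes Windows 8 / Server 2012+,
# PowerShell 5.1+, and admin rights for Set-InactivityLockPolicy.

# Lock the interactive session right now. This calls the same user32 export
# (LockWorkStation) that Win+L triggers, via rundll32, so no P/Invoke is needed.
function Lock-Workstation {
    Start-Process -FilePath 'rundll32.exe' -ArgumentList 'user32.dll,LockWorkStation' -Wait
}

# Report whether this machine and this user are configured to lock on inactivity.
function Get-InactivityLockPolicy {
    # "Interactive logon: Machine inactivity limit" (seconds; 0 or absent = disabled)
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $limit = (Get-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
              -ErrorAction SilentlyContinue).InactivityTimeoutSecs

    # Per-user screen saver settings: active, password-protected ("secure"), timeout
    $userKey = 'HKCU:\Control Panel\Desktop'
    $ss = Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        MachineInactivityLimitSecs = if ($limit) { [int]$limit } else { 0 }
        ScreenSaverActive          = ($ss.ScreenSaveActive -eq '1')
        ScreenSaverRequiresLogon   = ($ss.ScreenSaverIsSecure -eq '1')
        ScreenSaverTimeoutSecs     = if ($ss.ScreenSaveTimeOut) { [int]$ss.ScreenSaveTimeOut } else { 0 }
    }
}

# Enforce a machine-wide inactivity lock for every user (default 15 minutes).
# Requires an elevated prompt; the value takes effect at the next logon.
function Set-InactivityLockPolicy {
    param([int]$Seconds = 900)
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name 'InactivityTimeoutSecs' `
        -PropertyType DWord -Value $Seconds -Force | Out-Null
}

# Usage:
#   Get-InactivityLockPolicy          # audit: is anything forcing a lock?
#   Set-InactivityLockPolicy -Seconds 600
#   Lock-Workstation                  # lock immediately, same as Win+L
```

The audit function is the part worth running across a fleet: a machine with `MachineInactivityLimitSecs` of 0 and `ScreenSaverRequiresLogon` false is one where a walked-away session stays open until the user returns, which is exactly the scenario the "restricted information" story above describes. Note that the policy lock still depends on the account having a password; an inactivity timeout on a password-less local account only brings up a prompt anyone can click through.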