#38 Posted: 2012.04.27 10:54
When I worked for a para-military company, we quickly learned that reusing passwords was good only in the programmers' heads.
People would do the IMPOSSIBLE to circumvent it.
1) In the beginning they would just add a "1" after the password.
2) Requiring certain characters, they just added their birth year at the end of the password.
3) Requiring a minimum length, they just copy-pasted their own name twice.
4) Reusing the passwords, they just added incremental numbers or a combo of the above or the month of the changed password.
When we made filters to screw them up on the above, they started writing the passwords on Post-its attached to their monitors.
When we involved their bosses to force them to stop doing that, all went suddenly quiet for 2-3 months.
We could not believe we had won against the End Users.
We could not have been further from the truth, in fact.
A parent company team of inspectors came for a routine control and guess what they found?
The end users ALL opened the same Excel sheet one of them originally created. That Excel sheet had the full user names and passwords of the 1200 employees, all in clear of course.
So, instead of better security, we achieved a huge piece of sh!t.
Heads fell, reprimands were made, everything settled down.
2 more months of utter silence and guess what, one morning I randomly pass close to an End User and my eyes and my ********* fell to the floor together.
They - the End Users - somehow created an MS Access forms "application" including the passwords (in clear of course!!!) of every employee, for multiple applications AND with a search engine to make it easier to find and copy / paste them!