Security control on computer accounts
April 14, 2012
Password quality control - a must.
In a previous post I discussed the password change frenzy. Continuing on the subject, I’d like to discuss password quality control.
Illegal!
Some people are clearly shocked by the fact that in the old days at the university in Leuven, password cracking software was used to verify the quality of the passwords in our department. Every time I have told the story, people (especially IT people) have taken me aside and whispered carefully in my ear: “you know, that’s illegal...”.
Well, that may well be, but I think it is a ‘must have’, not a ‘nice to have’. If there is legislation prohibiting that, then the legislation is wrong and should be changed!
Our cleaning ladies...
I’m a big fan of our cleaning staff. Not only do they perform the daunting task of cleaning up the mess we make every day, but they do it with such passion and enthusiasm that it makes me forget about the small setbacks I experience every now and then in my job. The cleaning staff, i.e. ladies only (which explains the passion and the enthusiasm, I guess), is very diverse. We have the silent and kind type, we have the ever-ranting type, we even have the wise type (think of Dilbert’s garbage man). Still, they all have one thing in common: they take their job very seriously, you can ask them anything, and if you show them some respect, they return the same respect and kindness. Very often, they manage to turn a mediocre day of mine into a really good one.
Even if the cleaning lady does not clean my office beyond emptying my trashcan, she still performs a set of standard tasks every night: she checks whether I closed my window, switched off the lights and locked my door. If I forget to do any of those three things, the next day she will kindly remind me: “please Mr. Daems, you forgot to close your door last night. Please, make sure to lock it every night, if not, things might get stolen and maybe you will point at me for taking some things from you. I wouldn’t like that to happen.” Now, this I would never do. I trust our cleaning ladies to such an extent that I will never point at them if anything is stolen. However, she is very right to alert me to be more cautious. Therefore, I thank her extensively if she had to lock the door after me again.
Honestly, I rarely forget to lock my door. Thanks to the cleaning lady.
Back to computer accounts
Now, wait... what does this nice story have to do with security control on computer accounts? Everything. The reason my door is closed every night is the cleaning lady who checks on me. I expect our IT department to be very much like the cleaning lady: to check on how I’m doing with respect to security. Needless to say, ‘asking me to change my password every three months’ is not the right way. The cleaning lady does not ask me to change my lock every three months either.
Seriously, in the very same way that I trust the cleaning lady, I’m willing to trust the IT department to check on me without browsing through my personal stuff or infringing my privacy. They have root (or admin in windoze terminology) access anyway, so why not take it a bit further and ask them to make sure that we pick good-quality passwords. The classical password-strength checkers are not sufficient. They are too easily fooled: a checker that only counts length and character classes happily accepts something like “P@ssw0rd1!”, which any cracker equipped with a dictionary and a few leet-speak and suffix rules recovers in seconds. Only an offline check that actually tries to crack the stored password hashes, the way an attacker would, tells you whether a password is good. I’d even like to take it a little bit further: why not ask them to alert us on strange file or database permissions (alas, a lot of Microsoft Windows users are no longer aware that such a thing as permissions exists, let alone that they can be inappropriate).
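To make the difference concrete, here is a small added example (written for this page, not code from the original post or from the Leuven department): a classical rule-based strength check side by side with a toy offline cracker that hashes dictionary words under a handful of mangling rules and looks each account’s hash up against the result. The wordlist, the rule set, the suffix list and the four accounts with their SHA-256 hashes are all constructed for the example; a real audit would use the system’s actual hash format and a proper tool such as John the Ripper or hashcat with far larger wordlists and rule sets.

```python
import hashlib
import itertools

# Constructed sample data (not from the original post): a tiny wordlist and
# the SHA-256 hashes of four accounts' passwords, as an auditor with root
# access could dump them from the password store. SHA-256 is used only to
# keep the example self-contained; real systems use salted crypt(3) hashes.
WORDLIST = ["password", "welcome", "leuven", "dragon", "summer"]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


ACCOUNT_HASHES = {
    "alice": sha256_hex("P@ssw0rd1!"),      # classical checker calls this strong
    "bob":   sha256_hex("Welcome123"),      # likewise
    "carol": sha256_hex("leuven"),          # classical checker rejects this one
    "dave":  sha256_hex("fR7!kq2Zv9#mLp"),  # genuinely strong
}

# Assumed mangling rules: leet substitutions and common suffixes. Real rule
# sets (hashcat/John) are far larger; these are enough to show the idea.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "1!", "2012"]


def classical_strength_ok(pw):
    """The kind of rule a typical login form applies: at least 8 characters
    drawn from at least three of the four character classes."""
    classes = (any(c.islower() for c in pw) + any(c.isupper() for c in pw)
               + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))
    return len(pw) >= 8 and classes >= 3


def mangle(word):
    """Yield the variants a cracker's rule set would try for one dictionary
    word: three casings, every combination of leet substitutions, and the
    common suffixes."""
    for base in {word.lower(), word.capitalize(), word.upper()}:
        # For each character, the choice is "leave it" or "leet it" (if possible).
        choices = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in base]
        for chars in itertools.product(*choices):
            stem = "".join(chars)
            for suffix in SUFFIXES:
                yield stem + suffix


def audit(account_hashes, wordlist):
    """Offline password-quality check: hash every candidate once, then look up
    each account's stored hash. Returns {user: recovered_password} for the
    accounts whose password a cracker would find."""
    candidates = {}
    for word in wordlist:
        for cand in mangle(word):
            candidates.setdefault(sha256_hex(cand), cand)
    return {user: candidates[h] for user, h in account_hashes.items() if h in candidates}


def compare(account_hashes, wordlist):
    """For each cracked account, report whether the classical checker would
    have accepted the password. Returns {user: (password, checker_said_ok)}."""
    cracked = audit(account_hashes, wordlist)
    return {user: (pw, classical_strength_ok(pw)) for user, pw in cracked.items()}


if __name__ == "__main__":
    for user, (pw, ok) in compare(ACCOUNT_HASHES, WORDLIST).items():
        verdict = "accepted" if ok else "rejected"
        print(f"{user}: cracked ({pw!r}); classical checker would have {verdict} it")
```

Run as a script, it reports alice and bob as cracked even though a rule-based checker would have accepted their passwords, carol as cracked (the checker would have caught that one), and says nothing about dave. Two practical notes: the candidate table is built once and every account is looked up against it, which is how real crackers amortise the work over all accounts at once; and an audit like this should only ever hand the user the fact that their password was cracked, never store or mail the recovered plaintext.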
Conclusion
IT departments should run industrial-grade intrusion-detection and password-cracking tools to check on our accounts, our databases and our data security. If there is legislation prohibiting that, then the legislation is wrong and should be changed! If we trust the cleaning lady, why don’t we trust IT?
Posted in Opinions - Tagged IT, password, quality control, Security