Two-Mask-Tony has famously decreed that if one mask is good, two masks
is better. I figured out where he got the notion: from software
security people.

My password to remotely log into the work computer is the same password
as I use to log into the various software programs on the work server.
What’s the point of every program having a password if they’re all the
same? Since I know the password to get into the computer itself, I know
the password for everything else, too.

It’s as if they expect to thwart some cartoon villain tapping on my
keyboard. “Dammit, I made it through the first nine passwords, but now
I can’t get into the timesheet system to report my hours for payroll.
Curses, foiled again!”

Joe Doakes
I’ve cracked wise about this in the recent past.
It’s easy to design “perfect” safety: wear ten masks, and never leave the house!
The costs of that approach never seem to enter these peoples’ thinking.
Perhaps because it costs them nothing.
Perhaps the government should provide everyone a hazmat suit.
FREE, of course.
I believe the correct reference is to Tony “Two Masks” Fauci.
JD, having one password for everything would be considered a pretty big problem security-wise. If/when someone gets one login, they get them all. Also, it makes for a lot of work if/when you do (need to) change a password, because now they all have to change. You would be better off having a variety of passwords that you write down in a notebook or something.
I have seen pocket-sized books that you can keep your login information written down in. In fact, I have one. Obviously, I write everything in pencil, because I change them all every 45 – 50 days, which was drilled into me while I was in IT security. It’s getting harder and harder to come up with new ones. Those random password generators seem to be somewhat suspect, especially after four friends had accounts hacked after using one.
I go through this comedy routine with the IT people all the time. It never gets old.
“Your password must be at least 10 characters including at least one digit and one special purpose key, but cannot contain whole words and should not be anything related to you such as birthday or street address.”
“So, you want me to select a completely meaningless string of symbols? How will I remember it?”
“Just memorize it.”
“And a different one for each software program?”
“Yes.”
“Not going to happen. I’ll just write them down on a Post-It under my keyboard.”
JD (and boss), yes, what you describe is actually another pretty big problem security-wise. Making people change their passwords as often as four weeks (although six seems typical) is dumb. Especially when they put conditions like “cannot contain whole words” or that you can’t re-use (i.e., recycle) old passwords. The control freaks that run IT are simply unable to fathom that highly and pointlessly secure passwords will inevitably be found on a Post-It note somewhere in the cube/office.
I do know that many banks and other financial entities are now moving towards 2-factor authentication (i.e., they call/text you to get a PIN). In these cases, they don’t expire passwords because it’s only used to invoke the text/call. Heck, even Social Security uses 2-factor.
jdm,
Once again, from my IT security stint, I use two-factor authentication on several of my accounts. If it’s offered, I use it, especially on financial accounts. I belong to the joint corporate IT and FBI cybercrime task force organization, which has used TFA for years. Social Security also uses it.