Protecting your password

I'd disagree with you JamieP. The responsibility of securing your IT data is yours. With that comes the creation and safeguarding of a secure password.
IT Professionals will from time to time, need access to your IT assets for maintenance purposes. I agree that it should be in their work ethics not to take advantage of their position. So if they are privy to any user's password, they should pro-actively urge the user to change the password immediately. I waged a war on this issue for 2 years before managing to change my IT department's policy to agree to the above.

At the end of the day, it's my laptop, or desktop. It's my data in it. So the responsibility of securing it with a password and in turn securing the integrity and privacy of the password, is mine as well. It's my house. If I lock it, give the keys to the burglar, I can't blame the police.

People need to safeguard their passwords, and IT support need to urge users to update their passwords the moment their work is done.

As IT professionals it is easy for us to say "the job of securing data is your own", we work in the industry and its our jobs!! But realistically, how many users don’t know the first thing about IT security, and securing their data, and will use the easiest password they can get away with.

Re-reading my last post, I think the point I wanted to make came across wrong, I think to better convey my point my last line should have read;

“Password security policies should be lead and enforced by the IT Department”

e.g. if your running an AD based network, and the GP that controls your password criteria is weak, and allows someone to use something like “hello” as a password. When there is a breach, the buck should stop with IT, rather than the user who set their password to hello!

I also feel that if someone in IT needs a users password to access their system, then there is something wrong with the way that system is setup! For two reasons;
1) Why would a users account have permissions to do something that would require a call to IT?
2) Why cant the IT users account access the system?

And if for whatever reason, the IT support person needs to use the users account, I would suggest changing the users password into something generic – “P@ssw0rd!23” - IT support then using that password, and then the user changing it back, or to something different, after the work is finished! This way, it removes the risk of the user having the same password for multiple systems.

Hi JamieP
I would agree with you when you say it is the IT professional's job to make data secure. But an IT professional can't be held responsible for each and every individual user. I am saying this not because I am an IT professional but I am an user. I would add this bit where I strongly belief that it is however, the IT professional's responsibility is to educate the user on how to create strong passwords, and create effective group policies to avoid really weak security (e.g. 'dog' or 'cat' as passwords..trust me I have come across them as well!!!)

I have been on both sides of the fence, as an IT professional providing services to a batch of users, and being the user myself. I have seen both sides of the story and went about making IT policies so that both parties could benefit from them. IT professionals are bound to provide as with a certain level of service, and us users have a responsibility to help them achieve that. Here's some of the stuff I had come up with :

Sermons for Users:
1) Change your password on a weekly or monthly basis
2) Don't leave your screen unlocked when you are away from your desk, lock it. it only takes a combinations of 3 keys!!!
3) Avoid giving your password away. If unavoidable. once the purpose has been served, change it immediately.
4) Backup your data regularly. Ask an IT professional to help you do that as well.
5) Don't use your desktop like a folder by dumping all your files on it. The folder called 'My Documents' is there for a purpose!!!
6) Don't use your company laptop or desktop to surf sites which run the risk of virus attack and worms.
7) Don't watch online videos or download movies while at work. The company laptop/desktop was not given to you for that. The company network is not to be used for such things. ........
The list goes on

Sermons for IT professionals:
1) Send a weekly and monthly broadcast to all users to change their passwords
2) Create a strict policy to only except strong passwords
3) Do regular backups of all centralised data and roaming profiles.
4) Block all social networking websites like Facebook and Twitter etc, specially websites like Youtube which have video content, and also block instant messaging systems.
5) Run proxy reports on users for download usage. If there is someone using a lot of download bandwidth, cross reference sites he/she is visiting. If you think the sites have nothing to do with work, then bring it to the notice of his/her line manager.
6) Ensure all IT assets being used are up to date and in working condition......
And this list went on as well.

You see, I went about sorting out both the parties on either side of the fence. But I would still argue that data security belongs to the owner of the data.

you make some very good points

we have just recruited a new information manager where i work (your not him are you....) and hes reviewing alot of the password procedures at our work - luckly its outside of my remit, i only deal with things that have a CLI and deal with transmitting packets

HAHAHA. Not really. If I was your new Information Manager, someone would have told me I have a new job!!!

It's just that I had the fortune to spend time in servitude of IT asset users, so I can understand what it feels like to be one.

All I can say is that, when I become a normal user, I was most appreciative of their work.

I have read meaningful contributions

we just rolled out a business application interconnected on more than two thousand systems. for a start the users need a
lot of support. Like i said in some cases they will have to log in fifteen times on a spot. I got tired of looking the other way. in some cases they punch before you look the other way. with their passwords you can do a lot of harm. I think in this case it rest on the tech to choose to be a good or bad guy. But crime doesnt pay, and its a matter of time, you will get caught. we were taught to be law abiding citizens from a very early age, if you choose to wear the wrong hat you will have yourself to blame. honesty last forever.