Hawaii Emergency Management Password Found In Press Photo

So you use a password manager, either online (like LastPass) or on a thumb drive (like KeePass). Writing it down for public display is never a valid solution.

I agree, but I'm sure they wouldn't want me using a 3rd party password manager either. Where this guy below works, I'm sure that a password manager would get you fired.


We have a simple policy where I work.

If you write down a login or password, then you will be terminated immediately. I also clear all cookies so none can be remembered for the user. Yes, it makes my life a pain sometimes, but I am not going to have my job compromised by some numpty.

Everyone aware of that sticky should be fired.
 
Quite right. I do not allow password managers in the building. Those are just another security hole looking for a place to happen.
 
It would be your prerogative not to hire me. However, I think passing up an opportunity to hire someone who might actually be very good at what they do (yes, even a little cocky about it) is a mistake. If someone walks into my office with that level of confidence, the first thing I want to know is why they are so confident. Not to sound passive-aggressive, but that is just the way I roll. How you roll is up to you.

Oh, I am in the same boat as far as keeping up logins and passwords. No way am I going to remember 25K of them. I have written some programs which manage that information in an encrypted form, with the decryption key being hidden away. The only time I recall ever having to access it occurred when someone left the company.

As the one who has to make the decisions on how things are done, I am a hard nosed arse when it comes to following protocols I have established. I also have an open door to anyone who has any ideas on how to do things better.

Everyone in the company knows (via training) writing a password down or recording a credit/debit card number is basis for immediate termination.

I'm all about security, as I've seen entire facilities shut down due to people's lack of concern for it. (One is an employee allowing someone to tailgate into an access-controlled area, and they promptly walked off with a PC with PII on it. I was blamed as I was responsible for locking machines to desks, but John Q Law didn't agree as I had 3 POs that showed the company declined my lock kit requests.)

Going back to my original objection, my basic point is that no matter what you do or how good you think you are, there is always someone better and no system is ever 100% secure. Ever. Heck, they have tech these days that can get data in ways that need no direct connection or access. I certainly don't question how good you are, just the "my systems are bulletproof" mentality.

Of course this is all a moot point for me, as my job was just offshored and I'm looking to change careers now.
 
vegabond, I know for a fact no system is 100% secure. You see my confidence as me showing ignorance. By the way, I am very good at what I do. It is not luck I have never had a system violated.

Remember the DOOM virus in the early 2000's? Thousands of companies were crippled by it. No one in my company even knew there was a problem.

I attend all the Black Hat conferences and any other hacker conference I can go to, just to stay on top of what may be the next challenge in keeping things secure. The only way to combat problems like this is through education. We have to learn what they know. It is a never-ending process, as you are aware.

I also do a lot of other things to keep a network secure, but I am not going to give away the farm. I make a living knowing more than the last guy did.

Sorry to hear your job got off-shored. Companies are idiots sometimes.
 
Quite right. I do not allow password managers in the building. Those are just another security hole looking for a place to happen.

My employer actually has the same policy. But they also provide an on-prem hosted password manager for us to use (only accessible via jumpbox and two levels of 2-factor authentication).
 
To keep it simple and secure I try to enforce with our staff that they simply create a password-protected worksheet. That way they only really need to remember two (one for login, then the file) and the rest can be copy/pasted as needed. As long as we keep the network secure, so are their files. Also makes it a lot easier when the time comes to update or change, and no Post-its or hard copies needed. No third-party password managers, flash drives, etc.

Honestly, for me, the hard part is that people can be idiots. Most people understand that after locking a door you should also take the key out; this is much more difficult to get the average person to understand in the virtual house.
 