

Sharky

Shark Tank

But it seemed like such a good idea at the time

There's a new security policy at this biotech company, reports a pilot fish in the know: When logging in on a PC, the username field will now be blank, and everyone will have to input the name together with the password.

"The policy is announced weeks in advance," fish says. "In spite of this, the first day is painful. A flurry of calls comes into the IT help desk regarding people not being able to log in. One is from a junior member of the payroll department who is about to leave on a two-week vacation -- in fact, her flight is later that afternoon."

"A tech tries to help her over the phone, but apparently she couldn't tell the difference between the username box and password box, in spite of them actually being labeled as such."

Tech volunteers to come to the payroll employee's desk, but she insists her PC is broken and she doesn't have time, and anyhow she'll be gone for two weeks so there's no rush.

So tech does no desk visit, and payroll employee leaves -- but not before she manages to type her password into the username field.

And leaves it there. On a PC whose screen never goes blank, in a cubicle in a high-traffic area.

Tech logs in remotely, confirms that the PC is running correctly and closes the trouble ticket.

"A few days later, confidential information about salaries and benefits shows up posted in public areas and in the cafeteria," says fish. "Apparently, somebody has figured out how to log in as the payroll employee -- it's easy to figure out the username -- and gained access to the payroll server."

One senior researcher finds out from these postings that, although she has been with the company for years, has significantly contributed to crucial projects that helped the company survive, and has put in countless hours of unpaid overtime, she's making 20% less than a junior researcher who arrived fresh from school six months earlier.

Not surprisingly, a firestorm erupts. The tech is reprimanded and almost loses his job. The payroll employee returns from vacation and does lose her job. The irate senior scientist quits, taking a few key subordinates with her, and later sues the company for discrimination.

"The IT department checked in on who had access to the payroll server," says fish. "It seems that whoever accessed it without authorization did so from a common PC in the lab area. The perpetrator was never identified."

Sharky won't identify you either. So send me your true tale of IT life at sharky@computerworld.com. Just like everyone else, you'll get a stylish Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.

Now you can post your own stories of IT ridiculousness at Shark Bait. Join today and vent your IT frustrations to people who've been there, done that.

What People Are Saying

HUH????

This would have to be a really old, old program as I have never seen a password window display the actual password. It's always the "***" or something. They would have to leave their username and password waiting on the computer screen, go on vacation without shutting anything down. So, I call bull on this one.
Someone had to have been watching to record the password or the person left it on a sticky-pad or something and also had their username available. Sounds like this fish might be the perp.

Really old program?

Like Windows 3.1.1, 98, 2000, Me, XP, or Vista maybe ...
They all have the same login box(es)

Uh, uh.

No, read the story carefully:
"she manages to type her password into the username field".
Seems you are having trouble telling "the difference between the username box and password box".

further...

I must admit that this REALLY annoys me when some twit comes along and breezily "calls bull" on a story without taking the time to properly understand the situation. Shades of the IT cowboy approach - "let's just reboot and see if that fixes it".

Be careful what you ask for...

Folks - This story could have come from my own background. First off, every time I get to thinking that I've seen it all, some *MORON comes along and proves me wrong. I have seen recruits stand up in the middle of a live fire exercise because they thought "there was no way you guys could be using live ammo!" (we were). God protects fools and a$$es.

I've walked through the office of a high-security installation and found passwords on post-its. (Or maybe their husband's name is Buffy90210?) As the saying goes, if you make something Idiot-Proof, someone will invent a better idiot.

The collective intelligence is held above mouth-breathing, knuckle-dragging stooge only due to the genius of a few. Einstein was responsible for New York State by himself. No, the fault lies not with our intrepid hero, the fish, but with the reactionary, knee-jerk blame-storming that resulted in fish's reprimand.

And all of this because they wanted to have everyone type in a username. Guess what folks, it's not that hard to do. Anyone that can spell their name well enough to cash a paycheck ought to be able to type it in to do the work.

Sorry, grumpy today. Some idiot cut me off in traffic this morning and made me spill coffee all over the book I was reading.

AD

Play not with bytes, lest ye get bit.

I can see it

Ok, for all of those who do not get it... The user typed their password into the user name field, then left.

Even if the screen saver comes on, what was typed is still there, someone sets something on the desk, bumps the mouse... everyone knows the user's name... voila, security breach.

short version

The short version of this story:

Some moron with the word "security" in their job title or description decides that annoying users by making them re-type their easy-to-figure-out username n times a day is a good idea. Moron's reasoning does not include the potential for any downside effects as a result of this change. In fact, moron does no cost/benefit analysis at all, just does another authority trip and rams the utterly meaningless change through. Uncounted hours of productive employees' time are wasted by moron's actions. A security breach is a direct result and sensitive payroll information is released throughout the company. Everyone but moron gets into trouble.

It's good to be a security moron.

Spooky ...

Okay, that's spooky. I was having the same rant with a co-worker this morning. I don't think most corporations do a cost-benefit analysis before implementing security measures. The corporate computer is so bloated with anti-virus, software firewall, proxy, boot password, encryption, security agent, and various group policy lockouts, it is nearly unusable; the lost productivity on a corporate scale must be enormous. Security has a concept called "accepted risk" wherein a specific risk is evaluated and accepted because it is determined to be less costly than the countermeasure. But it's easier (and less risky to the Security Guy's job) to jam in the countermeasure and say "we'll never know, and that's a good thing."

Quite a Yarn

Well, well, that is quite a nice story. I really enjoyed it.

Security Conscious?

Speaking of security conscious... Why would a payroll clerk's cube be located in a high-traffic area?

I was an operator/programmer for a small manufacturer. I had access to all payroll information EXCEPT the executives. They were paid by the controller. I was also disgustingly underpaid. I trained clerks that made more than I did. I loved the job, but couldn't afford to work there any more.