I once heard a person complain that developing the perfect complex password was the only way they could express their individual creativity in the homogeneous, locked-down, soul-crushing corporate prison of the standard operating system environment. Having attained the right combination of capitals, symbols, numerals and whimsy, they were loath to change it to something else after the three-week time limit had expired. Their reluctance was partly due to the effort required in remembering yet another complicated password, a task that can seem somewhat Sisyphean, and partly due to a fear that they would never again attain the level of creative ennui that had produced their current password.
So how can we regularly create and remember complex passwords that are unintelligible enough not to be guessed by someone who knows us, or replicated by someone who briefly catches a glimpse of us typing it on our keyboard? The answer is that we probably can't. Passwords are, to mangle a quote from Churchill, a terrible solution to the problem of authentication, except for all the other ones we've tried.
Systems administrators are the worst when it comes to not changing their passwords. This is because they are the only people on the network who can ignore password policies and configure their own accounts so that their passwords never have to be changed.
When I was a new hire as systems administrator at one workplace, I was approached by a contractor who asked me to reset his password rather than having to go through the lengthy password reset process with the helpdesk personnel. At that moment my phone rang, and I asked the contractor to come back in a few minutes. When he returned he said not to worry about resetting the password because he had handled the matter. I asked him how he had resolved the problem. It turned out that the previous systems administrator had told him his password. Policies were so lax at this workplace that the previous systems administrator had not only never changed his password after telling the contractor what it was, but the systems administrator's account had not been disabled once he left the organization. Needless to say, I fixed this security issue rather quickly.
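The two gaps in the story above (an administrator account exempted from password expiry, and a departed administrator's account left enabled) are both visible in a Unix shadow file, so they can be audited rather than discovered by accident. The script below is an added example, not code from the original post: it parses a constructed shadow-style dump (placeholder hashes, invented usernames) and flags accounts whose password never expires, accounts on a constructed leaver list that are still enabled, and passwords that have not been changed for longer than a chosen threshold. The leaver list, the reference day and the one-year threshold are all assumptions for the example.

```python
"""Audit a shadow-style password file for expiry exemptions and stale accounts.

Shadow fields: name:hash:lastchange:min:max:warn:inactive:expire:reserved
lastchange is days since the epoch; an empty max field or 99999 means the
password never expires; a hash prefixed with '!' or '*' is a locked account.
"""
from dataclasses import dataclass

# Constructed sample, NOT a real /etc/shadow. Hash values are placeholders.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERHASH:19000:0:99999:7:::
admin:$6$PLACEHOLDERHASH:18500::::::
contractor:$6$PLACEHOLDERHASH:18900:0:90:7:::
olduser:!$6$PLACEHOLDERHASH:17000:0:90:7:::
svcbackup:*:18000:0:90:7:::
alice:$6$PLACEHOLDERHASH:19100:0:90:7:::
"""

# Assumed leaver list (in practice fed from HR or the identity system).
DEPARTED = {"admin", "olduser"}

NEVER_EXPIRES_MAX_DAYS = 99999
STALE_AFTER_DAYS = 365          # assumed policy threshold for the example
REFERENCE_DAY = 19200           # assumed "today", in days since the epoch


@dataclass(frozen=True)
class Finding:
    user: str
    issue: str


def parse_shadow(text):
    """Split shadow lines into field lists, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append(fields)
    return entries


def is_locked(hash_field):
    """Locked or no-login accounts carry a '!' or '*' prefix in the hash field."""
    return hash_field.startswith(("!", "*"))


def password_never_expires(max_days):
    """An empty max field or the conventional 99999 disables expiry."""
    return max_days == "" or int(max_days) >= NEVER_EXPIRES_MAX_DAYS


def audit(text, departed=DEPARTED, today=REFERENCE_DAY, stale_after=STALE_AFTER_DAYS):
    """Return findings for enabled accounts that escape the password policy."""
    findings = []
    for fields in parse_shadow(text):
        user, hash_field, last_change, max_days = fields[0], fields[1], fields[2], fields[4]
        if is_locked(hash_field):
            continue  # a locked account cannot be used, whatever its policy
        if password_never_expires(max_days):
            findings.append(Finding(user, "password never expires"))
        if user in departed:
            findings.append(Finding(user, "departed user still enabled"))
        if last_change and today - int(last_change) > stale_after:
            findings.append(Finding(user, f"password unchanged for more than {stale_after} days"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SHADOW):
        print(f"{finding.user}: {finding.issue}")
```

On the sample above, `root` is reported only for its 99999-day maximum, while `admin` is reported three times: no expiry, still enabled after leaving, and a password untouched for almost two years. The locked `olduser` entry produces nothing, which is the state the departed administrator's account in the story should have been in.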
This sort of thing happens all the time. When I was making my transition from help desk to systems administrator back in the 1990s, the guy who was our org's sysadmin at the time went on leave for a few weeks and gave me the root password for a collection of servers. It was the same password on all of them, but it had a cool mnemonic, and I figured he had changed it to that so I'd remember it and not bother him while he was on leave on some tropical beach somewhere. Fast forward five years: I met up with that friend on an entirely different continent, in one of the cages of a datacenter where there were servers he was responsible for managing. He told me I'd be able to log on to them. I could. Not really the world's best security practice, but it sort of gets my point across about systems administrators and their love of the same password.