login chaos

Sep. 2nd, 2005 02:45 pm
[personal profile] cellio
Now that we've been bought by a large company with large infrastructure, I've had to acquire quite a few more username/password pairs -- benefits site, HR site, sites for specific health providers, VPN, timesheet system, etc etc etc. (This is, of course, on top of the normal stuff -- machine login, email, etc.)

This wouldn't be so bad if all of these systems used the same pattern for the user name and maybe even the same requirements for passwords. But they don't. So there I was, trying to access one of these sites, getting "user name or password not valid" complaints, and having to try all the possible combinations of all values I could think of (because telling me which it disliked would give away too much information).

The problem turned out to be the user name. It wasn't my last name. It wasn't my email address. It wasn't my SSN. It wasn't my employee ID (actually the first thing I tried, since it was a corporate site and that's a corporate-issued ID). No -- it was the first letter of my first name plus the first four characters of my last name plus the last four digits of my SSN. I kid you not. Yeah, now that they mention it I recognize that. But who remembers stuff like that? Especially when there's exactly one system among the myriad that it applies to?

Is it any wonder that people write these things down (including passwords) or tell their browsers to take care of it?

(no subject)

Date: 2005-09-02 08:11 pm (UTC)
From: [personal profile] dsrtao
So you already have a system; it just isn't applied properly.

As I said, your IT director is not in control, or has other priorities than security.

It's downright easy to authenticate everything -- websites, timesheet systems, machine logins, VPNs, whatever -- against a single source that speaks a decent API. You appear to already have that. None of these projects should have been allowed to declare themselves ready for adoption until they showed that they use the same authentication/authorization system as is already in place.

Then you would have one username, one password, and one PIN for your card... and you could change the PIN and password easily, and everything would update instantaneously. It's not a miracle, it's not hard...
