A distinct disinterest
What is it with the state of security that i’m seeing around me?
People are using weak passwords, or the same password for everything, and not only that. The people who are supposed to be responsible for security do not discourage or prohibit the use of such passwords. Hell, weak passwords are sometimes even encouraged. “Pick something that you’ll remember for sure, as long as it has at least one capital letter”. Then we end up with passwords like “Dog1234” and then when the obligatory tri-monthly change comes a-knocking, we get “Cat1234”, because of poor user education and poor (or non-existant) complexity rules.
If we have something like full-disk encryption, chances are it’s synchronized with windows, using a single sign-on. Or then it’s a PIN code or something that’s way too easy to guess or deduce.
Security is just simply abhorent everywhere i look. And i’m not sure how to start changing it. Other people are making the policies, i can only offer suggestions, and complement users on good choices (and i’ve seen some of those too!). I’m more for positive feedback, but sometimes i just want to scream. It’s like nobody cares that a fucking VPN password only has single factor authentication, and the password is like December2009.
“But it has numbers and a capital letter in it!”
It sounds to me like you could start being the guy who makes the policies. Since we really have no one who makes explicit policies and enforces them. You could at least talk to IT management about it!
I might suggest that.. to someone.. if someone is interested. Problem is, we’re short two guys already.. and it’s only gonna get worse.