I work for a large international company. As with most businesses, security is a priority, but our biggest security threat is our users, who for some reason cannot remember the basics: their usernames and passwords.
As I hit the Save button on the latest change in our password policy, I'm amazed it's come to this. We, the IT professionals in charge of maintaining our network, have given in to the whining and complaining of our users and changed a policy purely based on their inability to follow it.
Now, instead of four failed login attempts locking a user out for four hours, we have changed to seven attempts and a one-hour lockout. Granted, the initial setting was unforgiving, but it came as a recommendation from a security analysis service that was paid a great deal of money by management.
Given the number of locked accounts every morning, we had to make a change before we started getting accused of stifling sales with our stringent password policies.
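To make the trade-off in the policy change concrete, here is an added example (not from the original column, and not the company's actual lockout implementation) that models an account-lockout policy as a threshold, an observation window and a lockout duration, then replays a constructed login sequence under both the old 4-attempt/4-hour policy and the new 7-attempt/1-hour policy. The `window` field, the `LockoutTracker` class and the sample timeline are assumptions made for the example; the policies' numbers come from the text. The second function estimates the other side of the trade-off a defender should keep in view: the maximum number of online password guesses per day the policy permits against a single account.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int        # failed attempts before the account locks
    lockout: timedelta    # how long the account stays locked
    window: timedelta     # failures older than this no longer count (assumption: window == lockout)


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)  # timestamps of recent failures
    locked_until: Optional[datetime] = None


class LockoutTracker:
    """Minimal lockout logic: count failures inside the window, lock on threshold."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, when: datetime, success: bool) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if when < st.locked_until:
                return "locked"          # still inside the lockout period; credentials are not even checked
            st.locked_until = None       # lockout expired, start with a clean counter
            st.failures.clear()
        if success:
            st.failures.clear()          # a good login resets the failure counter
            return "ok"
        # keep only failures inside the observation window, then record this one
        st.failures = [t for t in st.failures if when - t < self.policy.window]
        st.failures.append(when)
        if len(st.failures) >= self.policy.threshold:
            st.locked_until = when + self.policy.lockout
            st.failures.clear()
            return "locked"
        return "failed"


# Policies as described in the text (window set equal to lockout duration, an assumption)
OLD_POLICY = LockoutPolicy(threshold=4, lockout=timedelta(hours=4), window=timedelta(hours=4))
NEW_POLICY = LockoutPolicy(threshold=7, lockout=timedelta(hours=1), window=timedelta(hours=1))


def simulate(policy: LockoutPolicy) -> List[str]:
    """Replay a constructed morning: a user mistypes four times, then gets it right on minute 3."""
    t0 = datetime(2024, 1, 8, 8, 0)  # constructed timestamp
    timeline = [
        (t0 + timedelta(seconds=0), False),
        (t0 + timedelta(seconds=30), False),
        (t0 + timedelta(seconds=60), False),
        (t0 + timedelta(seconds=90), False),
        (t0 + timedelta(minutes=3), True),   # correct password this time
    ]
    tracker = LockoutTracker(policy)
    return [tracker.attempt("cad-engineer", when, ok) for when, ok in timeline]


def max_guesses_per_day(policy: LockoutPolicy) -> int:
    """Upper bound on online guesses per account per day an attacker gets before each lockout
    (approximate: ignores the time the attempts themselves take)."""
    cycles_per_day = int(timedelta(days=1) / policy.lockout)
    return policy.threshold * cycles_per_day


if __name__ == "__main__":
    for name, policy in (("old 4/4h", OLD_POLICY), ("new 7/1h", NEW_POLICY)):
        print(name, simulate(policy), "guesses/day <=", max_guesses_per_day(policy))
```

Under the old policy the fourth typo locks the account and the correct password at minute 3 is rejected, which is exactly the morning-lockout pattern the column describes; under the new policy the same user logs in. The cost is that the new policy permits roughly seven times as many online guesses per account per day (168 versus 24), which is the figure to weigh against the helpdesk load and to compensate for with monitoring of repeated failures.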
What's next? Do we just stop using passwords altogether because people complain they have too many of them and they're too difficult to remember? Do we switch to fingerprint login for all computers? Is it time to take a serious look at retinal scans? Where do we draw the line?
Our users are far from dumb, mind you. Most of them are highly skilled CAD engineers or field sales reps whose work requires real proficiency with high-tech machinery. They need a computer every day like the rest of us. It's more than just a convenience; they rely on laptops, tablets, and smartphones to do their jobs.
Yet the idea of changing passwords or even remembering proper login combinations is simply lost on many of them. Securing our network is practically pointless: their passwords are on sticky notes on their laptop screens!