Because, really, password security IS important

This pilot fish goes to work on a huge project for a government agency. "There were over 400 people in the same building working on this contract," says fish. "Everyone had a PC on the administrative LAN, and at least a third had a Solaris box on the firewalled development LAN.

"There were about a dozen commercial products running on the two LANs that had conflicting password requirements -- length, special characters that were accepted, etc. When I first started on the project, I had nine different passwords I had to keep track of."

In time, the IT team gets that down to three passwords. But fish also has problems with the commercial configuration management system.

Eventually he's so fed up that he barges into the area where the sysadmins work and refuses to leave until someone fixes the problem.

Several people try to get the system working for fish, but they fail. The problem is escalated to the boss -- and fish marches over to his desk to make sure it gets done.

"As I stood looking over his shoulder, he attempted to log into the system as root," fish says. "However, he fat-fingered something and I saw him type his password in the clear.

"He muttered a few choice words and quickly cleared his screen, entered the system and fixed my problem. I didn't say anything or acknowledge that I had seen the password.

"What amazed me was that the admin password was 'abcroot.' I figured he would change that immediately, or at least within a day or two."

But the CM system now works for fish, so he returns to his work. And for the next two years, he dutifully changes his three passwords every 60 or 90 days, depending on the system, and deals with the problems that ensue when one password expires while fish is on a month-long vacation.

As the project nears its end, deadlines get harder. One weekend, fish's team is working overtime to meet a Monday-morning target when a co-worker rushes a little too much and fouls something up.

Fortunately, it can be fixed -- all it will take is making a change in the configuration management system. Fish's co-worker knows what needs to be done, and he knows how to do it. He just doesn't have the necessary privilege for his login.

"Nary a CM admin was onsite or available via phone," says fish, "so I attempted to log on as an admin using the 'abcroot' password I had seen two years before. And it worked!

"I soon discovered the same password was used as the admin password on all the PCs, Solaris logons, etc."

You don't need a password to send Sharky your true tale of IT life. Just e-mail it to me at sharky@computerworld.com. You'll get a stylish Shark shirt if I use it. Add your comments below, and read some great old tales in the Sharkives.


Copyright © 2009 IDG Communications, Inc.

  