One of my previous jobs was in the internal call center for a national organization. The upper management treated us like peons but gave us more power to cause problems than I've ever wielded before or since. We could remotely access pretty much anything connected to the Internet at any of this company's many locations around the US. That included security cameras, back office computers, and credit card systems. This is not a power that you want a disgruntled employee to wield.
Employees vented about their frustrations and would joke about what they could do if they were so inclined. No one ever took that seriously, though. Part of the reason was that every time anyone remotely accessed anything, the system kept a log. Someone could definitely do a lot of damage, but it would be easy to trace it back to the culprit. We all knew that it was much more likely for someone to storm out and never return than to face jail time and lawsuits.
Because of that tracking, it was drilled into us that our computers were to be locked at all times if we were not currently sitting there. Failure to comply was not a defense if something was done under our accounts. Not coming up with a good enough password was not a defense, either. The security of our accounts was our responsibility and ours alone.
Then came the company-wide email that IT was going to do a massive update on the entire system. They wanted us to write our passwords on sticky notes and leave them at our desks so they could log on as us and do them. I asked my supervisor why they couldn't log in with an admin account. He said to do what the email said and that I wasn't paid to question the IT department.
Even still, it went against common sense, much less everything we had been warned (read: threatened) about for that position. I'm pretty sure the employee handbook had almost this exact situation as an example of something that we shouldn't obey!
So, I emailed the manager of the entire call center, CC'ing my supervisor and shift manager. I laid out my concerns, primarily that anyone could get my password from the note, log in as me, and do a lot of damage. I didn't write it in the email, but I was prepared to get fired for disobeying the order. Soon after she got in that morning, the manager sent me an email. It was another confirmation that I was to write my password on a sticky note and leave it at my desk. She also stated that I would not be held responsible for anything done with my account from the time I left to when I was able to change my password.
I forwarded the email to my personal account and confirmed with my phone that it went through. My butt sufficiently covered, I complied.
My password was similar to: IliwmlsIswIl1l!
It meant something to me but looked like a mess when I wrote it out. I actually left notes on which characters were upper-case I's, lower-case L's, etc. to try to make it easier on them. I almost ran out of space on the sticky note.
I returned to my desk at the beginning of my next shift. A different sticky note was on my screen: "We couldn't figure out your password, so we had to reset it. This is your new temporary password: whatever-it-was."
Wait...of course they could just reset everyone's passwords! Why was I only now thinking of that? Instead of doing it the simple way, they introduced the opportunity for horrible security breaches.
But I wasn't paid to question IT. So, I minded my own business and changed my password to something that looked equally as complicated. To this day, I like having passwords that I could tell someone without them actually being able to use it.
Also, the IT department never had us put our passwords on sticky notes again while I was there. I like to think that they didn't realize they could reset our passwords until they couldn't figure mine out, even when given copious notes.
Photo by Daniel Fazio on Unsplash.