Nov 16 2006

If he was dismissed in 2003, how come his passwords still work in 2006?

Published by at 11:06 am under Hacking, Simple Security

One of the last things I’ve done at my last three jobs has been to help the administrators change the passwords on the systems I had access to.  Not that I helped choose the passwords, but I did remind them of what I had access to during my tenure.  When I took my current job, one of the first things I did was work with the staff to change as many of the passwords as possible (Why not all, you ask?  That’s a story for farther down the line).

So when I read about Source Media charging their ex-VP of Technology with unlawful computer access to the mail servers, I have to wonder why he was able to use passwords from 3 years previous!  Why hadn’t these passwords been changed immediately when he left?  And even if they weren’t changed immediately, why haven’t the passwords been changed in the time between now and then?

Source Media may need to have a long talk with their current IT staff about how their ex-VP was able to access the servers.  Where were the multiple layers of protection that should have stopped this from happening?  Why don’t their policies and procedures require the change of passwords on a regular schedule?  Where was the user education that should have stopped users from sharing their passwords?  Where were the detection safeguards that should have seen this information exiting the network?

Changing passwords is a simple, basic protection that is easy to instill in your staff.  They may whine a little, but there’s no reason not to force quarterly or at least annual password changes.  And if this VP knew their passwords from three years ago, how many other staff members have come and gone in that time?

I just hope they’ve changed their passwords now.
