Passwords: just another bureaucratic annoyance
by Andy Oram
Many workers in human services, she told me, are reluctant to provide data that would be useful to improve the services. She'd like to track homeless people as they move from one jurisdiction to another for instance, to provide better continuity of service and find out what works and what doesn't. The agency staff are afraid that sinister forces within government will misuse data. While we have no lack of sinister forces in government, it appears that the people needing human services are more at risk of snooping by random staff people, facilitated by the awful security practices just mentioned.
I'm not surprised that employees would treat passwords as just one of the many random impediments they have to bypass each day to do their jobs. Given how many regulations reflect political grandstanding rather than life on the street, and how many well-meaning regulations outlive their usefulness, workers have to interpret the rules in a (shall we say) creative manner. I'm sure many employees in private industry get through the day the same way; it's not limited to government. But an even deeper issue is at work.
One problem that most bureaucracies seem to have is the "enter the same data many times" problem. When you go to the hospital, you can end up writing your name and address five different times on five different forms; same at the state department of motor vehicles; etc. I'd guess that one of the problems with government computer systems is that your username and password fall into this category: you have to keep entering them over and over, and sometimes they're not the same username and password (because different systems have different rules for what is a valid username or password). I certainly feel like life got a lot easier after my browser (Firefox) started encrypting all auth creds with a master password, so that it was safe to let it remember creds between sessions. Effectively, that master password is now my one password. All the other stuff is implementation details.
|Governments aren't the only ones with these kinds of problems. I am a consultant who works for mostly private corporations and I have seen some doozies. One great example was this unix sysadmin who simply didn't want to adhere to the IT security policy we crafted for a secured printing system. His ONLY job was to install the Linux systems and then hand over the keys to us for integration testing for the next phase of the project. Instead of installing them and just leaving it at that, the jerk created himself a user account on every box and put an suid shell script in it so he could gain root anytime he wanted. I guess he thought we were dumb and wouldn't notice something so obvious. His excuse was that he didn't want to adhere to the IT process for obtaining elevated privileges because "it would take too long". Anyway, we tried to have the guy fired but he was a nephew or something of someone important and was simply moved to another division, presumably to continue his idiotic habits.|