msmemory_archive ([personal profile] msmemory_archive) wrote 2009-04-08 02:29 pm

(no subject)

If you're going to implement a strong, mandatory, inconvenient policy, it would sure be a good idea to issue a memo, or an all-staff email, or post it on the intranet.

Having to have our IS guy visit each person in the whole site to explain that their computer was locked while they were in the restroom or at lunch, and it will lock itself after 15 minutes of inactivity henceforth, just stinks, for us and for the hapless IS guy. (It also lends itself to people choosing the shortest, weakest passwords they can get away with, if they have to log in several times a day.)

[identity profile] tashabear.livejournal.com 2009-04-08 06:41 pm (UTC)
We have to do that in the military, except that we also have to use our ID cards to log in. We get to use a PIN, though.

It's lots of fun when you get to the gate in the morning and realize that you left your ID in your computer the previous night.

[identity profile] learnedax.livejournal.com 2009-04-08 07:44 pm (UTC)
You know, we also just started doing that, with no explanation at all. I wonder whether it's some new mis-feature that's being pushed by MS...

[identity profile] msmemory.livejournal.com 2009-04-08 07:55 pm (UTC)
I can live with the policy, though I dislike it. What pisses me off is that there was no notification. (Not even "And as of next Wednesday, if you're away from your desk for 15 minutes or more, your computer will automatically lock. Just provide your password, and all your applications will still be in the state you left them.")

[identity profile] ilaine-dcmrn.livejournal.com 2009-04-08 08:21 pm (UTC)
Wow, if we implemented something with that kind of customer impact with no notice our eyebrows would be singed back to our collarbones.

[identity profile] cvirtue.livejournal.com 2009-04-08 08:24 pm (UTC)
I'm not an infosec person, but it seems to me that if a company is going to have this sort of security paranoia, then 15 minutes is *too long.*

So as well as being annoying, stupidly implemented, etc., it may also be too lax to be useful.

[personal profile] cellio 2009-04-08 09:24 pm (UTC)
Our company has this policy, and you can't override the settings. My manager pointed out that they had just made his computer less secure; he had had it set at 5 minutes. Unfortunately, they didn't care. :-(

[identity profile] hugh-mannity.livejournal.com 2009-04-09 12:37 am (UTC)
Yep. Ours is a mandatory 5 minutes. We have to change our passwords every 90 days and they have to be a minimum of 6 characters and include a number.

Fortunately I know enough SCAdians whose names I can mangle that I haven't run out of memorable passwords yet. In fact I haven't done with Carolingia ;)

[identity profile] alexx-kay.livejournal.com 2009-04-09 02:23 pm (UTC)
Our passwords have to be at least 8 characters, include at least three out of the four from the set [lowercase, uppercase, numbers, punctuation], not be 'too close' to anything the built-in automated program has in its dictionary, and can't be any of the last 25 passwords you used.

I hate password-changing day.

[identity profile] corwyn-ap.livejournal.com 2009-04-08 11:59 pm (UTC)
Why would you tell everyone at once? That way people can conspire to have the rule overthrown. By having people find out one at a time you spread the discontent around, and by the time a critical mass of people know, many will be resigned to it.

[identity profile] n2mlq.livejournal.com 2009-04-10 12:35 am (UTC)
Or you wind up like me, with good strong passwords, and I keep the auto-lock set for five minutes; three was just a little too short.