The importance of keeping passwords secret is endlessly reiterated by security firms, banks, and others. Yet US government tax service workers are still to pick up on the message, it seems. Three in five (60 per cent) US Internal Revenue Service workers readily gave up their user names and agreed to change passwords to ones …
Passwords are useless
Surely given the magnitude of the failure, they should be concluding that password security is doomed in this application with these workers, and move exclusively to some sort of smart-card or biometric authentication system.
What I didn't get from the report: When was the last time the employees tested were given education on password management? What was the size of the employee sample and where - geographically - were the employees located? What level of employee within the IRS was tested?
Want non-technical employees to have good password management skills? Educate them early and educate them often. By all means have a public hanging or two - pour encourager les autres - but if you haven't put the time and money into education then be prepared for an unfair dismissal suit or twelve.
Just doing what they are trained to do
kowtow to authority - and do what they are goddamn told.
poor staffer just doing what IT tell 'em
I don't often side with poor old users, but on this occasion I do. How many times do IT helpdesk tell a user to do something .. often something that user is unsure about ("Really, you want me to click on the icon of a bomb?"). So when a user is asked by IT to give up their password and use one that they have just been told, I would expect them to do it.
This simply shows the lack of training offered to the non-technical people about how to stay secure and not be socially engineered!
is this an IT publication or isn't it?
"Although attempts to attack the IRS's systems are commonplace, no successful attack has been recorded to date. "
shouldn't that read "reported" instead of "recorded"? Honestly.
RFID is the answer
Since the IRS employees can't be trusted with simple password-based security, it's time to inject them with RFID chips. Then all they have to do is plant themselves within range of their workstations, and the computer will recognize the chip and grant them access (as long as they are in range).
Now, for normal citizens, this is a very lightly-invasive procedure, since the chips are almost microscopic in size. However, this is a government operation, and therefore Milspec chips will be required. As everyone knows, Milspec chips are 10 times as large (and 100 times as expensive) as ordinary chips, so the implant procedure is going to be somewhat uncomfortable. To minimize the discomfort, the chips should be inserted into the buttocks. Security requires a good, deep implant - snuggled right up to the pelvis, I should think.
And, to ensure good security, the chips (which are now acting as the employee's "password") must be removed and replaced with new chips every 90 days. Sorry, that's just policy; we can't change it for just one government agency, now, can we?
I find it amazing they test employees with social engineering in the first place.
It's almost as if something sensible was being done - except for using IT staff to demand employees use new passwords, as one person has already stated, why would they refuse?
Seems a somewhat unfair test. Now if the person received said instructions over the phone, rather than in person, ok - you need to educate people to not do things like change their password to something some unidentifiable person on the phone suggests.
But if the IT folks, the people they deal with day in, day out for IT related problems, walk up and tell them to start using a new password - why would they think it anything out of the ordinary?
They don't know that authorized IT personnel could change their passwords without having to ask. They're just doing what I'd expect them to do.
Poorly paid, poorly trained
The employees the article is talking about are amongst the least paid individuals in the US bureaucracy. And the worst trained. The IRS gives most of these people a few hours of training about their job and then drops them into the fire. Most of it is either OJT or some beneficent co-worker helping out a little. But security training? That might be a passing "don't give your password out and change it from time to time. Now we'll break for lunch".
Of course, we Americans then call these people with questions about our taxes. No wonder so many people have errors.
Our nice, shiny new Red-Hat Linux cluster got the security treatment the other day. Now after you type your user ID it comes up with "Using keyboard-interactive authentication." as a password prompt.
I'd like to know who's responsible for this linguistic abortion, as I have a right good kicking with their name on it here...........
Acting like it's just the government.
All companies do things like that. At least in the UK I have only once come across two people sharing a login and password in my time working for the government. And that was for a read only system, and they were jumped on as soon as it was found out. I’ve known private companies where several people have shared a login in the accounts department for the accounts system (In fact my wife was threatened with the sack for not sharing hers, until she pointed out the problem and they went to someone else who wasn’t as clued up).
This is all helped by the fact that the department I work for does regularly remind people not to share or give out their password.
If the user is the weak link in the chain of security, there's no point saying to them 'be a stronger link'. Passwords are a hassle and people's memories aren't good, which is why you get 'fluffy01', 'fluffy02', 'fluffy03' as people are forced to change their passwords.
A fingerprint login or something that no one could borrow is surely the best. On the other hand, if you have access to something *really* important, you might find yourself yakuza'd.
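The 'fluffy01' to 'fluffy02' pattern the commenter describes is the usual side effect of forced rotation. Below is an added example (not from this thread, and not any product's code) of the check a password-change handler can run to reject a new password that is only a counter bump, case change, reversal or small edit of the current one. It assumes the change flow has the user type the current password, which is normal, so no plaintext history has to be stored; all sample passwords and usernames are constructed.

```python
import re

# Added example, not from the comment thread. All sample passwords and user
# names below are constructed for illustration. Intended to run at
# password-change time, when the user has just typed the current password,
# so no plaintext password needs to be kept anywhere.

# Leading or trailing run of digits, symbols or underscores.
_EDGE_JUNK = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def stem(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols, so that
    'Fluffy02!', 'fluffy03' and '04fluffy' all reduce to 'fluffy'."""
    return _EDGE_JUNK.sub("", password).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance between a and b (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, min_distance: int = 4) -> bool:
    """True when `new` is only a cosmetic variation of `old`."""
    o, n = old.lower(), new.lower()
    if o == n or o == n[::-1]:           # case-only change, or reversed
        return True
    so, sn = stem(old), stem(new)
    if so and so == sn:                  # same word, only the counter changed
        return True
    if len(so) >= 4 and so in n:         # old word buried inside the new one
        return True
    if len(sn) >= 4 and sn in o:
        return True
    return levenshtein(o, n) < min_distance  # a handful of edits apart


def flag_trivial_changes(changes):
    """Given (user, old, new) requests, return users whose change is trivial."""
    return [user for user, old, new in changes if is_trivial_rotation(old, new)]


# Constructed sample of requests a change-password handler might receive.
SAMPLE_CHANGES = [
    ("alice", "fluffy01", "fluffy02"),
    ("bob", "Winter2023!", "Winter2024!"),
    ("carol", "fluffy03", "horse-staple-coral-7"),
]

if __name__ == "__main__":
    for user in flag_trivial_changes(SAMPLE_CHANGES):
        print(f"{user}: new password too similar to the current one, rejected")
```

The stem comparison catches the counter-bump and season-plus-year habits directly; the edit-distance threshold is the fallback for everything else, and `min_distance` is the knob to tune against your own change logs. Combining a check like this with a longer rotation interval, or none at all where there is no evidence of compromise, removes the incentive that produces the sequence in the first place.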
It was not IT staff
"So when a user is asked by IT to give up their password and use one that they have just been told, i would expect them to do it."
I think the point was they **weren't** IT staff. It was just some unknown guy who phoned them out of the blue and **said** he was IT staff. There's very little difference with what they did to phishing emails. They just did it by phone.