It's time to stop asking users for periodic password changes

Having contributed to a massive derail, I'd like to share some experience of my own.

I used to work at various research facilities, and also in some private companies. Password security is usually not on their list if they think about IT security. Even SAP stuff was just secured with a simple stable password.

Some other thing I came to know, however, is a special form of security theater. I know someone who works at an IT department of a certain employer, and I have seen other related employers. Let me write the book…

Chapter 1: one word to rule them all
From what I have seen and heard, there is one single password for most services in most agencies. Windows PC, local and remote servers for R, GIS, the git-service servers, time management system, travel management system, email, everything. If your PW gets compromised, you are fucked everywhere. The single exception is SAP, which has its own password.

Five failed attempts lock you out. Of everything. Except SAP. The first thing you notice is, e.g., the in-house git server does not accept your push. Next, you can’t write an email to IT support about this. You reach for your phone, can’t get through, and in the meantime your PC went into screen lock and you can’t log in again.

However, if someone has your PW, they theoretically can access everything (as long as they have penetrated the firewall).

Chapter 2: do not write it down, they said?
Both your PW for SAP and the system need to be changed regularly, need a certain length and other (usual) characteristics. That’s annoying, but manageable. Or so you thought. Because one rule is you can’t reuse old PWs, and apparently there is a system which limits permutations (I suppose some kind of distance measurement like Levenshtein’s).
Of course, this means people have a Word file with their passwords, somewhere. Very few are tech savvy enough to have a password manager.
Talking about password managers…

Chapter 3: cloudy, with intermittent showers
Anything cloud is bad. No-one is allowed to use cloud services. Which means that password managers are not accessible from another device. So, if you are locked out of your accounts (including your Windows logon, of course) you can’t access your password manager. Or your Word file.
Just BTW, this also means that GitHub is off limits, and the in-house git service server is unreachable from the outside. The same is true for Dropbox, AWS, Azure, Doodle, anything on other people’s computers: you don’t use it, because they are considered a threat to security.
Which of course leads to the next chapter.

Chapter 4: the things you mail
Of course, if you can’t exchange files via services in the cloud, people mail you stuff. Yeah, there’s antivirus software, and some server-side solutions as well. However, you get mailed all sorts of documents and code. From all over the world. Sometimes via people from other institutions you might have had no contact with before, because they have been assigned to a project or task you might be involved with. It’s not unsolicited mail, right? It’s official. Oh, and you get mail and tons of files from sub-contractors, of course. You don’t know anything about their IT security (or you might, and it’s nearly non-existent).

Oh, did I mention all PCs run Windows 7?
You know what prevents all sorts of problems and attacks? Right you are.

Chapter 5: no administration rights.
Software is rolled out through a repository. Only approved software can be installed. This keeps everyone safe, right?

As everyone knows, classical plays have either three or five acts. I don’t write plays. But from what I have seen, this theater is nothing like The Globe, and the play given is nothing like Macbeth. Maybe it should be a fable?
IDK. But I doubt I can learn anything from that besides that working with people who are very, very afraid of some IT security breach does not mean they take IT security seriously enough to actually think about it in detail.

3 Likes
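An added example, not code from the original post: the kind of edit-distance check the post supposes sits behind the "no near-reuse" rule in Chapter 2, and why it catches the increment-the-year pattern that forced rotation tends to produce. The function names, the threshold of 3 and the sample password history are assumptions constructed for illustration.

```python
# Added example (not from the original post): a password-history similarity
# check of the kind the post supposes, rejecting a candidate password that is
# only a few single-character edits away from an earlier one.

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character insertions,
    deletions or substitutions that turn a into b."""
    if len(a) < len(b):
        a, b = b, a
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            current.append(min(previous[j] + 1,            # deletion
                               current[j - 1] + 1,         # insertion
                               previous[j - 1] + cost))    # substitution
        previous = current
    return previous[-1]


def too_similar(candidate: str, history: list[str], min_distance: int = 3) -> bool:
    """True if the candidate is within min_distance edits of any earlier
    password. Compared case-insensitively, so a case flip alone is not a
    real change either. Threshold of 3 is an assumed policy value."""
    cand = candidate.lower()
    return any(levenshtein(cand, old.lower()) < min_distance for old in history)


# Constructed sample history showing the rotation pattern that mandatory
# periodic changes encourage: same word, next year.
HISTORY = ["Autumn2019!", "Autumn2020!", "Autumn2021!"]


def check(candidate: str) -> str:
    """Policy decision for a candidate against the sample history."""
    return "rejected" if too_similar(candidate, HISTORY) else "accepted"


if __name__ == "__main__":
    for pw in ["Autumn2022!", "autumn2021!", "correct horse battery staple"]:
        print(f"{pw!r}: {check(pw)}")
```

The first two candidates are one and zero edits away from the history and are rejected; a genuinely new passphrase passes.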