Administrators: Force Secure Passwords Because Users are Lazy. This is the story of how a stolen laptop and a careless employee got me banned from my favorite pawn shop.
The punchline to this story is hidden in my phone call to a complete stranger:
Stranger: How do you know Bob?
Me: All I know about Bob is what I found on his laptop.
And later in the call:
Stranger (to someone in the office with him): This guy on the phone is standing outside a pawn shop in Houston and …
Loud voice in the background: OMG, he found our laptop?!
Author Note: Pawn shops are often a great place to find older camera equipment (I’m hunting for old 35mm Canon lenses for my XSI with adapter ring for artistic shots). I have the expectation that nothing for sale is stolen. This article is not about pawn shops, it’s about security. So no flames please.
While walking through the electronics section of a pawn shop, I noticed a Dell laptop in the WinXP screen-saver mode. Interested to see if it was worth the $200 price tag, I tapped the space bar for a closer look.
That’s when I met Bob.
There was no login password, dismissing the screen-saver took me right to Bob’s desktop. 2 seconds later, it was obvious something wasn’t quite right. If someone was going to sell their old laptop for a few bucks, chances are they would delete personal and company information; Bob didn’t give up this laptop voluntarily.
Sifting Through Data
Knowing that Bob would probably like to have his laptop back, I spent several minutes sifting through files looking for contact information. There was directory after directory of company financial data, historical pricing information, bid sheets (won and lost) and client contact information. Finally, in a online purchase receipt next to his credit card number, I found Bob’s company phone number.
I found enough information to contact Bob by rifling through the company’s sensitive financial information that was on public display in a resale shop
Calling Bob’s Boss
Bob didn’t answer the phone, but his boss did and was happy to get my call. He notified the police investigator working the recent office robbery and a few hours later, the pawn shop manager received a visit from two officers. After lifting some fingerprints, the nicked laptop was returned to its owners while the manager of my favorite pawn shop was out $200 bucks.
Apparently, the office robbery was perpetrated by someone looking to nab some computer equipment. But had Bob’s laptop been stolen by evil-doers from a rival company, the damage would be immeasurable. For the ripe sum of $200, anyone could have bought this company’s laundry and Bob’s credit card receipts.
Users Hate Security
When it comes to IT security policies, I’ve worked in polar extremes. At one design shop, every C:\ drive was an open share. On the other hand, when working IT litigation support for Enron, VPN was restricted to using company-provided software and our home PCs were required to have extreme password policies enabled. Logging in from home was a 5 minute, multi-step process that IT felt was warranted.
Secure systems are inconvenient for users. For the sake of efficiency, they may choose convenient passwords (or disable security entirely). Users may also prefer the same password for every system, even for their CBS Survivor fan site.
Statistics suggest as many as 600,000 to 1 million laptops are lost or stolen each year
Number of USB Keys lost or stolen yearly is impossible to calculate
Reduce Risk, Fix Bob, Bob is Lazy, Long Live Bob
System and site administrators have to design security with the expectation that users are lazy and have no concept of security. The majority of your users may be well-informed and aware of their responsibility to security. But it only takes one Bob to lose a laptop with a lousy password (if any) to put a business at severe risk.
Enact password and drive encryption policies in your organization to prevent an over-night robbery from turning into a company destroying event. This is not the job of IT managers, CEOs, CFOs or building security. It is the responsibility of system admins and developers. Your company’s data is in your hands, is it worth a $200 laptop resale?
Be a Company Hero
When a member of the sales team forgets his laptop in a taxi and his director storms in your office wanting to know the risks, you can confidently say there is no exposure. The hard drive was encrypted and the login password is impossible — the device is useless without reformatting first. Someone in the world gets a free laptop, but the company is not at risk.
As a side note, the pawnshop owner saw me standing by the laptop for several minutes. So now I can never show my face in that place again. Maybe that’s not a bad thing.
NOTE: I originally wrote this article while working for Dzone.com, August 23, 2008