BOFH: Don't threaten us with a good time – ensure it

So we've got our annual insurance audit to validate the company's worthless cybercover – a policy with more get-out-of-jail free cards than a prison monopoly set. "Just going over your general security settings … Can you tell me your password policy for users?" Brian, the guy from the …

  1. ArrZarr Silver badge
    Devil

    Insurance is just betting against yourself.

    Why would you bet against yourself if you know what you're doing?

    1. KittenHuffer Silver badge

      Insurance and warranties ..... only get them if legally or contractually required!

      If the insurance company is making a profit from them then on average you'll get back less money than you put in! Always a losing strategy for most gamblers, most of the time!

      1. John Robson Silver badge

        It's a known loss against an unknown gain.

        On average you'll come off second best, but if you don't have insurance then every so often you end up bankrupt... and the insurance company's profit is the price we pay to avoid that potential downside.

        1. This post has been deleted by its author

        2. An_Old_Dog Silver badge
          Joke

          Where's the Down Side?

          As members of the Board of Directors, not paying for insurance means Great Savings for Justice, our stock portfolios' values increase, and we give ourselves bonuses for being awesome financial stewards.

          If our factory burns down and we go out of business, we get our Golden Parachutes, and jobs elsewhere in the industry, with even fatter compensation packages.

          Where's the downside (to us)?

      2. Persona Silver badge

        I would agree with you on something like a washing machine warranty. Were it to break I could afford to buy a new one, however having house insurance matters. It's all about cashflow.

        I had a house fire many years ago caused by an immersion heater timer. We were out at the time and got back to find quite a mess. The total paid out by the insurance company was £118,000. Even if were to pay more than that in a lifetime of premiums (I won't) I would prefer to spend that over a lifetime and not all at once. Sorting life out was hard enough with the insurance, without it it would be devastating.

      3. David Hicklin Silver badge

        > Insurance and warranties

        Insurance, often legally required and yeah you could lose your business or your house...

        Warranties: Put all the money you would spend on these into a savings account and watch the money grow - doubly so for consumer goods !! They really are money for old rope.

    2. Kevin Johnston

      Ah yes, like the wonderful life insurance bet. The insurance company bets you are not going to die in the next x years and if they lose your will says who gets the winnings.

      1. Jon 37 Silver badge

        Minor nitpick: In many countries, such as the UK, the life insurance pays out to a named beneficiary. It's nothing to do with your will. (Maybe there are countries that do it differently?)

        The reason for that is that your will divides up your "estate" - everything you owned. Many countries, including the UK, tax estates. So if the life insurance money went into that pot it would be taxed. By paying it directly you avoid that tax. Also if sorting out the estate takes a long time, that doesn't delay the life insurance payment.

        1. Anonymous Coward
          Anonymous Coward

          Death and Taxes

          Some people take out a life insurance to pay the death duties - otherwise, if you have valuable assets (like a house!) you can't sell it until you get probate and of course you can't get probate until you've paid the death duties : CATCH 22

        2. Anonymous Coward
          Anonymous Coward

          Nitpicking the nitpick...

          A lot of death-in-service life cover in the UK is written as part of a company pension scheme.

          So given recent announcements about bringing pensions into the inheritance tax net, you may want to take a close look at yours....

          1. Yet Another Anonymous coward Silver badge

            If you have a BOFH a lot of "death-in-service life cover" pays for the Friday night curry and beer, if a user chose to go too close to a window.

            1. tezboyes

              Clearly the Company doesn't have death in service as a benefit for the Boss, otherwise they would have gone into receivership years ago!

        3. DuchessofDukeStreet

          It's optional in the UK - a policy can either be written to be owned by the life insured (and the payout therefore goes into the estate on death) or to be owned by a named beneficiary (who is then technically liable for paying the premiums) which keeps the payment outside the deceased estate. If the estate is subject to income tax, both options benefit from professional advice or a lot of personal research.

          1. Dinanziame Silver badge
            Devil

            I remember that in some cases and countries, you definitely want to avoid the life insurance to be paid to the estate, because that means estate taxes...

        4. Roland6 Silver badge

          >the life insurance pays out to a named beneficiary. It's nothing to do with your will.

          You need to have specified a named beneficiary and they need to be traceable, otherwise, it is paid to the Estate....

          Pension pots are similar. However, if you haven't informed the pension provider of your legal partner, they can refuse payout...

      2. Zippy´s Sausage Factory

        Your will says who ought to get the winnings. Usually people ignore it.

        1. EvilDrSmith

          As the old saying goes, "Where there's a will, there's a relative"

          1. Major N
            Pint

            Might be old, but I haven't heard that one before! Thanks for the chuckle

          2. Anonymous IV
            Unhappy

            > As the old saying goes, "Where there's a will, there's a relative"

            My old saying goes: "Where there's a will, there's a solicitor who benefits..."

    3. lglethal Silver badge
      Go

      I always look at Home Insurance in this way - I could put the money I spend in a bank account in case I ever had a fire and needed to rebuild. And in the long run I would absolutely save a ton of cash. However, if my house burns down at the end of the first year (or first 10 years), before I have the money to rebuild saved up. Well then, frankly, I'd be up sh&t creek without a paddle, and the choco crocs would be circling.

      Home Insurance allows me to not have to worry about when that fire happens, whilst knowing the pot of money will be there to rebuild if/when it happens (and fingers crossed, it never does happen). Ok, you have to take in the millions of caveats that the insurer will use to try and get out of its obligation, but it is still a better option, if you can't have the money there from the start.

      Cyber Insurance though, is a complete waste of everyone's time, and the sooner it dies, the better for everyone...

      1. SVD_NL Silver badge

        Only insure something if you cannot afford to lose it AND if you cannot afford to replace it.

        Otherwise you're better off putting the same money you'd pay to the insurance company into your bank account.

        1. Anonymous Coward
          Anonymous Coward

          Only insure something if you cannot afford to lose it AND if you cannot afford to replace it.

          That is indeed the first and last principle of all insurance.

          In between is the principle that you only take insurance that you know have a history of paying out. Home insurance generally pays out, but many others do not. Check it!

        2. AVR Bronze badge

          In places where the car insurance companies effectively run the justice system as it relates to car accidents, you may be legally required to get car insurance to drive, or effectively required because if you're involved in an accident and uninsured then you are at fault. It's a bit of a way off cyber insurance, but there are sometimes other reasons to get insurance.

          1. SVD_NL Silver badge

            Over here you're required to get insurance that pays for someone else's damage when you're at fault for an accident (unless you're driving in a criminal way, e.g. drink driving).

            There aren't a lot of people on this planet who can afford paying for an expensive car + lifelong medical costs due to an injury.

            1. pirxhh

              Here on the old continent, car liability insurance is mandatory, to protect the public from you operating a potentially deadly piece of machinery.

              Comprehensive or theft insurance is not, as the public cares very little if you have to take the bus after causing an accident with said piece of sh^Hteel. You may decide to take the risk of losing your car, and the lower it gets in value, the less attractive comprehensive insurance becomes. But if you should injure a cyclist, the insurance company will pay (and, should you have been intoxicated, may recover their losses from you). The victim should not have to suffer from your bankruptcy.

        3. Roland6 Silver badge

          >AND if you cannot afford to replace it.

          Disagree...

          I can afford to replace my recently dead freezer, however, it was insured and will get replaced for free. Okay I took a gamble, it was 15+ years old, so when the insurer accepted it, the odds were in my favour, and the replacement will require a little hassle (ie. it won't be as simple as an online purchase).

          I perform a similar trick with my steam iron and kettle: with one purchase I have a high certainty the 3 year extended insurance will be paying out; I live in a hard water area.

          1. John Brown (no body) Silver badge

            "I perform a similar trick with my steam iron and kettle: with one purchase I have a high certainty the 3 year extended insurance will be paying out; I live in a hard water area."

            A canny insurer may well have a clause that includes "proper maintenance" and twist that to check if you have used deionised bottled water for the iron and/or used a regular descaler treatment for both items. As someone who does warranty repairs in the IT industry, I'd expect anyone doing kitchen appliance repair/replacement to do the same as me. Check first for "user damage". Allowing a kettle to build up lime scale in a known hard water area would probably be user damage. Except I suppose that these days it's probably not economic to even attempt to repair those items so that user damage won't even be looked at and the mis-use by the user simply adds a few pennies to everyone's insurance. The company won't care because the customers are paying for it.

            1. Roland6 Silver badge

              Agree, but high st. stores, their "warranty inspector" will give the item a simple lookover for, as you note, obvious damage and then pull an equivalent item off-the-shelf.

              For other goods, I've tended to go with the manufacturer's included warranty and effectively self insured. As you note, insurance requires a canny mindset; I don't expect to beat the insurers but I do expect to reduce my overall expenditure on insurance.

              Recently had a laugh, the new managers at a client decided they were overpaying on the insurance (with NFU), and switched to a cheaper insurer, who as a condition, required them to keep an accurate asset register. Needless to say the cost of creating and now maintaining that asset register exceeds the premium saving, plus NFU expected stuff to fail (anyone who has worked with farmers will understand why), so had built in a level of payout; which meant they effectively covered the replacement of a couple of laptops every year with no hassle, for which there was no explicit budget.

        4. veti Silver badge

          When I bought my son a Chromebook for school, I paid for a 3-year combined warranty/insurance policy, because I had a pretty good idea what was likely to happen in that timeframe.

          He's on his third replacement now, all completely free.

          1. Hazmoid

            Our son's iPad was smashed days after his time at school had come to an end and the insurance policy ran out. We had just opted to pay out the school to keep it too :( instead of returning it.

      2. Anonymous Coward
        Anonymous Coward

        I could put the money I spend in a bank account in case I ever had a fire and needed to rebuild. And in the long run I would absolutely save a ton of cash.

        You either have a very cheap house, or hugely expensive insurance.

        Just looking at rebuilding costs, I'd have to pay my annual home insurance premium for about 400 years to reach parity with the cost of rebuilding.

        1. The Dogs Meevonks Silver badge

          I was thinking the same thing, an avg home would cost in the region of 100-130k to rebuild... I just spent £18k converting a garage and a cloakroom into a bedroom & ensuite so my mum can come to live with us. If I'd paid a contractor to do it all from start to finish, that would have easily been £25k

          1. Roland6 Silver badge

            Word of advice from an insurance assessor who inspected a neighbour's house after a flood: ensure you are comfortably overinsured as payout will be reduced due to covering the additional costs of site clearance and temporary accommodation (ie. read your policy document).

            1. John Brown (no body) Silver badge

              I wouldn't call it overinsured. Buildings insurance is supposed to cover for a rebuild. The assessed "value" is supposed to cover up to a full demolition/clearance/rebuild. If it doesn't, then the insurer or their assessor got it wrong and you may well be able to claim on their professional liability insurance.

              1. Roland6 Silver badge

                Now look at what your policy says about accommodation and other costs incurred, whilst you await the restoration of a habitable home.

                However, for many they are less likely to be under-insured on the buildings than they are on the contents, which is where the insurer will be looking to save money. So whilst you might get the house rebuilt, it may be lacking in fixtures and fittings ie. the fitted kitchen is covered under the contents not the buildings insurance.

      3. Anonymous Coward
        Anonymous Coward

        3 years after I moved in to my property I had a fire which gutted the kitchen, and the rest of the property was covered in soot, the bathroom had to be replaced as well purely from smoke damage.

        I will be dead by the time the buildings insurance premiums add up to the cost of repairs.

        I did not have contents insurance. £1,500 for washing machine, fridge, a cheap bed and sofa etc. Now by the above logic I was lucky that my ~£4000 worth of computer equipment was fine because if I had relied on putting insurance premiums in an account it wouldn't have covered it by 3 years...

        I have now lived here for 15 years. If I had lost my computer equipment and borrowed the money to replace everything with new high end kit from a loan shark then I'd have paid less than what insurance providers quote me for contents insurance. If I missed a payment then I would probably also get better customer service from the loan shark than I had dealing with that insurance company regarding the "high quality work" of their mandated contractors.

        1. Korev Silver badge

          I had an accident a few years ago, I saw the amount of money the insurer paid out for my care (multiple operations, weeks in hospital and years of physiotherapy), the insurer will never make that money back.

          1. John Brown (no body) Silver badge

            "the insurer will never make that money back."

            They already did. From the many insured people who didn't have accidents. Insurance is socialised across all payers. At least for now. With "big data" and so-called "AI", it's becoming more and more targeted at the individual such that it could become unaffordable to anyone classed as "high risk". We are already seeing this happening now with drivers and car insurance.

        2. Roland6 Silver badge

          >If I had lost my computer equipment

          If you used your computer for work, it would not have been covered under your home insurance....

      4. parlei

        Insurance is like an airbag or seat belt in a car: I can honestly say that I have never had any use of either. But if I get into a situation where they will be useful (i.e. accident) I will be very happy to have them.

      5. TSM

        When we bought our first house, we were required to arrange insurance as a condition of getting the loan (reasonable enough), and not having strong opinions we opted for the convenient option of arranging it through the lender's insurance arm as part of the settlement process. (We changed insurers later.)

        About a week after we moved in, storm damage meant that part of the kitchen ceiling needed to be replaced. We were glad that we hadn't delayed on getting the insurance sorted out!

    4. Charlie Clark Silver badge

      So, you always know what you're doing? I'm not going to argue that all insurance policies are reasonable and reasonably priced – because we all know there are plenty of overpriced products with little or no benefit – but the basic principle of pooling risk is sound.

      1. ArrZarr Silver badge

        If I were the BOFH, a fictional character in a humorous article, sure. The lack of insurance isn't going to bite him. There's a reason I do have home insurance ;)

        1. Charlie Clark Silver badge

          Well, there is that but your original post was more general.

          While we know the industry has woken up to the potential golden opportunities, I think there is value in having our assumptions that we know what we're doing when it comes to security checked every now and then. But, having observed several negotiations and box-ticking exercises along these lines, I'd always recommend spending the money on pen-testing first to know where you really are vulnerable, especially as new exploits for old software/practices become available. These can form the basis of any discussions, either with insurers, or with customers who expect it. Done well, it's like a checkup at the dentist and can be educational for all concerned.

          OTOH mindless box-ticking remains the most popular approach!

    5. herman Silver badge

      Life insurance is the worst. You are literally betting that you will die before they think you will.

      1. Persona Silver badge

        That same life insurance company would also be happy to sell you an Annuity policy. There they would be betting on the opposite i.e. that you will die before you think you will.

        The house odds, or premium in this case, ensure that on average they win whichever way it plays out.

      2. Roland6 Silver badge

        However, an endowment life insurance is a very good legal tax dodge. Hold the policy for 10 years and all proceeds are tax free, die before 10 years and the payout will be tax free and outside of the estate. The best policies (for investment) are those which had minimum life insurance (think funeral expenses) and allow "massive" contributions....

    6. The Dogs Meevonks Silver badge

      I'm glad I have insurance, because since I moved out of my folks house at the age of 18... I've had the following things happen

      Had my flat burgled, insurance paid out almost 3k.

      Dropped my first PC on a concrete floor, had my insurance replace it with a much better one.

      Dog knocked over the very old 720p only LCD TV, insurance replaced it with a much nicer LED one

      Idiot in a BMW tried to overtake me on the inside of a roundabout and turn left, insurance paid out £1458 for the car I paid £1050 for, let me buy it back for £220, and I spent £600 repairing the dinged door and wing, plus powder coated the wheels, added a reversing camera and came out with around £600 in my pocket.

      Drunk/drugged up idiot in an Audi smashed into my car (and 3 others) whilst it was parked on the road, whilst visiting my parents, insurance paid out £2500 for a car I paid £1900 for, I picked up a newer identical one in the same colour, swapped over a load of the 'improvements' I'd made, inc the powder coated wheels and OEM spoiler I'd had done, stripped out some sensors from the engine bay and removed the sat nav system, headlights and drained the fuel tank before they took the car away.

      I'm now in my mid 40's, I couldn't have survived the burglary in my early 20's when I had no money to replace anything, same with the PC. When my dog broke the TV, I'd given up work to help care for my dad as he had Parkinson's and dementia... so I was living in near poverty for several years.

      As for the 2 car incidents, not really an issue financially... I practised 'bangernomics' where I buy a luxury type of car for dirt cheap money that was at least 10-12yrs old with a 100k or so on the clock and keep it until it becomes uneconomical to repair any more. If you buy the right make/model, you're laughing (I stick with Honda for the ultra reliability, but almost any Jap brand will suffice providing the vehicles are built in Japan)... But the fact I paid £1050 for one, got almost £1500 payout, bought it back, fixed (that thing was like a tank) it up (profiting around £600), and then sold it for £750 a year later meant that cost of ownership for the 4yrs I owned it was negative £300. As for the 2nd car incident, I still have the replacement 5yrs later, it's still running well, and those spare parts I stripped come in very handy, the headlights for example swapped out as the others went foggy, and I'll refurbish those to sell, the satnav system was sold for £200 and I have spare air/fuel/egr sensors should any fail.

      I don't mind paying for insurance.

    7. Richard Tobin

      Insurance increases your expected loss - how else would insurance companies make money? - in return for removing the possibility that your actual loss is much higher.

    8. TechnicalVault

      Not just betting against yourself, other people can cause you loss

      It's not just betting against yourself, but betting that someone else may cause you loss.

      If you look at the origins of fire and property insurance in the UK, you'll find the roots in a catastrophic event, The Great Fire of London. That event was caused by one person's mistake but it caused catastrophic losses to thousands. It's not like you could have even recovered those losses by suing Thomas Farriner, as the value of the losses far exceeded one individual's wealth.

  2. MisterHappy
    Coat

    Ouch!

    "Yes – because we use a different cupboard sometimes – to mix it up a bit."

    This is far too close to one of my previous employers to be a coincidence, surely.

  3. Pete 2 Silver badge

    The Generation Game

    > And it's an enterprise level, next-generation firewall?

    Ummm, if it is deployed then that (by definition) makes it the current generation.

    A "next generation" firewall can only exist in the R&D departments of firewall makers. And you definitely wouldn't want to be running one of those. Not until it gets released as a product and therefore becomes the new current generation.

    1. Doctor Syntax Silver badge

      Re: The Generation Game

      A "next generation" firewall can only exist in the R&D sales and marketing departments of firewall makers.

      FTFY

    2. chivo243 Silver badge
      Pint

      Re: The Generation Game

      I too, was the PFY at one time, I would have made the TNG comment! And every time we had an auditor or some such sniffing around, my hackles raised a bit, and then the baffle them with bullshit mode kicks in...

      Happy Friday --->

      1. Hot Diggity

        Re: The Generation Game

        The problem is that sometimes they baffle me.

        Genuine question that a company I once worked for was asked by auditors - Do you have TCP?

        After a very long pause wondering why this would ever be asked - Yes

        The person asking just had no idea at all what questions would have been relevant to ask or how they should be worded.

        We have annual audits and yes, attempting to baffle them is the only enjoyable part of that process.

        There is always another question to answer.

        After a while, I extend my response time to as long as possible knowing that the due date for the audit completion is coming up and they need to submit their findings by that date.

        1. keith_w

          Re: The Generation Game

          I was once asked, while being interviewed by my manager to-be for a position as network administrator, if I knew anything about TCP. I looked at him in a somewhat amazed way and said 'Yes, it's a requirement to be Cisco certified.' He was the head of technical support and my certs were on my resume.

        2. Bebu sa Ware
          Coat

          Re: The Generation Game

          "Do you have TCP?"

          With or without the IP?

          We tried TP4 but it didn't have anyone to talk to so it was lonely.

          I am very wary of nongs doing surveys obviously sent on fishing expeditions especially by new brooms trying to make their mark by finding synergies and efficiency dividends. Enough hells in this game with fresh ones.

        3. John Brown (no body) Silver badge

          Re: The Generation Game

          "Do you have TCP?"

          Of course! There's always a fresh bottle in the first aid cabinet in case of bug bites.

        4. This post has been deleted by its author

    3. Korev Silver badge
      Boffin

      Re: The Generation Game

      Next Generation Sequencing (NGS) has been a thing in biology labs for ~15 years. NGS itself may well be superseded by some other sequencing technology...

      1. OhForF' Silver badge
        Trollface

        Re: The Generation Game

        If NGS has been around for 15 years labs should be using at least 5G sequencing by now. Is progress in sequencing that slow or is the marketing in biology sub par?

  4. Michael H.F. Wilkinson Silver badge
    Coffee/keyboard

    Brilliant

    Slight deviation for the original BOFH password policy:

    "... Modify the user's password minimum from 6 to 32 letters, give the password a 1 day lifetime, set it so that they HAVE to use the password generate utility when they change their password (so their password will always be something that looks like vaguely pronounceable line-noise), add a secondary password with the same as the above, then redefine their CLI tables so that the only command that works is DELETE, and all other commands point to it."

    Sheer genius.

    Somehow this episode reminds me of the time my wife was pissed off at the sysadmins at her work, because they wouldn't let her stick a post-it with her password on her computer monitor. The spoilsports!

    She was quite offended when I heartily agreed with the sysadmins.

    1. lglethal Silver badge
      Trollface

      Re: Brilliant

      Your wife - what a silly lady! Everyone knows how insecure the post-it note with password stuck to your screen is. That's why the Post-it note goes under your keyboard! I thought everyone knew that!

      1. Rafael #872397
        Coat

        Re: Brilliant

        You could always use KEYBOARD as the password and save a whole entire post-it!

        1. Ochib

          Re: Brilliant

          My password is "Incorrect" so when I type it in wrong, the system tells me that my password is incorrect

          1. Anonymous Coward Silver badge
            Boffin

            Re: Brilliant

            I have a similar policy, but save a step: my password is "your password" - that way when the login screen says to "enter your password" I just do what it says.

            1. Primus Secundus Tertius

              Re: Brilliant

              My user account has a user name PASSWORD and a password that is USERNAME.

        2. frankvw

          Re: Brilliant

          At a large company I contracted with in the 1990s someone in the typing pool had the brilliant idea of using the serial number at the bottom of her keyboard as a password. It took us a while to catch up on why she had login problems every time her keyboard was replaced.

          1. rafff

            Re: Brilliant

            "using the serial number at the bottom of her keyboard as a password."

            But how do you type while reading the underside of the keyboard?

            1. John Robson Silver badge

              Re: Brilliant

              I presume the "at" the bottom, rather than "on" the bottom is relevant here.

            2. Flightmode

              Re: Brilliant

              I'm still convinced that under-keyboard post-its are the number one reason why cellphone cameras were invented.

            3. Nik 2

              Re: Brilliant

              "But how do you type while reading the underside of the keyboard?"

              Clever people, touch-typists...

          2. jmch Silver badge
            WTF?

            Re: Brilliant

            "It took us a while to catch up on why she had login problems every time her keyboard was replaced."

            Wait, how often WAS her keyboard replaced? More than once even over a span of several years is surely unusual! (unless she kept glasses of coke on her workspace)

            1. tezboyes

              Re: Brilliant

              Well it was the 90s, so presumably they were cheap nasty keyboards that couldn't stand up to the amount of pounding a professional typist can get through. Should have got a proper old IBM beast, the kind that you can use as a weapon!

      2. This post has been deleted by its author

      3. An_Old_Dog Silver badge
        Devil

        Re: Brilliant

        I have a Post-It note with a password stuck to the bottom of my keyboard! It's 64 characters long, looks like modem-line noise, and is, of course, totally wrong.

        (Icon for BOFH.)

    2. phuzz Silver badge

      Re: Brilliant

      In a shared office, it's a bad idea, but for a home user it's not so bad. It's about the interplay between physical, and network, security.

      1. Anonymous Coward
        Anonymous Coward

        for a home user it's not so bad.

          Indeed. A home user can type the password from a poster hanging across the room and it will still be more secure than any office warrior with 100 eyes/lenses on their hands when typing.

        Most passwords are stolen using key-logging malware or retrieved from massive password leaks anyway (remember LastPass, or [breach of the month]). That is why world&dog wants everyone to use passkeys.

      2. Charlie Clark Silver badge

        Re: Brilliant

        Sounds quite habit forming. If so, better to learn good habits no matter where you are.

        1. John Robson Silver badge

          Re: Brilliant

          Humans are really quite good at looking after small pieces of paper to which they attach value.

          Paper can't be hacked, so the pool of people who can possibly access said piece of paper is very small indeed - certainly when compared with the count of ne'er-do-wells online.

    3. Charlie Clark Silver badge

      Re: Brilliant

      I recently came across just such an exhibit! The person concerned had left the company so no, er, discussions were required.

      1. The Oncoming Scorn Silver badge
        Pint

        Re: Brill!ant

        I usually create passwords, based on UK Railway Station Names, but for the last few years I've been using Bandname"LP Title"Year, while meeting the usual requirements.

        Up until earlier this year when it came to changing the password, I used the same password while only changing when I hit the shift key (Must be said my password is actually half as long again as the minimum).

        Then we moved to a new authenticator system, they gave me access as part of my support role to the authenticator password & I now just set myself the same password when it expires.

        1. Charlie Clark Silver badge

          Re: Brill!ant

          The recommendation for the last few years from several official bodies, including the German Federal Office for IT Security, is that as long as passwords are sufficiently complex, they shouldn't expire. This is because forcing people to renew often ends up encouraging bad practice, along with the lockouts by the usual suspects who changed passwords just before going on holiday…

          Passphrases to generate mnemonics (Battery horse staple…), or strategies like yours are great for stems, but need extending with something service specific to make them both more complex and memorable.

          1. collinsl Silver badge

            Re: Brill!ant

            > (Battery horse staple…)

            Correct!

          2. John Robson Silver badge

            Re: Brill!ant

            Why use a mnemonic... why not just use the whole passphrase?

            It's verging on criminal that touch typing isn't taught in primary schools alongside writing - or maybe a little later in primary school.

            Typing words is generally faster than typing random strings, even if you know the string reasonably well, just because the letters are definitely the "focus" point of our keyboards, and we already have the muscle memory and patterns built in for typing words.

            Wow - it's amazing how many more typos I made typing that sentence than I normally do...

        2. Anonymous Coward
          Anonymous Coward

          Re: Brill!ant

          When setting up new accounts, our sysadmin used to set the password to whatever she saw out of the office window at that moment. People would be given accounts with passwords like "BigRedBus", "PoliceCar", "HeavyRain", etc.

          1. lglethal Silver badge
            Joke

            Re: Brill!ant

            So that's why I was given the password "Twodogsf%&king"...

            1. PRR Silver badge

              Re: Brill!ant

              > I was given the password "Twodogsf%&king"...

              No joke: I was helping the boss with a PEBCAK problem, and it turned out his password was 'fükker'. That was apparently his grandmother's pet name for him. I did not want to know how or why this happened.

              1. KarMann

                Re: Brill!ant

                Ever seen The Corsican Brothers?

          2. M.V. Lipvig Silver badge

            Re: Brill!ant

            I've started using patterns now that the company is demanding 15 characters with numbers, caps and special characters included. Come password reset time, I use the same pattern and just shift one key to the left for the first character. They get their security and muscle memory lets me "memorize" the line noise.

            1. David Hicklin Silver badge

              Re: Brill!ant

              Car number plates and postcodes along with an extra random character or 2 work well

              1. Terry 6 Silver badge

                Re: Brill!ant

                Maybe old reg numbers and childhood/relations' addresses/phone numbers.

                Anyone who's going to dig that deeply into your life that they know your aunty Mary lived at 7TheWillowsLE17 or that your dad's first car was BRM123D is more of a threat than a mere scammer/hacker.

            2. John Robson Silver badge

              Re: Brill!ant

              Password reset schedules are just dumb in the vast majority of cases.

              I mean at least I can genuinely say that I have no idea what my password is, I know how I generate it though: "openssl rand -base64 21"

              Then it lives in a password manager, and I don't touch it again until it's time to renew it, at which point I generate it and put it in a text document so that I can easily copy it to the dozen or so things which need it in the first two days. Then it can get scrubbed... but I don't yet have a password manager I can tell "all these things that you think are different are backed by the same SSO login, update them all at the same time".

          3. Doctor Syntax Silver badge

            Re: Brill!ant

            I once used the species of tree outside the window. But then the tree got too big & I had to cut it down...

        3. Korev Silver badge

          Re: Brill!ant

          As a former cell biologist, I sometimes use the names of constructs and cell lines that I used in ancient history as they look about as random as regular expressions when written down

    4. Anonymous Coward
      Anonymous Coward

      Re: Brilliant

      My wallet has a business card with five 4- and 5-digit PIN numbers and a number of passwords written on it.

      There goes the 4 tries logging in.

    5. herman Silver badge

      Re: Brilliant

      Sticky note!? Everybody knows the proper place for a password is written with a permanent marker on the underside of the keyboard.

      1. veti Silver badge

        Re: Brilliant

        At least sticky notes are detachable. Thus obviating the "read one side of the keyboard while typing on the other" challenge.

  5. Antony Shepherd

    Lock it up in a box...

    In a previous job, all the server passwords were written down on small cards and placed inside one of those little cashboxes that was kept in the bottom drawer of my desk.

    It was locked, obviously, but nothing a good screwdriver couldn't break open.

    The reasoning of the person who suggested this was if ne'er-do-wells could get to the box it was already a security fail.

    1. Ol'Peculier

      Re: Lock it up in a box...

      It's like locking internal doors. If they are already in, all that's going to happen is you have more doors to replace.

      1. Yet Another Anonymous coward Silver badge

        Re: Lock it up in a box...

        It does stop "intruder with clipboard wandering around like they are supposed to be there"

        Just watch any Defcon talk about pen testing

        1. TRT

          Re: Lock it up in a box...

          "Well, we don't put up floor plans of the data centre on the walls any more. And we've taken all the direction signs down".

          "Yes, any intruder ignorant of the building layout would be at a distinct disadvantage."

          "What? Security through obscurity is no security!"

          "They'd need to know which corridor to go down."

          "What door to open."

          "When to duck."

          1. OhForF' Silver badge

            Re: Lock it up in a box...

            Auditor: What do you mean, the PHB ending up in the basement failed at security?

            BOFH: He did not remember the pattern of active pitfalls to deter intruders changes every Tuesday.

          2. tezboyes

            Re: Lock it up in a box...

            When to duck.

            When to jump.

            When to swivel.

  6. Herby

    Warning...

    Common sense is not allowed here. Most password requirements devolve into using post-it notes (as described above). Especially if password managers are not allowed (like the last place I worked).

    Insurance? Paying Vinny usually worked quite well...

    1. John Robson Silver badge

      Re: Warning...

      "Especially if password managers are not allowed (like the last place I worked)."

      They banned notepad?

      1. Evil Scot Bronze badge

        Re: Warning...

        Worse...

        They built AI into it !!!!!!

      2. Yet Another Anonymous coward Silver badge

        Re: Warning...

        No they banned the bard whose only job was to learn everyone's password and recite it back to them.

        At least after he was promoted to manager

        1. tezboyes

          Re: Warning...

          Paul Simon ?

          (You can call me AI)

  7. Anonymous Anti-ANC South African Coward Silver badge

    Inn-sewer-ants

    If old Foureyes comes along, and gives me an inn-sewer-ants policy, I'm going to read it well through for any loopholes in my favour before signing it...

    1. Diogenes8080

      Re: Inn-sewer-ants

      X-Clacks-overhead...

      1. Evil Scot Bronze badge

        Re: Inn-sewer-ants

        I see you have found a job with no heavy lifting.

        (We need a black hat icon. GNU pTerry)

    2. Prst. V.Jeltz Silver badge

      Re: Inn-sewer-ants loop holes in my favour

      So you're going to bet me that the pub doesn't burn down?

  8. Prst. V.Jeltz Silver badge

    "So you don't use a non-privileged user for day-to-day work?"

    Amazing how long it took for that to become the norm, around here anyway.

    1. Yet Another Anonymous coward Silver badge

      We have an excess of non-privileged users, HR stopped us calling them incompetent

    2. Doctor Syntax Silver badge

      With sudo every ID on the sudoers list is a privileged user ID but I suspect most are used for everyday work.

  9. Coastal cutie

    And there was I expecting Brian to get defenestrated - the BOFH must have been in a kindly mood

    1. Charlie Clark Silver badge
      Thumb Up

      Or, at the very least have his own policies and payout exemptions tested… No payout when his company car mysteriously drove itself into a wall, because the doors can be opened by the proximity of one of his wearables…

    2. TRT

      He did need to file the report... but you know there's a lot of "red ink" inside your average insurance assessor.

    3. Doctor Syntax Silver badge

      "the BOFH must have been in a kindly mood"

      Not at all. Brian had a function to perform.

  10. TRT

    In sewer ants...

    It's got something to do with the reflected sound of underground spirits.

  11. herman Silver badge

    I was expecting a neat list of passwords on a sheet of paper on the notice board in the corridor, with a webcam pointed at it.

    1. Excused Boots Silver badge

      "I was expecting a neat list of passwords on a sheet of paper on the notice board in the corridor, with a webcam pointed at it."

      Don't...Give...Management...Ideas!

    2. Terry 6 Silver badge
      Joke

      You've just invented the password manager

  12. Bebu sa Ware
    Windows

    Password Policy

    The spouse once (late 90s, early 00s) worked in a financial institution where the policy required changing passwords (>8 chars, mixed case, digit+, special+) every few months but there wasn't a diktat about post-it notes. The staff in the department had long ago worked out that the system only recorded the last five passwords, so each monitor had a post-it note with a list of the six passwords they used cyclically. Was probably some DEC system with TCB.

    At least recently the recommendations on password policy are a little saner.

  13. Doctor Syntax Silver badge

    I'm sure there's lots of harmless fun to be had going round the office after hours swapping post-its between keyboards.

  14. dmacleo

    I Love PFY

    nuff said

  15. Blackjack Silver badge

    Hopefully the BOFH actually has the backups up to date, that's where he stores all the blackmail material after all.
