IT at work changed everyone's email passwords to have the same format where what differs from account to account is the LAST 4 DIGITS OF THE USER'S SOCIAL SECURITY NUMBER. When I complained, the CFO told me that since banks, et al, use it for ID purposes, it must not be that bad an idea.

I tried to explain that institutions accepting that as proof of ID is the reason it's a bad idea and was ignored.

Holy shit guise! I think maybe my complaining got through to them! Tomorrow he is re-enabling password reset and TFA!

Show thread

I'm not even mad that his email seems to consider TFA some kind of new idea that just came out, like he's reading the wind and soon everyone will be doing it

Show thread

@tomasino bonus points: in her response she also included a friendly paragraph about how if I'm not happy here, there are other places to work. Made me feel warm and fuzzy.

@W10x12_UNO is your company high profile enough you can "whistle-blow" on her to the press? shame shame shame?

@tomasino No, we're not a very big operation and even if every client we work with was provided with a detailed account of the situation and why it's wrong, I doubt they would lose face in the industry. Construction manufacturing is as backward an industry as it seems like at first glance.

@W10x12_UNO I guess you have no choice but to hack them! For justice.

@W10x12_UNO at least they're not publicly visible but that's just ... wow, that's just such a bad idea!

Did they already know everyone's password or are they just newly incompetent?

@thenomad I really can't explain it. At first, his genius idea was that no one should know their own password, because someone put their password into a phishing site. He decided he would enter everyone's email password for them so no one could accidently divulge their credentials.

But then out of nowhere, this happened. He gave me a sticky note with the password on it (company initials in all caps + "mail" + social + "!") and asked me to make sure that the number was right.

@W10x12_UNO Did he suffer a stroke? That "password" is ... so insecure as to be meaningless. It's also unsafe and unwise and a bunch of other things.

@thenomad He has zero training for this role. His only internetworking-adjacent skill is buying domain names he thinks he'll sell for millions.

He's the sole IT for a 150 person company and he was just promoted to that spot from an unrelated department. He just conned the execs into thinking he knows what he's doing. Nothing will convince them that he's not an expert.

@W10x12_UNO He's *just* heard about 2FA, therefore it *must* be new. Otherwise he'd have heard of it before, right?

Sign in to participate in the conversation
Mastodon @ SDF

"I appreciate SDF but it's a general-purpose server and the name doesn't make it obvious that it's about art." - Eugen Rochko