Being a former Navy man I thought a spin-off of the phrase “Dam the torpedoes, full speed ahead” said by Admiral David Glasgow Farragut was appropriate. Changing the phrase to fit my thoughts on how many software companies and developers still to this day don’t consider security when designing or updating application design and code.
Three Strikes and You’re out
It seems enforcing policies of complex passwords and locking accounts after 3 failed attempts is causing problems for one application in particular. It was written back at the beginning of the millennium and apparently not updated since.
According to complaints, users are being locked out because the policies are too strict. In addition several service accounts created during installation and needed to run the application are being locked out. One of the accounts is having major issues. Seems it runs a critical part of the application and is used by users when creating ad-hoc reports. If they don’t create the reports correctly and lock the account it brings down a major part of the application. Now that is some fancy coding right there folks.
They software vendor is requesting we remove the password policy so the users and the service accounts will never lock out. Their reasoning is based on how “it works” in the civilian sector without any password restrictions or lockout polices.
This way the users can attempt to log into the application as many times as needed until they log in with the correct password. Not to mention some of the passwords like “password1” and others similar can continue to work. After all it is a COTS product and any modification will require moths of code changes and tests and could cause major delays in the deployment.
Normally when those words are spoken by me or someone I call a friend, we are talking about adult beverages being consumed. This particular occasion I am speaking of my attitude and apparently what I must do to remain sane due to all the anti-intelligent thinking going on.
During a conference call the other day I was chatting with one of the managers via instant messenger about the request. Their advice; “Lower your standards”. Now, I really like this manager. But I must respectfully disagree with them on several levels on this one. Why is doing the right thing by enforcing policies for safety, security and just plain common sense so hard?
You can rationalize all you want if that makes you sleep better at night. I on the other hand have a real hard time doing things that just don’t make sense or are changed due to the political nature of the project.
“If doing the right thing is wrong, then I don’t want to be right.” – Unknown Author
The image wording to the left may be little extreme. Perhaps I am over reacting. Or maybe I actually care about some of these things others seemingly don’t care about. Until there is some type of preach or someones data is exposed due to loosening of some of the security safeguards. I don’t know. I think for now, I am just going for my type of attitude adjustment.