3

I'm a new hire low-level engineer at a large company in the US. When signing up for my benefits/insurance package, I noticed that the password requirements included a 9 character maximum. Needless to say, I don't feel very comfortable committing personal information to such a lax requirement. [1]

Due to my (low) status, is it acceptable to bring this concern to IT and/or HR, or would that rock the boat? [2] I brought it up colloquially with my direct managers (with whom I have good relationships), and while they acknowledged the bad practice, they didn't seem too bothered about doing anything about it. They are most likely used to it, having signed up years ago.

I would very much not like to go with the flow and (a) not feel that my personal information is secure, and (b) let this practice go unnoticed or unreported. Of course, I feel silly thinking that the company would change a long-standing (and perhaps minor) policy just for me. But after all, every bad security practice is fine until it becomes very not fine very quickly.

[1] Since this is workplace and not a security SE, please that assume this is bad security practice that should be avoided so that we can discuss the question at hand, not proper security policy.

[2] In response to some feedback in the comments, please note that I am not suggesting going to the head of IT and screaming bloody murder about the massive security hole in their system. I had more of the following in mind: Hi [IT/HR person with whom I have a relationship], I noticed there was a 9 char password limit on [...], is that something that can easily be changed to allow more secure passwords? Thanks, Me.

nivk
  • 157
  • 5

6 Answers6

10

Due to my (low) status, is it acceptable to bring this concern to IT and/or HR, or would that rock the boat?

Short answer: Go with the flow. (for now)

I would wait to bring this up until after you have been with the company awhile ( six months plus ). They did not pick 9 characters ( right or wrong ) out of thin air, and whoever was involved with the development of the policy put in some time to create it.

As you establish yourself with the company, find out who wrote the policy and politely offer your suggestions, including reference material to support your suggestions.

Neo
  • 84,783
  • 53
  • 276
  • 322
  • 2
    They did not pick 9 characters out of thin air - This. Chances are they have a legacy system with a password limit of 9 characters. Im not sure it matters who wrote the policy but there has to be someone who is responsible for keeping it updated and current. That is the person to talk to. – IDrinkandIKnowThings Sep 06 '17 at 18:04
  • Interesting point, I had not considered that it might be a complicated legacy system. That probably tells you a little bit about my age (and reminds me how dated certain acronyms like "Eight Megabytes And Constantly Swapping" sound). That would make it significantly more difficult. @IDrinkandIKnowThings, is this then a recommendation to bring it up with someone? – nivk Sep 06 '17 at 20:30
  • 2
    @nivk - My best advice for starting a new job is to listen alot, ask questions where appropriate, and until you have a full understanding of what is going on do not offer advice on how to change anything. – IDrinkandIKnowThings Sep 06 '17 at 20:39
  • @IDrinkandIKnowThings, It's worth noting that I'm not in the IT department. The things I'm listening to and asking about are entirely unrelated (I'm an electrical engineer). Updated footnote on OP may clarify my intentions. – nivk Sep 06 '17 at 20:52
  • It is not unprofessional to send that email. It may very well be unwise to send it though. See my advice above. – IDrinkandIKnowThings Sep 06 '17 at 20:53
  • @nivk best to leave it be for now. – Neo Sep 06 '17 at 20:54
  • 1
    @IDrinkandIKnowThings, I tend to agree. Thanks for your help. I'll leave it be for now and possibly revisit later when I have more clout. – nivk Sep 06 '17 at 21:07
  • @IDrinkandIKnowThings Id bet real money this password has to fit on an AS400. – mwbl Sep 07 '17 at 20:48
4

So...I hate to bear bad news but...

  1. You're being too sensitive. If someone wants to break into the employee records, someone's password is not the vector they would choose. And if they do try, there is a near 100% chance someone's administrative password is far less 'secure' than anything you would choose.
  2. If it's a 'large company', their internal security personnel, auditors and lawyers are probably aware of this and are ok with it.
  3. A 'large company' is not going to change their policy over this, sorry :(

Finally, there's this: Man responsible for strong password requirements regrets his 2003 guidelines

DTRT
  • 4,870
  • 1
  • 15
  • 24
  • I 100% agree with #1, we have just had a round of memos warning about (far more common and successful) phishing scams. Still, this is (a) for personal and health information, not company information, and (b) a relatively simple fix with very low cost. Re #2,3 it's worth noting that passphrase requirements in other parts of the co are much more strict. I have no idea why a 9 max was chosen for this. Re finally, yes this is exactly what I am trying to avoid, a la xkcd! – nivk Sep 06 '17 at 16:54
  • @nivk 97%, the 'password' field in some museum candidate HR system is limited to 9 chars. This will be fixed when the new multi-million dollar replacement is finished after 4 years of delays...welcome to the corporate world! – DTRT Sep 06 '17 at 17:03
  • So, any reason for the Downvote? Any comment? Totally unwarranted and misleading. Should be ignored. – DTRT Sep 06 '17 at 17:21
  • I didn't downvote, but to me this answer reads mostly as a challenge to whether it's bad security policy, rather than whether, assuming it's bad, it should be brought up to management. – S. Grey Sep 06 '17 at 17:39
  • #3 is the only one that matters but you do not explain why they will not change their policy... – IDrinkandIKnowThings Sep 06 '17 at 18:02
  • @S.Grey - well, the degree of "badness" is entirely relevant as to whether the OP should agitate for change, and to what degree. Any advice that ignores that aspect is pretty useless. – PoloHoleSet Sep 06 '17 at 18:12
  • @Johns-305 As mentioned by others, Item 3 is the only relevant part. – Neo Sep 06 '17 at 18:18
  • 1
    @PoloHoleSet Relevant, sure. However all but one short sentence in this answer is challenging the premise rather than answering the question, and the crux of the question is not addressed. – S. Grey Sep 06 '17 at 20:52
0

You've really got two choices here:

  1. Use the system and sign up for your benefits. Use the strongest password you can come up with.
  2. Don't use the system, and pay for your own benefits because it's likely that no one at work is going to do the on-boarding in your place.

Even in the case of #2 above, the whole system is only as strong as the weakest administrator password used. Realistically, a large company isn't going to rush to make changes over something like you're describing. You're probably too far down the pecking order to make much of a difference unless you, by some token, discover a factual breach in the authentication.

Xavier J
  • 42,848
  • 10
  • 86
  • 146
0

is it acceptable to bring this concern to IT and/or HR

Generally, no - at least not yet. Not just because you're new to the organization, but also because you aren't IT. To put it bluntly, the background of your question comes across to me as you "knowing better" than the professionals whose entire career is deciding these things, despite the fact that, by your own admission, you aren't an expert on the topic. And I'm not the least bit invested in your company, so imagine how those in said roles in your company would react.

Once you get your feet on the ground, understand how the organization works, and get to know the people, then sure, if it still is a concern to you, carefully float the question to those who would be receptive. But going out of your way to question security of systems that aren't part of you or your department's responsibility as a new, non-IT employee is a bad idea and a good way to get a reputation as a high-maintenance employee.

Lastly as a bit of an aside, most large organizations, assuming we're defining large as something on the order of 10,000+ employees (not 500 employees or the like), will have a robust risk management program. At the highest level, security isn't just about "this is the best technical security configuration to make, therefore you must do it," but rather, it comes down to making executive decisions about balancing risks versus benefits. So most likely, people know about it, and have decided that it is worth the risk to follow such password policy.

S. Grey
  • 267
  • 1
  • 7
-1

In a perfect world, people would consider ideas based on their merit and not the credentials of the source, and people would be happy to be informed that they had made a bad decision so that they could correct it and avoid the same mistake in the future.

But in a perfect world, everyone would be honest, no one would try to steal your information or use it maliciously, we wouldn't need passwords, and we wouldn't be discussing this.

In real life, most of the time someone who just started with the company a few weeks ago gets very little respect. You haven't proven yourself yet. You could be the smartest person in the room, but no one knows that. And so the people who have been there a while and have proven themselves aren't likely to take criticism from you very well.

Not always, of course. But often.

If I were you, I'd just go with it for now. Gain some respect by doing quality work. Work that doesn't involve saying that someone else's work was bad. Then, when you've established yourself, you will have enough respect so that when you politely say that some past decision was a bad idea, people may be willing to listen.

Jay
  • 11,053
  • 1
  • 24
  • 37
-1

If you feel strongly that this is an important issue (I am following your note not to comment on my perspective on that), you should bring it up to HR. It sounds like you are early in your career -- you will be faced with issues like this all the time. It is your job as an engineer to find problems and report/fix them.

If you go to HR (rather than IT) they should be in a position to take your feedback and forward it appropriately. It may be that nothing is done -- then it is up to you to decide whether to accept it or not (you can walk away from the job or refuse the benefits if the issue is important enough to you). HR will not retaliate, and assuming you present your issue in a professional manner this should not cause any problems for you. Who knows? Maybe you'll be the 100th person to complain and they'll finally fix it. In any case, you'll be a more valuable employee and a better engineer for not letting the issue drop.

Joe
  • 37
  • 3