Cyber Security

IT department celebrates third anniversary of that password reset email everyone’s been ignoring

The information security team at Midlands-based logistics firm Hartwell Distribution gathered this morning around a slightly stale Colin the Caterpillar cake to mark three years since they first sent the company-wide email requesting all staff update their passwords to meet minimum security requirements.

The message, which has been forwarded, re-sent with increasing urgency, and eventually just silently wept over by the IT department, currently sits unread in approximately 340 of the company’s 400 employee inboxes. The remaining sixty employees opened it, briefly considered complying, then returned to using the same eight-character password they created during the Blair administration.

Gary Pemberton, Head of IT Security, spent the anniversary morning watching someone from the finance department attempt to log into the shared drive using ‘Hartwell1’, a password that appears on seventeen separate dark web databases and was cracked by a moderately determined teenager in under four seconds.

“We’ve tried everything. Pop-up reminders. Mandatory training modules. That one where you have to watch a cartoon hacker steal someone’s identity whilst gentle piano music plays in the background. Last month we even offered a £20 Amazon voucher to the first person who enabled two-factor authentication voluntarily. Nobody claimed it.”

The celebration comes just days after the department’s latest security awareness campaign, a colourful poster series featuring a worried-looking padlock character named ‘Locky’, was installed in the break room. Early reports suggest the posters have been universally ignored, with one now bearing a coffee stain and another partially obscured by a notice about someone’s missing Tupperware.

Jennifer Walters, a systems administrator who joined the company eighteen months ago, has already developed the thousand-yard stare common among IT security professionals. She notes that roughly half the company has written their passwords on Post-it notes affixed directly to their monitors, whilst the other half uses variations of ‘Summer2024’ and will presumably migrate to ‘Winter2024’ without prompting.

“There’s a man in procurement who still hasn’t changed his password from the temporary one we assigned him in 2019. It’s literally ‘TempPassword456’. He’s been hacked twice. We’ve sent him six emails, visited his desk in person, and once left a handwritten note. He remains serene in his commitment to that password.”

The company’s multi-factor authentication rollout, initially scheduled for January 2023, has been postponed indefinitely after a focus group of senior managers described the requirement to check their phones during login as ‘a bit much, really’. The IT department has subsequently lowered its ambitions to simply hoping people might consider not using ‘qwerty’ as a password, though even this modest goal appears optimistic.

The morning’s celebrations concluded with Pemberton cutting the cake with a letter opener, as nobody could locate the kitchen scissors. Their password-protected location remains, as ever, a mystery nobody seems particularly motivated to solve.

Leave a comment

Your email address will not be published. Required fields are marked *