Tuesday, July 23, 2013

Crazy Password Protection

When I open the pharmacy, I log into three computers and a cash register.

To put the cash drawer in the register, I need to enter my employee ID and password.

Then I need to log in to three different computers. First I put in the staff pharmacist ID and password. Once the computers boot up, I need to load the software to process prescriptions. I need to enter a common user ID and password for each processing window. For all three computers, I do that ten times. Once each processing window is up, I have to log in again with my own user name and password, THEN enter my initials, and enter yet another password. Then on the computer by the register I load yet another program to "sell" prescriptions and take them out of workflow. That's another ID and password. Then I need to load an additional program to see pseudofed products. I don't actually log in at that time because it will time out and I'd have to do it again later. BUT I put the ID and password in the boxes so that I can just click GO when the time comes. Then I have to log in to the pharmacy "portal" (another user ID and password) to check for tasks to do (recalls, etc). Then I have to log in to the company's email to check email. 

How many different times have I put in a user name and password? I don't know, I lost count. But this isn't all. There are other places which require user IDs and passwords. And the best part, every few months we have to change them all. Bear in mind that I'm in the pharmacy where the door is always locked. No one is allowed in the pharmacy except pharmacy personnel. Despite this, we still have to enter all these user IDs and passwords all day long. Apparently the company takes all this privacy very seriously.

Except today.

Today the "home office" called. What was her name? Christy? Carly? I don't remember. It was MONDAY MORNING and I'm FRICKING BUSY.

Whatever her name was says to me, "I'm calling from the corporate office. I need your user ID and password."

"Excuse me," I said.

"Yes, didn't you read the email? We're working on [something that corporate thinks is really important but in the grand scheme of things doesn't Gather Food for Vaal]. I need your ID and password to log in."

"Seriously? You want me to give you my user name and password?" Keep in mind that we do not have Caller ID and for all I know this is a hacker in China trying to get into our system.

"Well you can email it to me. Didn't you read the email?" Now I'm not kidding you, we literally get about 50 emails a day about everything from how items should be placed on shelves to emails about mandatory videos we have to watch about KEEPING COMPANY PASSWORDS PRIVATE.

"Ok, I'll email it to you."

Ten minutes pass. The RPM calls. She wants to know the user ID and password. At this point I'm defeated. I have to give in. The god of the company has called, but apparently god doesn't know everything because she doesn't know my ID and password. So much for deity. To add to the fun, the RPM tells me that I need to give out my password when corporate calls asking for it. All these years I've been told to keep the IDs and passwords secure and now I'm just supposed to hand them over anytime someone asks?

Now we have a paradox. The passwords which I have been sworn to secrecy with blood oaths and threats of termination are apparently ok to just hand out anytime someone claiming they're from corporate asks for them. This is why HAL 9000 killed the astronauts, you know. He went nuts because of conflicting orders and crap like this is why I'm going to go crazy... more crazy than I already am. Many more conflicting orders from corporate and, well... "Daisy, Daisy, give me your answer do... I'm half CRAZY... over the love of you..."

1 comment:

technorantia said...

Doesn't surprise me at all. At work I have to swipe through *nine* proximity card controlled doors, gates, lifts and security turnstiles to get to where I am going, including showing picture ID to a security guard just to get at one of the gates.

Once I'm there, in one of the most secure rooms in the company, I have quite literally 63 different application logins, most of which expire once a month, and all of which have session timeouts ranging from 40 minutes at best to 10 minutes at worst.

So what do my workmates and I do? We set up login macros, print out sheets of passwords and hang them on our desks, and have post-its everywhere with security details on them.

Somebody regards this as "security". We regard it as "exceptionally annoying" and "a complete impediment to getting anything done."