It is a subject that is overlooked and ignored, but very real: are
complex passwords required, and are they an asset to the company? I
know one thing: they cost an awful lot of money to maintain.
What I have detailed below happened in one of the largest
manufacturing plants in the UK; it had been standard practice for
nearly a year.
On a pre-inspection walk down, I checked one of our DCS (Distributive
Computer Systems), just a housekeeping visit to make certain that all
was clean and tidy and there was nothing to evoke the regulators'
interest. There, on the side of the display unit, was a post-it with
an alphanumeric string of around 10 characters on it.
I could not relate this string to a user name (not there and then),
but I could go into the system and see which operator was starting,
clearing and accepting product batches, and yes, to my abject horror,
it was the same operator on nightshift, dayshift and weekends. It
would appear that the complexity of the password, along with the
three-monthly change, had led to a lot of erroneous password entries
and subsequent lockouts, which closed down production until a
suitable person could reset it.
At weekends and meal times this was often a considerable amount of
time. Since closing the line was serious enough to warrant a severe
telling off, along with adverse comment being inserted in the staff
records, the staff slowly became apprehensive about using their
passwords. If there was one there that everyone was certain about,
they all used it. This is a very serious cGMP breach, a practice the
FDA require to lead to at least the threat of dismissal.
So the moral of this is: why have complicated passwords when the
risk is that people will not use them? From the pharmaceutical point
of view the security lies in the history log much more than in the
password, i.e. events are time- and date-stamped in sequence, so
hiding an illegal change is difficult and beyond the ability of all
the users.
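As an added example that is not part of the original post: a small Python script that walks a constructed batch history log and flags any operator ID that appears on nightshift, dayshift and weekends alike, the pattern found on the walk down above. The log layout (timestamp, operator, event, batch), the operator names and the shift boundaries are assumptions made for the illustration.

```python
# Added illustration, not the plant's own tooling. It reads a constructed
# batch history log and reports operator IDs active on every shift, which
# is a lead for investigating shared credentials, not proof of it.
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line: "timestamp,operator,event,batch"
SAMPLE_LOG = """\
2009-03-02T02:15:00,op17,start,B1001
2009-03-02T09:40:00,op17,clear,B1001
2009-03-03T14:05:00,op17,accept,B1002
2009-03-07T11:30:00,op17,start,B1003
2009-03-08T03:00:00,op17,accept,B1003
2009-03-04T10:00:00,op22,start,B1004
2009-03-04T15:30:00,op22,accept,B1004
"""

def shift_for(ts: datetime) -> str:
    """Assumed shift pattern: Sat/Sun = weekend, 22:00-06:00 = night, else day."""
    if ts.weekday() >= 5:
        return "weekend"
    if ts.hour >= 22 or ts.hour < 6:
        return "night"
    return "day"

def parse_log(text: str):
    """Parse the CSV-style history log into (timestamp, operator, event, batch)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, operator, event, batch = line.split(",")
        rows.append((datetime.fromisoformat(ts), operator, event, batch))
    return rows

def shift_coverage(rows):
    """Map each operator ID to the set of shifts on which it acted."""
    cover = defaultdict(set)
    for ts, operator, _event, _batch in rows:
        cover[operator].add(shift_for(ts))
    return dict(cover)

def suspected_shared_ids(rows, all_shifts=("night", "day", "weekend")):
    """Operator IDs seen on every shift; one person rarely works all three."""
    return sorted(op for op, shifts in shift_coverage(rows).items()
                  if set(all_shifts) <= shifts)

if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for op, shifts in shift_coverage(rows).items():
        print(op, sorted(shifts))
    print("suspected shared IDs:", suspected_shared_ids(rows))
```

On the sample log the script reports op17 alone, since op22 only ever acts on the day shift.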