Password Management Is Real Risk Management


Who says you need to have a process for managing passwords on your IT systems (one that includes back-up contingencies and perhaps technology)?

This is risk management 101.

This story out of San Francisco, while entertaining enough as chuckle-inducing news, is not the kind of thing you want your company in the press about... The city of San Francisco had its network systems held hostage by an employee who evidently changed network system passwords and withheld them. For nine days.


Luckily for them, the city--with access to the police, judges and steel bars-- was able to easily get a judge to make this disgruntled-employees' bail so astronomical ($5 million, damn) that he's forced to negotiate from jail with the mayor of the city, who saves the day and calls off the pricey Cisco from continuing its emergency decoding project. But nine days is embarrassing.

What's with city technology workers and Cisco lately?

As I said in the careers blog over at eWEEK:

[A]s an organization (hey, IT managers, I am speaking to you), don't entrust one person to be the holder of critical-system passwords and not have a contingency process and technology in place to handle. This just means your employers name is going to be all over the press, and maybe your name too. This isn't to say that rogue employees who prove to be difficult will not occur. In many small or mid-level organizations, it's not financially feasible to employee a second network or system administrator. It's too expensive. But having backup and shared root password responsibilities is essential, and there is some password management technology out there that could help.

As eWEEK columnist Larry Seltzer rightly points out, what if you fell through a manhole?

How do you manage passwords? Share your password management practices (and maybe some unfortunate nightmares, without naming names, of course).