Social Deconstruction II

In a previous post, Social Deconstruction I reflected on a barrier that had been put up on a Thursday, and by Sunday, completely bypassed. I had recent cause to revisit that area again recently and

Barrier bypassed

Barrier bypassed

as you can see, an actual, real gate has been put into the fence. The power of the crowd basically overruled the original intent of the landowner.

Of course, this could have been done from day one.

This is true in the IT world. How often has the security department come and said, “we’re implementing this new security policy” with little input from actual users and are surprised when users get frustrated and try to bypass the new security feature.  I had this happen at a client of mine. In the case of the fence above, people bypassed the security the fence builders wanted (presumably to reduce liability), and by doing so, increased their chance of getting hurt (and ironically, presumably increasing liability).

One of the security features that I think annoys most of us are passwords, or more accurately arcane password requirements. For example, some systems require a certain amount of complexity, but don’t necessarily tell you what the rules for complexity actually are! Yes, I’ve had that happen. Turns out they required special characters, but, only a specific subset of special characters and the ones I tried weren’t on that subset.

Now a minimum password length, makes sense. A one character password can be cracked by anyone. But, what about short maximum password lengths? Yes, perhaps that was a good idea when memory and storage were scarce (ok even then, not a great idea) but not so much these days. Yet, I know at least one system where your password has to be between 8 and 14 characters.

Another annoyance is the “must change every N days” where often N is something like 90 (though I’ve seen even lower). What does this mean? Folks end up with passwords like: Secur3Passwrd$1, Secur3Passwrd$2, Secur3Passwrd$3, etc.

Truth is, many of the so called password rules, actually encourage us to create lousy password, and so we repeat stuff, or write it down or take other steps that make it easier for to use them, but also as a byproduct weaken passwords.

The National Institute of Standards and Technology recently released an updated set of guidelines: NIST 800-63B that discuss good password requirements (note I have NOT read the entire document, just large portions of it).  Spycloud has a decent review here: New NIST Guidelines Acknowledge We’re Only Human. I’m not going to recap the recap here, but I will add what I generally do:

  1. I use a password manager. You can read reviews for finding one that best meets your needs. Personally, I use one that does NOT have storage on the cloud. While in theory they’re encrypted and secure, I get paranoid. (Yes, I do recognize if someone compromises my desktop, they can get access to my local password manager. But on the other hand, if they get access to my desktop, they can probably just install a keyboard logger and I’m hosed anyway.)
  2. I use a different password, automatically created by the above password manager for nearly every site of system I log into.  This ends up meeting most (but not all) of the NIST suggestions (they’re certainly NOT easy to remember, but they don’t have dictionary words, can be as long as I need, most likely are NOT in a previous breech, etc.)

Note, I said most, not all. There’s a few places I used passwords I can remember. These are systems I interact with on a daily or near daily basis, such as my desktop, AND the password manager itself. There would be no point to have a password manager if I couldn’t log into it, or if the password were so simple anyone could guess it.

So, I make sure these passwords are easy to remember, but extremely hard to guess. (For example, they do NOT include the name of my first dog, my mother’s maiden name, etc.)

In conclusion, if you’re in charge of security, make it usable, or else people WILL try to bypass it, simply to get the job done. And, remember, you’re always in charge of your own security, so make it usable, but secure.




Age Impostor Syndrome

This past weekend I was at another successful SQL Saturday. It was, as always, great to see so many of my fellow speakers and friends.

I was perhaps a bit more nervous than usual for this SQL Saturday because I was giving a new technical talk and my demo wasn’t working like I wanted and I hadn’t done as many run-thrus as I like to do.  But it was well received and people seemed to really like it. (For those interested, it was a demo of running SQL Server for under $200, including licensing and hardware!)

During a conversation this weekend I used the expression that I might grow old, but I don’t have to grow up. But I’ve realized it’s more complicated than that.

  • In the past week I’ve completed my 51st orbit of the Sun while still breathing
  • I’m preparing to cook dinner for a bunch of college students this weekend
  • I’ve been working with two recent college graduates on a couple of projects
  • I’m consulting on a new project and using my years of experience to guide it in the right direction
  • My son is completing his first semester at college and coming home this week
  • Apparently received praise (this is second hand) for work I’ve done in a volunteer community

Physically at times I sometimes feel my age, and there certain facts that suggest I really as old as I am; but mentally, I often actually forget I’m as old as I am. I wonder, “why do folks think so highly of me, I’m just a young kid trying to figure my way out in the world.”  Then I realize, I’m not that young kid at his first programming job, trying to figure out how to create a make file.  I’m a middle-aged man who has decades of experience in my various fields of expertise.  People look to me, the way I look to my mentors because they expect me to have the answers! (And fortunately, they’re actually sometimes right.) Sometimes too I’ll be engaging with people my own age and they treat me as equals and I get excited that they’re treating someone half their age with such respect. Then I remember, “but wait I AM their age.”  Or people half my age act as if they’re looking up to me and I want to say, “but I’m no different than you” but then remember, “Oh wait, I do have that many more years of experience.”

So, there’s still a bit of me thinking I’m an impostor. I really don’t know as much as people seem to think I do.  Or that I’m not as old as I really am. Can one even be an age impostor?  Not really, I mean age is a pretty objective fact. But the truth is, I don’t feel my age, and for that I’m grateful.

I’ll continue getting older, but I simply won’t grow up any faster than I have to.

One final request from this wizened old boy, make sure to subscribe if you haven’t!  And speak a little louder so I can hear you.




“I’d procrastinate, but I keep putting it off.” It’s an old saw but I think there’s some truth to it, at least for me.

Actually the truth is, when I’m not busy, I tend to procrastinate and things don’t get done. But when I’m busy, I get more done. How many of us say “I perform better under pressure”? I know I do.

The other phrase that comes to mind lately is “When it rain, it pours.” The above two adages seem to be the story of my life lately. This is not necessarily a bad thing.

You see, in the life of a consultant it’s often feast or famine. And some times of the year are often more famine than feast. For example, my largest client goes into a code freeze during the last 2 weeks of the year. Taking this into account, I figured I’d have some downtime and be able to work on some projects around the house.

But then, last week, another client emailed me to ask about my availability. They’re a good client and I enjoy working with them, so I responded right away. Unlike my previous project with them that was just a few hours, this one was a top priority project with a firm deadline and lots of work in a short period of time.

Suddenly, my calendar was more full than I expected.

Then my largest client, during our weekly all-hands call, informed me that a project I had completed, they were probably going to take a completely different tact on, and “oh by the way, we’ve got a strict timeline!”

And then of course today, another client calls in with an issue.

Suddenly my calendar was even more full than I expected.

Oh, and did I mention I have a talk to present at SQL Saturday in DC this weekend? And the hardware I was going to use for it is not working?

Suddenly my schedule was completely topsy-turvy and I’ve had to work harder than ever.  But, since I’m already busy, I’ve actually spent a little extra time on other projects that I had been putting off; like finishing the edits on my second article for Red-Gate’s Simple-Talk and then writing a first pass of my third article for Red-Gate’s Simple-Talk. I probably would have procrastinated on that last one a bit longer if I weren’t busy. I know, sounds backwards, but yes, being busy encouraged me to spend time writing.

Of course sometimes even some schedules have to slip, hence this post being 12 hours later than normally scheduled.

When it rain, it pours.  And right now, that’s a good problem to have.