People Twitter

A Password is a thing that protects you from hackers. If you work here for long enough, you might even get your own account.

heck, i had a consultancy gig where the customer wanted me on-site for intro 400km away, and i had to spend a few days with no hardware at all, never mind access. also it was a high-security thing so i had to be escorted around at all times until they could sort out the badge thing. very productive week, that. at least got a few hotel breakfasts out of it.

It's not always for lack of trying. I spent a year or so building the integration (from a box of scraps!) between the shiny new HR system and our IDP. This integration was supposed to be functional out of the box according to the HR system salesgoblin. It didn't just need to be configured, it needed to be built from scratch because they didn't actually support hybrid AD/Entra setups managed from the AD side. Which was only the unofficial standard for Windows based shops at the time.

Anyway, I wanted to make it grant employees access to shit based off a combo of Job Title and Department. On a technical level, it's basic baby stuff. Concatenate the Dept and Title into a string, use that as the key to a hashtable with the access they need listed. Bish bash bosh, bob's your uncle.

It would have been a cakewalk compared to all the shit I had to build for handling separations and all the data retention shit around those.

But none of the department managers could actually tell us what the fuck their workers needed access to. Like maybe 3% had any idea at all. And I didn't have the team or time to try and do data analytics across the access of everyone at the company just to get an unreliable best guess.

So it just handles setting new hires up with the basic access everyone gets and separations. Still a savings of ~1 hour per employee.

It's been something like 7 years since I built that integration. They're finally going to replace it with a true access management platform. It's cost them multiple millions so far, has an entire new department dedicated to the thing, it has been "in-progress" for two years, and it still hasn't replaced my shit yet.

My favorite part is when they come to me months in to something they're trying to get working, and I'm able to point them at where they made mistaken assunptions at the first step leading to the mess they're currently in.

I provided a ton of in-depth notes on our current standards, the weird gotchas/deviations, every single stumbling block and edge case I had found, all the seemingly logical and safe assumptions that don't actually hold. I don't think they read any of it. I keep asking them to reach out before they start working on a new piece of functionality. They don't.

So now I get to tell them things like "that assumption you built this piece of logic off of will bite you in the ass in this specific way", they say they'll take it under consideration, and I laugh knowing this whole project will probably implode under the weight of incorrect assumptions before it's finished.

My first day was sitting for 8 hours abandoned in a cubicle because my new boss forgot to put in the new hire requests for IT. No user, no email, no nothing. Only reason I had a laptop at all was because they happened to find an old one in a drawer.

End of week one: "you should have your work account by this time next week... at the earliest"

But to put all of that in context you have to remember the pay, which was also bad.

Lol the one I worked at had a 30% turnover rate because of this. Ridiculously skilled engineers working for a 8-14 month stint before they secured a much better job at a different company.

Even their longest working lead, who had joined since the start as a junior, left a couple of months after I joined

The funniest moment was when ~~HR~~ people ops posted the average expected salary ranges to confluence, which was a full 30% higher than what they announced for yearly raises.

Honestly this one's on you, pal. Why do you even care about the megacorp's business?

I was in the corporate medical industry. The only things that got handled at all in a efficient time was those required by law. Like if there was a incident in the field we had to have an initial report within a week and a corrective action within 30 days. Preventive actions were longer term, didn't have a deadline so it was not uncommon for it to go on for a year or more.

I can't give a real example for legal reason but let's a product was sold which gave electrical shocks to a patient. Within a week we had to tell the fda the cause was a faulty resistor. Within 30 days we had to correct our system, for example assign a person to test that resistor with a dmm on every device. Easy enough, give the operator who installs the resistor a dmm, update the instructions to say to measure that resistor and give a 5 minute training to said operator telling them that they have to measure it. Easy to do in 30 days and required. Now really the root cause was we didn't test for that in our multiple automated tests. The preventive solution would be update the automated testing software to check that. That has no time limit. It now becomes low priority. We did have to give an estimated time line, say within 2 years. By the time that deadline approaches most people who originally said that have left the company and new people are unaware. They submit an extension, and it's low priority again. Another 2 years go by. Now the high priority is the next product release. The old product will be discontinued so no one cares. So for 4 years and possibly several more years after it the company pays a person to manually measure a resistor. The automated test would eliminate this need, be more reliable, have documented results but wasn't implemented because it's low priority since there's no legally obligated time line.

Sounds like Honeywell.

“Now we need you to watch 4 hours of videos to teach you how not to sexually harass everybody.”

I have told my coworkers before.

The company does not make you take ladder training so you can learn how to climb a ladder, its so if you fall off, a lawyer can ask if you were following the ladder training exactly.

Could also be some compliance thing. The only job where I had mandatory security training was incidentally the same one where I had mandatory HIPAA training.

Funny enough I’ve worked at several companies where they will tell you to take the training and if you don’t do it they’ll keep telling you but after a while they just stop.

My dad was one of the guys who was in charge of administering those to his company. They had different tiers of difficulty, i think ranging from 1-5. They always sent IT and Engineering the 5s and they passed with flying colors.

Hr and finance never got harder than a 2 and they always fucked them up

Don't put that shit on IT. HR is the department that can't get the fuckin onboarding form right, can't send it to the right people, or just straight up don't do one and expect us to be mind reader's.

Rookie mistake. The password is what we write on a sticky note and tape to the edge of our screen.

Birthright membership in the Domain Admins group is what keeps all our users from being pestered when they want to install that neat new tool they found. Then you don't need to harden the built in admin account against attacks, you can just disable it!

Hilariously if this is internal only, it may be "secure in transit" as most mail doesnt flow over SMTP in that case. Some vendors, including m365, also encrypt mail by default between other m365 users, and I think all of gmail last I checked.

If that password isn't then deleted from email or is otherwise archived automatically, then you have problems.