When I was an IT admin, I had the pleasure of dealing with people who would submit urgent service requests about a problem they were having and then leave for the day, leaving their office empty and computer locked by the time I could get there to help. Fortunately, in many cases, I was able to fix their problem while they weren't there. Why? Their password was somewhere on their desk in one of these easy-to-find locations.
Photo by Juan Martinez.
- Under the Keyboard. This is a pretty common one, and one of the first places to look if you need to find someone's password (or one of the first places to avoid if you need to jot down an often-used but difficult-to-remember password). The worst offenders leave them on a Post-It on their keyboard tray, or under the spot where their keyboard lives. Others attach the Post-It to the underside of the keyboard, thinking it's better hidden there. In both cases, it's a sure bet that anything under the keyboard will have a password on it.
- Under the Phone. A surprising number of people still keep their passwords tacked to the underside of their desk phone or its receiver. The people who usually put their passwords here think they're being smart and stealthy, but in reality taping a yellow Post-It note to the underside of your phone just screams "passwords here!"
- Under the Mouse Pad. This is another common hiding place for people who don't want to put their passwords under their keyboard. They'll usually slide a couple of sheets of paper under the mousepad with their usernames and passwords on it and refer to them when they forget, or update them when their password expires.
- On the Monitor. This one isn't so much a "hiding place" as one of those "security through obscurity" techniques that almost never work. Most often practiced by people who keep dozens of other Post-Its on their monitor, this technique is still easy to get around as soon as you have physical access to the person's computer. Besides, it's not too hard to glance through the Post-Its on the monitor and find the one that has "u: something/p: something else" on it.
- In the Top Drawer. Most people who work in open offices with short cubicles tend to lock their desk drawers, but colleagues I've worked with who had their own offices or had semi-isolated cubicles were almost always guilty of leaving their desk drawers unlocked. When I would visit their offices, the master list of their usernames and passwords was almost always in the top drawer, on a scrap of paper or the top of a thick stack of Post-It notes, usually in plain view.
- Under the Desk. One of the most disturbingly common spots where many office workers hide their passwords is one of the easiest to find: right under their desk surface. Just sit down at their desk and put your hand directly under the desktop, and you'll often find yet another Post-It note attached there. Most people who do this operate under the assumption that no one's ever under their desk to see or notice such a thing -- except the IT admin or help desk tech they call when they've jostled the Ethernet cable loose from the back of their desktop.
This list isn't exhaustive: anyone who's spent time as a field technician or IT admin in an office will tell you that people often leave their passwords in strange places that are easier to find than the user ever hoped they would be.
In many offices, the most common hiding spots for Post-It notes and paper scraps laden with login information depend on the office furniture and office layout. For example, if your cubicles have low cabinets right over most users' monitors, you can expect to find a few people keeping their passwords on the inside of those cabinets. I knew one person who put Post-It notes on the bottom of their chair -- she was livid when she arrived one morning to find a colleague had borrowed her chair for an impromptu meeting in her office next door.
If you keep your passwords in any of these places, stop now before it's too late. You may be making your IT admin's life a little easier when he or she drops by to fix your computer problems, but they know full well you're sacrificing your organisation's security in the process. Now is a good time to give a service like LastPass, an app like 1Password or one of these great alternatives a try, so you can remember one password and then mix up the passwords you use for other services. While you're at it, make sure you're using good, strong passwords. And don't put in urgent service requests and then leave for the day: submit them when you know you'll be around to help your technician troubleshoot the problem, or don't claim it's urgent.
Do you know an office worker who keeps their passwords on Post-Its or in notebooks on their desk? How do you keep your passwords safe from prying eyes without compromising their security? Share your tips in the comments.