Security question

Do you think using mothers' maiden names for DR webmail access is a good idea?

I don't think so. At one site, out of convenience, they want to make all the users use their mothers' maiden names as their password to access their DR webmail, which gives full access to their email. It's a third-party email server that allows access to Exchange data in the event Exchange is not available.

They also want to keep all the users' passwords in a spreadsheet (even though it's their mothers' maiden names? Stupid).

I said that the users have the facility to set their own passwords and they should do that, and if they forget we can just reset them. I was laughed at for being too deep as I suggested that if there was a targeted attack the mother's maiden name would be an easy choice. The response from the IT guy I worked with was that if it was a targeted attack then they would already know the passwords even if the users set them.

This is the sort of nonsense I have to put up with when trying to make things secure. I just said do what you want and if anything happens I am not responsible; if only it was that easy.
 
I don't understand why they don't just use their normal passwords for the DR site? Why does it have to be different at all?

The way Mimecast works in continuity mode is that the link to the AD is down and they don't store the passwords, so they have a second password called a cloud password that will rarely be used, and the thinking is that they will forget it and, come a DR situation, they won't be able to log in to the mail without resets. If they are going to use their mother's maiden name I am going to disable access until it's needed. Don't have the effort to fight that client on it. They just do what they want; they ask for IT input then do what they want anyway.
 