CEO does not believe in passwords

I need to ask a question to other IT people. I just got out of a meeting with my boss. The subject of the meeting was passwords and why do we need them. This was an impromptu meeting. I went into security and how it allows people to keep financial records safe, our database, and a number of other items. We have finance, sales, marketing, purchasing, everything in house.
He goes on to say having passwords is a hassle because he cannot just open any person's computer and look at their stuff. He wants to be able to just open computers at night.
I brought up local security. "If he can, so can anyone else."
His response was that there are people around all the time, someone would see that bad actor on the wrong computer.
I tried to explain we need to keep financial records and sales data secured. He doubled down on no one internally would do such a thing.
He then goes on to say that if a hacker got into our network a server password wouldn't hold the hacker from getting our files.

HELP. How do I get it explained that passwords are necessary and that they should not be on laminated cards stuck to monitors for his convenience.

He then bitched about not having his email password that I needed to reset because he forgot it. And proceeded to complain that he will now have to go change it on his other computer.

Any advice?



Set up 2FA biometrics + smart card/OTP for him

Change workplace.

In the developed world we have laws against that sort of customer data endangering retardation.

200% This. Pack up and get another job somewhere else.

sounds like a pretty based guy


your "CEO" appears to be dangerously incompetent and possibly retarded.. maybe down syndrome? who knows. I would 360 degree spin and moonwalk the fuck out of that shithole.


Fuck. yup...
I'm now on Indeed

>not just asking him why he doesn't give you his bank account number, agency, password and ID.

Why are boomers so fucking stupid? How has this fucker lived this long without being hit by a bus while wandering into the road after shiny bottle caps?


I agree, but I either need a better answer or a new job.
There's nothing else I can think of or a way to explain this to him.
I am in shock still.

lmao boomers

jesus fucking christ

Passwords aren't the problem; it's constantly changing the damned things that causes problems out the ass.

It is normies. Not boomers.

1. Start looking for a new job right now
2. When you get an offer, go on reddit or stack exchange (both would be better) and post this same issue but explicitly mention the company/location so everyone knows exactly what you are talking about
3. Leave to new job
4. Wait for someone to hack into their systems and steal everything.

This kind of retardation can't be fixed without punishment. Your dumbass boss needs this to actually happen to understand the importance of security.

He's kinda right though. What is a password really going to do other than get in the way of innocent people.

haven't zoomers used passwords since birth though?
they wouldn't even think to question them.

That's all they ever do.

I sometimes do webdev stuff for clients. And the average password is either

hobby1 or firstname.birthdate

Although some companies enforce regular password changes, then you have season1

No, this is boomer tier idiocy

The kind of idiocy where you can run a company and make hundreds of thousands to millions of dollars and still think and do absolutely dumbfuck retarded bullshit like this and get away with it.

>Enforce regular password changes
These people should be tortured to death.

but if you did a 360 you would be facing the same direction? how can you exit like that?

He's not wrong OP, invest in the new biometrics memes. Passwords are antiquated

You need to document this and look into covering your ass on paper. People are shitty sometimes. If a breach comes to fruition it's a perfect scapegoat to come at you for incompetence, and it's better to have your own measure of security in case it does.

Embezzlement time

Have you explained to him that this is the equivalent of throwing away all locks on doors everywhere? I think it would be great in theory but there is no way you would convince some companies, e.g. a bank, to leave their vault wide open. Same thing if your company operates warehouses, no way they will leave that shit open just because the CEO is too lazy to call the manager to get the keys. If the office is actually staffed 24/7 there could be an argument for this, but I doubt your company is.

In IT I think it could be done but would require a lot more monitoring, firewalling and deployment of whitelists. So just tell him you would have to re-architect the whole network to do it and it would take forever, and you would need to expand staff in order to have people monitoring all hours of the day. Not just on-call but an actual 24/7 staff.

I should pitch this out of spite and for the lawls.
IDK what else to do at this time.

Use Tor to hack in and do something disruptive but harmless.

we have the same problem
your options are:

>ignore him
>continue using passwords
>he gives up

OR

>you give up
>hacked
>"told you so"
>you get fired anyway as CYA

>He doubled down on no one internally would do such a thing.
God I wish I was as carefree as your boss


You are an employee and you do as told, you are there to work, not to think.

Know your fucking place.

>gets sued later because the company gets breached and he's in charge of software security

Things like this are an indicator of a far bigger problem. I'd start looking for a new job.

Pretty sure there are laws against this

I bet your intranet has plenty of PII

That's why you moonwalk, user.

What's the problem?
You're not responsible for anything that happens, it's his decision. I'm assuming any damage done to the company as a result of his stupidity won't have any effect on your paycheck either, let him learn the hard way, and he will eventually, with a policy like that.

We did it reddit!

No seriously, go back. You've killed this site.

This so much. I fucking hate those ludicrous password rules, where you need to change every 3 months or so. This clearly decreases password safety by a large margin. I guess it's the same stupid people like OP's CEO, only on the other side, that come up with such bullshit.

But to answer OP's question. You don't need to explain anything to him. Tell him you are the expert; if he thinks that he understands more about IT than you, then you will gladly leave and let him do the job. If he refuses, tell this story at your next job interview.

Flesh out the idea as if you were going to implement it. Make it sound as expensive and dangerous as possible by presenting facts without a perceivable bias. Then hope to god that he realises how dumb his idea is and chooses to abandon it.

>weekly blood, semen, and urine samples required for biometric scanning

He's a CEO. He was likely born into wealth and never actually worked a day in his life, so he has no experience with anything other than leisure and convenience, much less common problems and practical solutions.

Most NDAs have some kind of clause saying that you promise to take measures to protect the data you're given.
Same for personal data: if you leak someone's info because your password was 4 letters long he could have a right to sue you, especially in Europe.
Get the legal team to back you up on this.


Why can't he sign in to any PC anyway?
You are running Active Directory, yes?

yes, of course it's AD.
He wants to sign in as the user and "see what they are doing" and "what programs they have"
It's fucking embarrassing coming from a business owner.
I started here 6 months ago and there are a lot of other preposterous policies. I'm definitely going to moonwalk the fuck out when I get another offer.

Worst part is that I guess I failed because I could not adequately explain to him the necessity of passwords and have him understand their importance. I consider myself grounded in standard security practices.
I have never second guessed passwords in my entire career. Everyone just understands they are required. I didn't fumble on giving good reasons for it. I was stern and polite and refuted his arguments appropriately.
Maybe I made him defensive because I didn't go along with his plans or just say "yes sir", idfk.

The US does as well, and OP's company would be opening themselves up to massive legal ramifications if they actually did this.

Any legal team and IT head would point this out to the CEO and tell him to shut the fuck up unless he wants to get massive fines and or jail time.

You need to be a yes man with a but.

Yes, BUT _____

and then you explain how it's illegal to treat financial information in such a way, and if he wants to open himself up to that sort of liability, he needs to find himself someone else to implement it, because you won't.

We don't fall under any consumer protections as far as I know. We are a small company of about 50 employees and we sell business-to-business.

b2b is far worse, you fuck around with their info and they find out about it and you can expect to get reamed by a team of lawyers.

It is always normies. I saw the same thing happen in a place I worked at for a while. The compromise was to change all passwords to....

youtube.com/watch?v=a6iW-8xPw3k

...I shit you not.

Underrated post

>Any advice?
Document that you brought this up with him immediately; if you have witnesses, all the better (it was a meeting, so I assume so). And leave the company right fucking now before this becomes your problem. Cause two things are gonna happen, guaranteed: shit will fuck up massively, and you will be blamed.

I agree and this is what my plan is. But how would you handle that conversation? I was dumbfounded to be even answering the questions. And then mortified at what he asked me to do. I couldn't say 'no' on the spot, but I was not going to change his mind either.

Is there anything I missed or could have pointed out that would make him reconsider? I doubt this will be my last conversation about this before I get out.

tell him that he hired you for a reason, and it is in his and the company's best interest to listen to what you're saying.

I have had situations exactly like this twice now. I made the mistake of sticking around and trying to change their mind with all sorts of arguments, research papers, getting colleagues in on it etc. The thing I learned is document everything, and don't bother: their mind is dead set on it and you won't change it. Seriously leave while you can, cause when shit hits the fan, and it will sooner rather than later, the first thing you will hear is "legal is getting involved" and he will try to blame you.
Especially when handling customers' financial data is involved you don't fuck around. If he wants to sink his company and ruin himself let him, but don't let him drag you down with it.

Since your company is B2B, ask him if he's willing to call up your biggest customer and ask how they feel about your company not using passwords internally.
And yeah, with financial data, you need SOX compliance in the US, and likely something similar for wherever you are. Point at that.

GDPR and ISO 27001 requirements

U.S. company so GDPR would not apply.
SOX seems like where I need to do my research.

nope, never mind. We do not fall under SOX.
We are not a public company.

Honestly I don't know American laws but the shit about access to every PC alone has to be in violation of some law cause it certainly is here.
But as you are handling customer financial data I bet his idea of IT Security is in violation of probably literally a dozen laws.

1 - Log on as the CEO
2 - Open up Outlook and send an email to your biggest customer saying "Fuck you fuckface!"
3 - "Gee Boss, it coulda been anyone, there's no way of telling since we removed the passwords"

And the invariable step 4

>You're fired for not convincing me to change my mind that removing passwords is a bad idea


SOX still matters if you deal with any public companies as customers. Or if the company is looking to go public, or get additional private investment (loans, VC money), you can bet that they'll be looking for SOX compliance or at least leaning towards them. Having no passwords will be a huge red flag.

in that case I'd work out some sort of network segmentation with a firewall so the boss can no-auth RDP to employee machines or whatever he wants but the protocol is blocked everywhere else. there's similar techniques used in CNI networks where legacy controllers need to be remotely accessible

definitely get this signed off in writing though lol

He's right. We should abandon any passwords and use public/private keys for everything.

Well, that's the coolest idea I have heard so far

>not keys with passwords and second factor auth
Do you even blue team?

Are you sure you are not a character in a British sitcom?

Just give him access to the user folder on the network drive. Tell him that he doesn't need to go to someone's computer when he can do it from the comfort of his office.
There. You don't need to remove passwords on things and he can snoop if he wants.
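One way to implement the read-only snooping alternative just described, as an added PowerShell example that is not from the thread: the CEO gets read and list access to every home folder on the file server through a dedicated AD group, with successful reads audited, and nobody's password goes away. The share root D:\Home, the group name, the CEO's account name and the NetBIOS domain from $env:USERDOMAIN are all assumed; the script must run as a file-server administrator and file-system auditing must be enabled in the server's advanced audit policy for the audit entries to produce events.

```powershell
# Added example, not the thread's own code. Assumed: home-folder share at D:\Home,
# a new domain-local group "HomeFolder-Readers", CEO account "ceo", domain from $env:USERDOMAIN.
Import-Module ActiveDirectory

$HomeRoot  = 'D:\Home'                 # assumed root of the per-user home folders
$GroupName = 'HomeFolder-Readers'      # assumed name of the new AD group
$CeoUser   = 'ceo'                     # assumed sAMAccountName of the CEO
$Principal = "$env:USERDOMAIN\$GroupName"

# 1. Grant through a group, not a person, so the access is reviewable and revocable in one place.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope DomainLocal -GroupCategory Security `
        -Description 'Read-only visibility into staff home folders'
}
Add-ADGroupMember -Identity $GroupName -Members $CeoUser

# 2. Read + list only, inherited by all files and subfolders; no write, delete or ACL change.
$readRule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

# 3. Audit successful reads by the group so every look at a home folder lands in the Security log.
$auditRule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# 4. Apply both entries to each user's home folder. -Audit loads the SACL alongside the DACL.
Get-ChildItem -Path $HomeRoot -Directory | ForEach-Object {
    $acl = Get-Acl -Path $_.FullName -Audit
    $acl.AddAccessRule($readRule)
    $acl.AddAuditRule($auditRule)
    Set-Acl -Path $_.FullName -AclObject $acl
    Write-Host "Read-only + audited access granted on $($_.FullName)"
}
```

Membership of the group and the resulting 4663 object-access events are what you show the CEO, and what you keep as the record that his access was scoped and logged.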

What's the name of the company? I'm just curious.

An employee has usage rights to company hardware assigned to them. Not ownership rights.

use AD and have a master admin that he can use to log in to any machine

done

>tell this story at your next job interview.
>"Yeah I left my last job because my boss was a fucking retard"
This isn't something that lands well with HR shitters in interviews

In the US, being able to log in as someone on a work PC can result in a huge issue if anything goes wrong and a person is fired. A wrongful termination lawsuit would be very easy to win claiming that someone else sabotaged the fired person's job and future career, and that the company did not employ any IT security standards.
The only people who have such access are the IT department, exclusively because they manage such security. A CEO or under should never have the full rights that a network admin has. Much like the CFO has to sign off on specific financial documents and not the CEO.

>His response was that there are people around all the time, someone would see that bad actor on the wrong computer.
>I tried to explain we need to keep financial records and sales data secured. He doubled down on no one internally would do such a thing.
He has a lot of faith in his staff for probably no good reason.
My bet is that a pentester could probably walk right in now and get whatever he wanted even with passwords in place, without getting challenged by staff.

>Any advice?

A. Leave the dumpster fire of a company

Or

B. Stay for the free easy money (since clearly IT is not a priority) and cover your ass. Record what he said and ensure it falls on his head when someone makes off with all company data.

>not taking information security seriously because he's a nosey prick
also, unless you live in a third world country, there are serious legal ramifications against not securing personal/customer data due to negligence.

>CEO does not believe in passwords
Is this your CEO OP?


He's a retard. That place likely won't be around for long. If you own stock I would sell it and quit.

What he wants to do is likely violating so many regulations it isn't even funny.

Crimes of opportunity. Our SCCM admin accidentally built an administrator account into the WIM that had no password. No one saw it for years until some joe blow from the street found it and did stupid shit with it. We're all retards in this story but still, no passwords is wrong.

Can employees really get sued in freedomland?

Agree and remove all passwords

start looking for a new job

leave and let the business deal with having no passwords or security

this
he's an arrogant asshole and he's giving you warning signs to the fact that he's going to fuck something major up

Hello newfag, you should do a 360 and go back to where you came from.

my company uses 1password and everyone saves all of them in chrome lmao

If the cable guy accidentally fucks up while installing your cable and does some damage, you can sue the cable company. If the cable guy shows up for the installation appointment drunk and takes a swing at you, you can sue the cable guy (unless cable company policy was to show up drunk and punch customers). Individuals are protected when acting as agents of a company, not when they decide to do whatever they want when they're technically on the job.

What if the boss wants to do something illegal? (this would be highly illegal in the EU)

Taking a swing at me is criminal law, I was thinking about civil.
Employee should never have civil responsibility, if he fucks something up company uses its insurance and fires him at the most.
I'd be scared shitless working with expensive equipment if fucking it up meant a lifetime of debt.

If something happens then he will get fired. But need to have everything in writing so he is not criminally liable.

In the US it's common to sue people who violate criminal law. If someone commits arson and burns your house down, you (more realistically your insurance company) can sue that person for damages entirely separate from the criminal proceedings (and with a lower burden of proof).

Just rat out the owner to the businesses you employ. Enjoy watching him burn

>being this new


So he should leak this to the press?
Other idea: OP, take out all the passwords then leak sensitive information to the competition

do what said and explain that it's quite literally illegal to have other people's personal information that easily accessible

zoomers get out

why do they do this? do they really think that it makes passwords better? like seriously what is the goal here? they think that someone is out there brute forcing a login for 3 months straight and then you change it and the threat is gone? so fucking stupid. if only there were just a standard set of expectations for passwords in the modern world

yeah, instead of one person suing your company, it'll be an entire team of lawyers representing another company. that'll go well

Sony


>how to get sued in 5 easy steps

Just set up biometric access with 2FA. Then give him admin access to network materials with a combination of a token on his phone and fingerprint scanner on every terminal he wants to access. This way he doesn't need to remember any passwords, he can access everyone's terminals by checking his phone for "the password" and you're still secure behind two factor security systems.

>my boss wanted to make dangerous changes that would have potentially ruined the company and refused to take my professional advice on board

OP if you're serious here are the steps I would take
>Warn them about the dangers
>If they ignore the warnings, wait for someone to attack
>File your two week notice once it happens
>Leave in the middle of them panicking for not heeding the warning

If you're not serious then
>Become hackerman
>Hack your own company
>Tell your boss the exact thing he didn't listen to happened
>Tell him to hire a specialist or give you a raise to unfuck it
>Leave once you get upfront money
Be sure to have your boss invest in Bitcoin mining for collateral before the company goes into the red financially

No I am not a smart person but I have fun sometimes
