The following is in response to a Sharkbait posting about a boss who insisted on a three-letter user name and identical password.
I had a boss who made the same demand. He insisted his user name and password be his initials. I pointed out the threat this posed, but he insisted that no one would ever try to hack his account anyway.
I mentioned the name of a former employee who was suing the company. The boss laughed.
I was not surprised when in one of the depositions the former employee's lawyer produced a confidential e-mail that the VP had sent the owner. I asked the lawyer how he got that e-mail and he refused to answer.
I told the owner about this and his response was "Well, if he'd read my e-mail I'd have known because it wouldn't have been highlighted anymore!"
I replied with "If you give me two minutes of your time I'll show you how easy it is for someone to read your e-mail without you ever knowing. I'll use your account as an example."
He stared at me for a second and said "Well, there's no need to get carried away."
"Please change your password. If you don't, (former employee) will continue reading all the e-mail you receive."
"I'll never remember it."
"Write it on a piece of paper and keep it in your wallet."
He kept the new password in his wallet for a good week before he just wrote it on a post-it note on his monitor. I left the issue be. At least now someone had to get INTO the building to read the owner's e-mail. I also convinced him to change the password whenever an employee left under hostile circumstances.