The Akamai Blog

Two Embarrassing Security Lessons

Good news: I got another look at how well Akamai's security procedures work. 

Bad news: It's because I made two simple mistakes. And I knew better.

First, I forgot to change my password before going on vacation. Akamai InfoSec takes regular password changing very seriously. I knew this and had received daily email reminders. I planned to do it the day before vacation started, but forgot amid a busy day.

Upon my return, I tried to access the various internal tools I rely on to do the job, and found myself locked out of everything. I figured I could simply go ahead and change the password, but everything I tried was rejected. The system is demanding when it comes to creating complex passwords. Grasping at straws, I asked colleagues if there was a larger glitch affecting everyone. I was promptly informed that the glitch was me. Because I didn't change the password by a certain date, I could only get it fixed by visiting the help desk.

The second lesson came less than an hour after I had that problem fixed.

I rushed off to a meeting without locking down my laptop. I'd been good about not making that mistake, because the customary punishment is to buy coffee for your whole team. When you send out an email about owing everyone coffee, people around here chuckle, because they know what it means. 

Despite my usual diligence, I returned from the meeting to this:


Don't feel too badly for me. I certainly won't make those mistakes again. And if there's a lesson to be shared, I'm glad to take one for the team.

Now if you'll excuse me, I have a box of coffee to buy.


My first adventure at not locking my screen, they actually confiscated my computer. On the second one, Andy sent an e-mail to our family mail list about me wanting to get a server rack for the basement. They all thought I had gone over the geek edge:)

Learning by doing.. nothing like it!

But while the laptop locking clearly was your mistake, and yours to face the consequence of, the password changing sounds more like a punishment for punishment's sake than any "well working security".

What if you'd been on holiday? On leave? Travelling without your computer? After all, what's the suddenly appearing indicator of compromise, that makes your password so much more insecure one day after the scheduled change date?
They ask you to change your password, then they make it hard for you to do so?

Nah.. that kind of procedure might have some relevance in very high security environments, but in most of the world it just helps give security a bad name (And put a load of extra work on the helpdesk).

I think that having someone buy coffee or snacks for the team when they are careless is a great way to build up good habits. How many times do we walk away from our computer/laptop without thinking to lock it up? Having a kind of "punishment" in place can help breed better habits.

Fine. It gives an idea to lock when you leave even for short breaks.