The Insecurity of Your Secure Password Policy

If you have a password policy that mandates passwords change every 90 days, and it takes 1-2 days for you to get everything back in sync (password manager, systems, keychain, etc…), you start warning people 10 days in advance, and you have systems that only allow passwords of certain lengths, and…  where was I?

Anyway… what percentage of users do you think are actually using a password manager that randomly generates that password, especially when there are systems people need to log into that don’t offer any way to paste directly from a password manager app?

Instead, you’re going to get a password progression like:

  • Puppies1!
  • Puppies2?
  • Puppies3!
  • Puppies4.

So if one set of passwords is compromised, it’s pretty likely that the WHOLE PASSWORD GENERATING METHOD is compromised for many users: anyone holding “Puppies1!” can guess the next three without touching a password cracker.

The extra burden of trying to come up with memorable but unique passwords so often is forcing users to dumb down their passwords.
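As an added example (this is not code from the original post), here is the rotation pattern described above seen from both sides in Python: next_guesses() is what someone holding one leaked password would try first, and rejects() is the check a password-change handler can run when the user presents the old and the new password together. The function names, the symbol set "!?.#", the leetspeak map and SAMPLE_HISTORY are assumptions constructed for this example.

```python
"""Added example, not from the post: the rotate-the-number, swap-the-symbol
pattern from both the attacker's and the defender's side.
Names, the symbol set, the leet map and SAMPLE_HISTORY are constructed."""
import re
import string
from typing import Optional

# Constructed sample: the progression from the post.
SAMPLE_HISTORY = ["Puppies1!", "Puppies2?", "Puppies3!"]

# Common letter substitutions, undone so "Pupp1es" and "Puppies" compare equal.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# core + optional run of digits + optional trailing punctuation, e.g. Puppies|1|!
_PARTS = re.compile(r"^(?P<core>.*?)(?P<num>\d+)?(?P<sym>[^\w\s]*)$")


def skeleton(password: str) -> str:
    """Reduce a password to the 'method' behind it: leading/trailing digits and
    punctuation dropped, leetspeak undone, case folded.
    Puppies1!, puppies2?, PUPP1ES03. all map to 'puppies'."""
    core = password.strip(string.digits + string.punctuation + string.whitespace)
    return core.translate(LEET).casefold()


def next_guesses(old: str, steps: int = 3, symbols: str = "!?.#") -> list[str]:
    """Attacker's view: the passwords most likely to follow `old` under a
    rotate-the-number, swap-the-symbol habit. Same symbol first, then the rest."""
    m = _PARTS.match(old)
    core, num, sym = m.group("core"), m.group("num"), m.group("sym")
    current = int(num) if num else 0
    width = len(num) if num else 1          # keep zero padding, e.g. 09 -> 10
    ordered_syms = [sym] + [s for s in symbols if s != sym]
    guesses = []
    for step in range(1, steps + 1):
        for s in ordered_syms:
            guesses.append(f"{core}{current + step:0{width}d}{s}")
    return list(dict.fromkeys(guesses))     # dedupe, keep order


def rejects(new: str, history: list[str]) -> Optional[str]:
    """Defender's view: reason to refuse `new` given the user's earlier
    passwords, or None if it passes. Meant for change time, where the old
    password is presented in the clear alongside the new one."""
    if new in history:
        return "reuses a previous password"
    new_base = skeleton(new)
    for old in history:
        if new in next_guesses(old, steps=10):
            return f"is the predictable next step after {old!r}"
        if new_base and new_base == skeleton(old):
            return f"shares its base {new_base!r} with a previous password"
    return None


if __name__ == "__main__":
    print(next_guesses("Puppies1!")[:6])
    for candidate in ["Puppies4.", "PUPP1ES2024#", "correct horse battery staple"]:
        print(candidate, "->", rejects(candidate, SAMPLE_HISTORY) or "ok")
```

The check only works where the old password is available in the clear, which is the case at change time because the user types both. Against a history that exists only as hashes you would invert the logic: generate the likely predecessors of the new password and compare their hashes with the stored ones. Either way this treats the symptom; the pattern exists because the rotation requirement exists, which is why NIST SP 800-63B stopped recommending periodic password changes absent evidence of compromise.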

Workers Want Recognition!

I spent a long part of my career working for a company whose CEO was huge on the power of recognition. (He even has a new book out about it.) And it’s true; you can’t get very far if you don’t give your workers recognition for doing a good job. Unfortunately, for knowledge workers, being recognized for stepping up to the plate and hitting a home run is only the tip of the iceberg. Recognizing someone for doing a good job is nice, but isn’t the expectation that workers will do a good job? Why are you still paying workers if doing a good job isn’t an everyday occurrence?

Ok, maybe you are recognizing people not for doing a “good job” but a “great job”. You’re still on a hedonic treadmill here. If a “great job” is truly exceptional, then you aren’t rewarding your employees that often. When a “great job” is routine, then why aren’t you shifting your expectations and paying accordingly?

Spot rewards are nice, but can be demotivating

There is nothing like found money (or praise), but it generally is spent quickly. (Unless your spot rewards are allowing the employee to take a year off or retire, but that would seem to defeat the purpose.)

If you’re leaning on spot rewards, then you may be training your employees to set gradually lower expectations, then beat them for rewards. Oh, no raises this year? Well, I can always game the rewards system!

Invest in people

Make permanent commitments to the reward you’re giving by delivering a raise and higher expectations: “This is excellent, and I would like to see this continue… in expectation of this continued performance, here’s a larger financial commitment from us.”

Give your people whatever tools they need to perform at a higher level. Offer the training. Provide educational resources. Send them to conferences. Allocate time for them to develop themselves. If you can’t afford a 2-5% contribution to potentially improve an employee by 10%, then you may not have any idea what you’re doing with that employee. Maybe you shouldn’t be in the business of employing those people and should find someone else to hire them and pay that company for effective use of those resources.

Invest in capacity

Stop skirting by just barely making your commitments. If you don’t have excess capacity, the minute something goes wrong, you’re in trouble. The alternative is depending on heroics from your employees. Heroics are like firefighting: Yes, they put the fire out, but now everything is water-damaged, and your firefighters will get sloppy and exhausted if used too often.

Invest in figuring out what is reasonable to do

Yes, you are in competition with everyone else who wants to please your customers, but all those customers you’re gaining are going to bail if your people break down and can’t perform.


You cannot put a price tag on trust.

Trust your employees to:

  • appreciate the capability you’ve given them.
  • be capable of working wherever.
  • work whenever they need to.

If you don’t know what results you want or the value of those results, keeping employees in the office from 8 to 5 is an expensive way to hide that fact. If you can’t trust an employee to get things done, then it doesn’t matter where they’re working, they’re going to make a fool of you at some point, and it will probably take you longer to figure it out if your measure of productivity is whether they’re in the seat or not.

Risk vs Volatility

As Taleb points out in The Black Swan, there’s a difference between risk and volatility. Trusting your employees seems like a risk, but withholding trust is the real trade: it lowers the volatility of bad experiences in the near term in exchange for the systemic risk of an organization with trust issues. The same goes for all these other investments in your employees. Not making them may be penny-wise, but it’s pound-foolish.

Project Math, or How to Make Things Take Twice as Long

Sometimes it seems like throwing four people at a project makes the project span 4 months, when a single person could have completed the work in a couple of weeks. Your communication lines are O(n^2) (actually, (n^2-n)/2)… 2 -> 1, 3 -> 3, 4 -> 6. If you’re not doing mostly independent pieces, you’re creating an unofficial management position for every 2-3 people you sign up. Realistically, 6 would be 15 units and 12 would be 66 units, so a mere doubling in time is really optimistic unless the 6 extra workers are making sure that project managers and customers don’t bug the workers actually building the car.

Worse still, usually, the extra 6 workers will need to be brought up to speed mid-project by the other 6 workers on top of introducing the extra ongoing communication complexity.

In other words, (ノಠ益ಠ)ノ彡┻━┻

Why Isn’t “The Process” Followed?

“We have a ticketing process for all of these things. Anything you do needs to go through that.”

The assumption is that, by going through a proper ticketing process, every request will be funneled through some sort of prioritization, and that this will minimize disruption.

Imagined scenario–total support/development time, 30 minutes:

  • Person needing a change to something files a ticket.
  • Magical “prioritization” takes place.
  • Technical worker executes in perfect order from off the queue.

Real attempt at following the process, 2 days:

  • Person needing a change contacts a random technical person.
  • Some effort to redirect or funnel through ticketing process is made.
  • Urgency communicated.
  • Another manager included on email chain, all the while missing managers who also need to be involved.
  • Random forwarding of emails to managers who also need to be involved.
  • Restart of the story from the beginning.
  • Someone else is left out of the loop.
  • .
  • .
  • .
  • Technical person takes care of what should have been a 30 minute task in the first place.


People in Hell Want Ice Water

It is a known fact that employees don’t know what they want. They say they want ice machines to work, but they really want all the vending machines to be replaced with a brand new vending service that provides freshly prepared (sort of) items that you can purchase for grocery deli prices without leaving the building—because employees hate leaving the building and stuff.

So whenever an employee provides feedback, either anonymously or openly, they don’t know what they’re talking about.

Employees really want open office plans, fancy break rooms, and whimsical methods of celebrating what the hell they’re supposed to be doing anyway.

How Long Will This Simple Concept Take to Build?

How long does the business person asking for it think it will take? Double that.

Is there a model system that it is being compared to? Double your estimate again. Double your estimate again if it’s being compared to more than one system.

Is the design going to undergo audits for standards or compliance? Add 50% for each.

Does Agile mean “work before requirements are figured out in a process that’s really Waterfall”? Add all the effort up until your last new specification to the end of the project timeline.

Is “concept” or “pilot” being used in the place of “live production product that will be expected to scale and configure from day 1”? Double your estimate again.

Congratulations! You now have a very conservative estimate for how much effort things will take.

RASMMAMSTCCHWE: Results And Some Mandatory Meetings And Make Sure To Cover Core Hours Work Environment

ROWE is awesome. We all believe in ROWE. All meetings are optional.

Except everyone has to attend the bi-monthly two hour update meeting.

But aside from that, ROWE is great. You can work anywhere.

Except that our online meeting software sucks, and this is an important meeting, so you really need to be on-site for it. (There are meetings for which we don’t care about the quality of the online meeting software? Why are we having those meetings?)

Other than that, you can work anywhere, at any time as long as the work gets done.

Except for core hours. You must work core hours.

Oh, Zojirushi 62 oz Coffee Carafe, You Make Me Very Angry

I guess my beef isn’t specifically with this coffee carafe, but I do take issue with the design of the carafe that makes my unfortunate circumstances that much more likely.

The problem with this carafe is that it’s hard to get coffee out of it once the first few ounces are gone. You have to tilt the pot on its side, and that’s where my trouble started.

There I was, trying to get coffee out of a one-third to one-half full coffee pot.

There (some indeterminate amount of time before) someone else was, barely screwing the lid on the carafe.

Back to the present, there I was, getting doused with coffee from a very well insulated pot as the lid came off.

If you see this carafe in your office, be very careful pouring your coffee, or even better… RUN AWAY.