Entry 2428, on 2026-01-29 at 13:17:51 (Rating 3, Computers)
Many people who make decisions on behalf of others seem very convinced that they are right about everything. Obviously, if you are the sort of person who feels you can do that, you probably have an unrealistic view of your own infallibility, especially when you live in an echo chamber of sycophantic positive feedback. But I think if these people were more honest and considered opinions from a wider range of sources they might be a bit less confident, and just maybe might make better decisions.
To be fair, there are usually very good reasons why decisions are made, and superficially they often seem to make a lot of sense. But there are always unintended consequences to every change, and awareness of that fact is often lacking.
I was working with someone recently who works for a large corporate entity. He suddenly found that all of his services, such as email and wifi access, had stopped working and his devices were telling him that his password was incorrect. We tried all sorts of things, but it looked like his account had been locked for some reason, which happens automatically after a certain number of attempted logins with an incorrect password. But he had been using the same, correct password all along, so that didn't seem likely.
Anyway, it was a bit of a mystery and I was going to visit to help him, but then he called to say that after enquiring at the helpdesk (which had been closed previously) it turned out his account had been locked by security staff after he reported a phishing attempt in which he clicked a link but didn't provide any further information, something which, on a Mac, is almost impossible to turn into a major security concern.
So the security "experts" had followed what was probably standard procedure (which of course, was totally unnecessary and arguably more trouble than it was worth) by locking his account, but they hadn't bothered telling him. They claimed they had no way to contact him even though he had a phone issued by the same organisation.
But what is the consequence of this? Well, when he asked me what he had done wrong I said he shouldn't have reported the phishing incident. He said that they were told they should, and I said yes, in theory it is a good idea, but are you prepared to put up with the end result of that report? He replied, no.
So by instituting inflexible and dogmatic procedures to manage this sort of alleged security incident the management had ensured that people were less likely to follow the prescribed actions in future, and presumably that actually decreased security. Clearly an unintended consequence.
And this particular problem was made much worse because of the use of single sign-on. SSO means that one user name and password is used for all services at an organisation. Sign in once, and those credentials automatically propagate to everything else. It's good in that there is only one password to remember and often the login is handled automatically, but that can just as easily be achieved using password managers, like Apple's iCloud Keychain which is built into every Mac. It also means security is handled by one service, and maintaining password changes and enforcing minimum password requirements is easier.
But the downside of this is that you are putting "all your eggs in one basket". If a user accidentally gives away the password for one service, especially a service where a compromise would otherwise have minimal security impact, they are also exposed for every other service covered by that SSO password, including potentially really basic services they might need to fix the problem, such as logging in to the computer and connecting to the network.
In my opinion SSO is just an inherently bad idea. It is standard practice in large corporations and many people would say that indicates it must be a good thing on balance, but I'm not so sure. I know how large organisations work and making sensible decisions based on deep knowledge of a process is not a common event! As decision making evolves further up the hierarchy the people tend to be less involved with the technicalities of anything and also less attuned to the needs of the people they are theoretically there to help. So they make worse decisions, not better.
So it seems to me that SSO is another example of something that leads to unintended consequences. It is something that seems like a good idea in theory, but in practice the bad aspects outweigh the good. As I said, this is just my opinion and I realise alternative views are possible, but I haven't ever heard a really strong argument supporting it, except that it is what "everyone else does".
There is one last element of this I should mention too. The institution involved in this case requires employees to have a long and complex password which is changed regularly. Again, superficially this is a good idea, but what about those pesky unintended consequences?
Well in this case people cannot remember their passwords (because they are too long and because they change too often) so they write them on a sticky note next to the computer. This is additional security how, exactly? I agree it increases security against remote attacks, but it reduces it massively for casual local access.
Along with my computer science degree I also majored in psychology, so you might say I understand both computers and people (a claim I don't take too seriously, BTW) but it does seem that many other people making IT related decisions are ignoring the human nature aspect of their decisions. They're ignoring the unintended consequences.
Comment 1 (8531) by EK on 2026-01-29 at 20:21:00:
Useful! But when I read the first para I thought you are going to write on President Trump. Now I am disappointed.
Comment 2 (8532) by OJB on 2026-01-29 at 20:52:34:
Well sure, I quite like Trump in some ways, as you know, but I agree he is another leader therefore as susceptible to the criticisms I make of leaders as most others. I'll try not to disappoint you next time! :)