The Daily Parker

Politics, Weather, Photography, and the Dog

Corporate insecurity

Anne brought to my attention the security practices at a medium-sized company in Chicago that make security nearly impossible: the company's IT department assigns Windows domain passwords to the users. In a recent communication, IT said this practice made the domain more secure.

It actually made me mad to hear about this practice. They're not only wrong, they're wrong in a particularly ignorant and incompetent manner, and someday they're going to have a significant security incident.

Secure log-ins serve two distinct purposes: authentication and authorization. Authentication means that the log-in procedure should guarantee that the person providing the log-in credentials is who she claims to be. Authorization means that the successfully logged-in person has access to the data he needs access to, and no more.

Most people only equate log-in screens with the latter. In many organizations I've worked with, people share passwords all the time, thinking that the password controls what they can do. It's often then impossible to figure out who did what with which data. Within a company that has Sarbanes-Oxley reporting requirements, this kind of sloppiness may actually violate criminal law in some cases.

Your bank knows about authentication. It's why you have a PIN (personal identification number) for your cash card. It's also why sites like the IRS website ask for hard-to-know information, like your previous year's adjusted gross income, before they let you do anything. Some people at your bank and at the IRS are authorized to see your information, too, but when they look at it, there's a record that they are looking.

IT administrators never actually need your password, because their authorization far exceeds yours. Plus, it's usually important for IT departments to know who did what to each computer. When you have the keys to the kingdom, you come under greater scrutiny.

For these reasons, the only person who should know a log-in password is the person who chose it. Any password that the person did not, herself, choose, is no better than a password that a "malicious user" has cracked or stolen.

Now look at what the company Anne mentioned is doing. The IT department has a list of passwords, which can be stolen. Also, the IT department can log in to any employee's workstation as that employee (which is, I think, their goal). Once in, they can send email under the employee's identity, rummage through confidential information (for example, on a law partner's computer, where the lawyer has a legal obligation to keep the information private, even from other people in her firm), etc.

No doubt the IT department would claim they need this kind of access to ensure employees aren't using computers for personal work, or storing copyrighted materials on work computers. But since the password list exists, even if compromising material were found on the employee's machine—which, by the way, the IT people have the ability to find under their own login credentials—now there is a legitimate claim that the employee had no knowledge of the problem, because there is no way to show conclusively that only the employee could have put it there. (Had IT put it there under their own credentials, this would be easily determined by checking the security information on the computer.)

This isn't the only idiocy perpetrated by this particular IT department, but it's the one most contributing to their lack of security. If there were a professional organization of computer people, these guys would be thrown out.
