Sunday, September 21, 2008

Increased Security on IRS Laptops for VITA Use

As IRS laptops are being shipped out of the depot, it may be useful to keep in mind the security measures and precautions taken to ensure that data from our returns is kept confidential. To this end, there a login required at the BIOS level to allow access to the disk encryption, and another login is required to allow access to Windows. It is recommended that the TaxWise installation itself have password protection.

Over the past few years, the initial passwords have been made longer, stronger and requiring more brute force computation to break each year. However, this has resulted in passwords which require combinations of Shift key to change case within the password, and also the use of passwords which are not easily guessable. From passwords requiring simple phrases in upper case letters and numbers, to those requiring phrases with combination of upper and lower case letters and numbers, to those based on the first letters of phrases with mixed case, numbers and special characters, these passwords have become harder and harder to remember and type correctly.

At one site, each year it required a while to get the correct login - and too many incorrect logins could result in the PC locking up. To avoid this, volunteers were writing the passwords and the the logins on reference materials or on scraps of paper, and promptly forgot where they were put them, and the next week the same problem occurred.

I don't know if other coordinators have the problem, but it seems silly to have to remind volunteers one at a time what the password is, especially when it is impossible to state it verbally.

So if it is a problem, what can we do? Some ideas that come to mind are the following:

a) Have a training class on learning to remember logins and passwords and practice entering them correctly.
b) Provide instructions on how to change the default login and passwords.
c) Require logins and passwords to be changed every week, and use Windows to log changes of passwords, and transmit the logs to the IRS to check for compliance.

Any other thoughts, and or opinions?

No comments:

Post a Comment