Explain Security to Employer

Let's address your points one by one.

  1. The 3rd party sent everyone in our company the same password in a company-wide e-mail.

A password that everyone knows is not a password. It's like leaving the key under the mat, only without the mat to hide it.

  2. The app does not have a way to change the password.

So if you ever lose your keys or think someone else might have them, you can't change the locks - and from point 1, we know that your keys are already in other people's hands.

  3. All of our usernames are predetermined and easily guessable.

So, the people who have your keys also know where you live.

  4. It's possible to login as anyone from any device into this app.

Put the first three together - other people have your keys, they know where you live, and you can't change the locks - and yeah, this is the result. Anyone can get into somewhere that should be yours alone. To recycle your employer's car analogy, he's asking all employees to lock their cars but leave the keys in the door, and then park in the company car park underneath a sign with their name on.

And on top of all this, he's asking you to do this on your personal phone. Your employer has no right to be touching that device. Depending on what this app does, this could be exposing your personal data to risk because of a third-party security flaw that you have no control over.

Even if the third-party app isn't malicious and doesn't do anything that causes a risk, there's no guarantee that it's 100% free of accidental flaws or bugs that might cause a security weakness or present an opportunity for some other malicious party to exploit. Given this third-party company's atrocious handling of basic security practices like "don't email passwords", "don't re-use passwords", and "always allow users to change their passwords", the chances of their app being completely safe, secure and free of vulnerabilities is looking pretty slim.


My advice is to try to explain the security implications from a risk-based approach. What could happen if you installed an app with such poor security? You don't have to explain how to take advantage of the poor security in the app, but just expose the risk. Impersonation alone is a very significant turn-off for many managers; someone could do something bad and blame another person, and even as a prank it could lead to serious repercussions.

In my experience, managers need to balance risk with benefit, and once they see what may go wrong they start to wonder if it's really worth it.


While analogies are useful when explaining basic concepts to someone completely unfamiliar with the field, they actively harm professional discussions. Understand that every analogy is subjective, and non-representative of any field-specific details. Actually, the car analogy is especially bad because it confuses safety and security. Bottom line, use analogies with care, and stop using them the moment you feel carried away.

Instead, I would ask your employer how to deal with specific threats you can identify. For one, this app seems to be vulnerable to impersonation. Tell your boss how you can use this app to pretend to be someone else, and ask him what countermeasures will be implemented to prevent this.
