The cursor is a rhythmic taunt. Blink. Blink. Blink. I’ve been staring at this login screen for 9 minutes, which is exactly how long it takes for my coffee to go from “perfect” to “liquid disappointment.” I just got back from a week in the mountains where the only protocol I had to follow was not getting eaten by a bear. Now, I’m back in the cubicle, and the bear is this dialog box telling me that my credentials, the ones I’ve used for 29 months, are invalid.
Wait, no. They aren’t invalid. They’ve expired. Because apparently, in the 169 hours I was away, my digital identity became a security risk that can only be mitigated by changing “Summer2023!” to “Summer2023!!”.
I know exactly what my password is. I’m right. I know I’m right. I have that specific, itchy certainty that comes from having a memory for sequences. But the system doesn’t care about my certainty. It’s like that argument I had yesterday with the lead developer about the load balancer. I showed him the logs. I showed him the 409 errors. He looked me dead in the eye and said it was a CSS issue. It wasn’t. It never is. But he’s the one with the “Senior” title, so now the load balancer is still screaming and I’m the one being told my password, the one I typed 19 times into my brain to memorize, is “incorrect.”
The lock is not for the thief; it is for the landlord’s peace of mind.
– Observation on Friction
The Watchmaker and the Wall of Friction
Miles T.J. doesn’t use a computer much. He spends 39 hours a week peering through a loupe at tiny, brass gears that are smaller than a grain of salt. He’s a watch movement assembler, a man whose entire existence is predicated on the idea that things should fit together exactly as they were designed. If a screw is 0.009mm off, the entire movement is trash. He understands friction. He understands that too much resistance in a system eventually leads to a catastrophic failure.
When Miles comes home and tries to check his payslip on the company portal, he encounters a level of friction that would make a mechanical watch explode. He has to provide a 19-character password. He has to use a special character, but not that special character, because the legacy database from 1989 can’t handle a semi-colon. That restriction is itself a warning sign: a password that is hashed before storage never reaches the database as characters, so a rule that exists for the database’s sake suggests the plaintext is travelling further than it should. If he fails 9 times, he is locked out for 29 hours. Miles, being a man of practical precision, does what any sane human would do: he writes the password on a fluorescent orange sticky note and slaps it onto the side of his monitor.
[Infographic: The Security Trade-Off (Conceptual Metric), contrasting “Policy Satisfied” with the “Human Path of Least Resistance”]
This is the secret reality of corporate security. It is a system designed by people who read white papers but never actually have to live inside the architecture they build. They think they are building a fortress. In reality, they are just building a very expensive collection of sticky notes.
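To make the trade-off concrete, here is an added example (not code from the original post) that puts the composition-rule policy Miles faces beside a policy of the kind NIST SP 800-63B recommends: a length floor, a breached-password denylist, a check for context words, and a similarity check against the previous password, with no calendar expiry. The 19-character rule and the semicolon ban come from the post; the 12-character floor, the five-entry denylist, the context words and the sample passwords are constructed for illustration. The point it shows is the inversion the post describes: the legacy rules wave through the old password with one more “!” appended and reject a long passphrase, while the modern checks do the opposite.

```python
"""Added example (not from the original post): the composition-rule policy
the post describes, beside a length-and-denylist policy in the spirit of
NIST SP 800-63B, run over constructed sample passwords.
Thresholds, the denylist and the context words are assumptions."""

import re
from typing import List, Optional

LEGACY_MIN_LEN = 19   # the portal's rule, as described in the post
MODERN_MIN_LEN = 12   # assumption: a minimum length in the 800-63B spirit

# Constructed stand-in for a breached-password corpus; a real check would
# query a large list (e.g. by hash prefix) rather than a five-entry set.
BREACHED = {"password1", "summer2023", "summer2023!", "welcome1", "changeme123!"}


def legacy_policy(pw: str, previous: Optional[str] = None) -> List[str]:
    """Composition rules only. Returns violations; [] means accepted.
    Nothing here asks whether the string is guessable or is simply the old
    password with one more '!' on the end."""
    problems = []
    if len(pw) < LEGACY_MIN_LEN:
        problems.append(f"shorter than {LEGACY_MIN_LEN}")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if ";" in pw:
        problems.append("semicolon rejected by legacy backend")
    if previous is not None and pw == previous:
        problems.append("identical to previous")   # only exact reuse is caught
    return problems


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small values flag 'rotate by appending a character'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stem(pw: str) -> str:
    """Strip the decoration rotation policies produce (case, digits, symbols)
    so 'Summer2023!' and 'Summer2023!!' collapse to the same core word."""
    return re.sub(r"[^a-z]", "", pw.lower())


def modern_policy(pw: str, previous: Optional[str], context: tuple = ()) -> List[str]:
    """Length floor, breach denylist, context words, and a similarity check
    against the previous password. No composition rules, no calendar expiry."""
    problems = []
    if len(pw) < MODERN_MIN_LEN:
        problems.append(f"shorter than {MODERN_MIN_LEN}")
    if pw.lower() in BREACHED:
        problems.append("appears in breach corpus")
    for word in context:
        if word.lower() in pw.lower():
            problems.append(f"contains context word {word!r}")
    if previous is not None and (stem(pw) == stem(previous) or levenshtein(pw, previous) <= 2):
        problems.append("trivial variant of previous password")
    return problems


def compare(candidates, previous, context):
    """Run both policies over the same candidates; returns {pw: (legacy, modern)}."""
    return {pw: (legacy_policy(pw, previous), modern_policy(pw, previous, context))
            for pw in candidates}


if __name__ == "__main__":
    # Constructed sample: the post's 'Summer2023!' padded to meet the
    # 19-character rule, then rotated by appending '!', versus a passphrase
    # and the help desk's temporary password.
    old = "Summer2023!Welcome1"
    results = compare(["Summer2023!!Welcome1", "loupe-brass-gear-spring", "ChangeMe123!"],
                      previous=old, context=("miles", "watchco"))
    for pw, (legacy, modern) in results.items():
        print(f"{pw!r:28} legacy={legacy or 'OK'}  modern={modern or 'OK'}")
```

The similarity check is deliberately crude (a stem comparison plus an edit distance of two); it exists to catch the “append a character” ritual the post describes, not to score entropy. In a real deployment the denylist lookup would go against a large breach corpus, and the lockout counter would throttle rather than freeze the account for more than a day.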
LIABILITY MANAGEMENT vs. RISK MANAGEMENT
The Insurer’s Spreadsheet
Most of these policies aren’t about stopping a sophisticated state actor from infiltrating the 199 servers that hold the company’s secrets. If a hacker wants in, they aren’t going to spend 199 years brute-forcing a 19-character password. They are going to send a phishing email that looks like a FedEx notification, and someone, probably a tired manager who just had their 9th meeting of the day, is going to click it. No, these policies exist to satisfy the 29-page questionnaire from the cyber-insurance adjuster.
The insurer asks: “Do you enforce periodic password rotation?” The CTO, who hasn’t written a line of code since 1999, says: “Yes.” The insurer lowers the premium by $10,999. Everyone feels safe. The spreadsheet looks beautiful. Meanwhile, the actual security of the company has decreased: forced rotation produces “Summer2023!!” and a fresh sticky note, which is why NIST SP 800-63B has recommended against periodic rotation and composition rules since 2017, reserving forced changes for evidence of compromise.
We talk about “user experience” in product design, but we treat “employee experience” in security like an afterthought. We assume that if we make things difficult enough, we must be making them secure. But humans are like water; we find the path of least resistance.
The VPN Gauntlet
I’m currently locked out. I have 29 minutes before my next meeting, and I can’t even open the slide deck because it’s on the cloud drive. I called the IT help desk. I’m caller number 19 in the queue. The hold music is a distorted MIDI version of a song that was popular in 1989, and it’s looping every 49 seconds. I’m sitting here, staring at the dust on my monitor, thinking about the 119 employees in this department who are all performing this same ritual of frustration.
This is especially true when it comes to remote work. The transition to decentralized offices meant that we had to extend the corporate perimeter to people’s living rooms. Instead of making that transition fluid, many organizations just doubled down on the friction. They implemented VPNs that drop connection every 39 minutes and multi-factor authentication that requires you to have your phone, a hardware token, and perhaps a lock of your first-born’s hair.
[Infographic: MFA Chains (phone + token + key); VPN Drops (every 39 minutes); Extended Perimeter (living room lockdown)]
It doesn’t have to be this way. There are ways to handle remote access that don’t treat every employee like a potential spy. A centrally managed remote desktop environment such as an RDS CAL deployment, for instance, gives users one brokered session to the resources they need instead of a tunnel on every laptop; the caveat is that the session host then becomes the concentration point, so it is the one place that must carry strong authentication and prompt patching. It’s about creating a secure tunnel that doesn’t feel like a gauntlet.
The Ghost of 2019: Mental Discipline
I remember an argument I lost back in 2019. I was advocating for a password manager rollout. My boss at the time, a man who still printed out his emails to read them, refused. He said, “If we put all the passwords in one place, that’s where the hackers will go!” I tried to explain that the passwords were already in one place: under everyone’s keyboards. He didn’t listen. He felt that the manual effort of remembering a dozen complex strings was a form of “mental discipline” that kept the staff sharp.
The failure to understand human nature is the single greatest vulnerability in technical systems.
– Catastrophically Wrong
So here I am, 9 years later in my career, still fighting the same ghosts. The irony is that the more technical we get, the less we seem to understand human psychology. We treat the human element of the system like a bug that needs to be patched. But you can’t patch human nature. You can’t patch the fact that if you give a person a choice between a 19-character password they will forget and a 4-digit PIN they will remember, they will find a way to use the PIN.
If you want to know how secure a company actually is, don’t look at their firewall logs. Don’t look at their 199-page security audit. Just walk through the office at 19:59 on a Friday night when the cleaning crew is there. Look at the monitors. Count the sticky notes. That is your real security posture. The $15,999 we spent on the latest AI-driven threat detection software is currently being bypassed by a piece of paper that cost $0.009.
The Argument Over Buster
I finally got through to the help desk. The technician sounds even more tired than I am. He’s probably reset 49 passwords today already. He asks me for my employee ID number, my mother’s maiden name, and the name of my first pet. I tell him. He pauses.
“That’s not the pet we have on file,” he says. I feel the heat rising in my neck.
“I have two dogs. Did I put Rex or Buster?”
“I can’t tell you that, sir. For security reasons.”
I’m now arguing about the existence of a dog that died in 2009.
– The Kafkaesque Queue
Eventually, I convince him I am who I say I am. He resets my password to a temporary one: “ChangeMe123!”. “You’ll have to change that immediately,” he warns. I hang up. I log in. The system prompts me for a new password. It must be 19 characters. It cannot contain my name. It must contain a symbol, a number, an uppercase letter, and a blood sacrifice.
The Final Act of Security
I look at my desk. There’s a fresh pad of yellow sticky notes. I pick up my pen. I write down the new sequence. I stick it to the bezel of my monitor, right next to the one from 39 days ago that I forgot to throw away. I’m back in. I’m “secure.”
The Builders vs. The Walls
We build these systems to protect our data, but we forget that data is only useful if people can actually reach it. When the walls get too high, we don’t just keep out the enemies. We keep out the builders, the thinkers, and the people like Miles T.J., who just want to make sure the gears keep turning without being crushed by the weight of the clock itself.
In the end, the most dangerous vulnerability in any network isn’t an open port or an unpatched server. It’s a workforce that has been trained to see security as an obstacle to be bypassed rather than a standard to be upheld. And until we start writing policies for the people who actually use the computers, the sticky note will remain the most powerful hacking tool in the world.