Password Security?
-
SMBs do this a lot. It's crazy.
-
@thecreativeone91 said:
What's with people wanting to keep track of users passwords? I've seen this kind of stuff a lot. Heck I even had a person who is a local sys admin for a bank ask me this the other day. How hard is it to click reset password? I mean seriously?
http://community.spiceworks.com/topic/593563-managing-user-passwords?page=1
Every time I've encountered this it's based in fear of a person leaving. If you inquire to the person pushing this type of idea, you will find that something happened once upon a time where a password was lost, resulting in them latching onto this idea of having to keep every single user's password. I battled a little of this when I first started my current job because there was a misunderstanding of how permissions worked, how AD authentication worked and what a problem it was just having a excel list that was password protected with 0 encryption.
A lot of poor practices are a result of past emotional reactions to situations.
-
These threads are always coming up on Spiceworks and I've contributed to a few myself, without getting any satisfactory replies. I sit on the opposite side of the fence here. I sometimes ask users for their passwords. Let this be the thread that you all convince me to change my ways!
Firstly, what's the risk? I've heard people say it weakens any case at an employment tribunal, because the defendant can argue that the IT guy could have used his login credentials to somehow frame him. As the single IT guy for my organisation, I don't buy this. If I wanted to frame someone, there are plenty of ways I could do it. I could just manipulate log files. So the defence goes from "he could have used my login credentials to frame me" to "he could have manipulated the log files to frame me". There is huge amounts of trust in me implied in my position. The situation changes once a company employs two IT people. It would be much harder to frame someone if there was another technical guy here overseeing my work. So I can see why practices change for larger organisations.
I've heard people say it is unnecessary because everything can be achieved via things like Powershell and the Office Customisation Tool. People say I'm not qualified to be an IT Admin if I can't use these tools. I'd partially agree with that - I'm not an IT Admin and neither do I want to me. I don't have the time or inclination to learn Powershell in detail. Also, Office Customisation Tool is only available with Volume Licences and we use OEM & Retail. Now I'll overcome these obstacles if the risk is high enough (I'm not completely lazy!), but again, what's the risk?
People say writing user passwords down is insecure. Well, I write them down in the same place I write the Domain Admin password, so that is irrelevant. If someone hacked in to my Keepass database, getting hold of user passwords is the least of our worries.
Now, let's say you convince me of the risks. This brings me to the big problem I have with resetting a user password. People say "just reset it and let them know what it is and force them to change it when they logon." OK, how do I let them know? Some people say e-mail it to them. How do they get their e-mail if their password has been reset? Some people say leave a note. Is that really more secure? A domain password left on a desk for everyone, including the cleaners, to see and use? Really, that's more secure? If I could just tell them, that would be fine. But I only use their password because they're not around. If they were around, I'd get them to logon for me, so this wouldn't be an issue.
Convince me Mangos. And I need a better arguments than just "it's crazy" or "it's poor practice".
-
@Carnival-Boy said:
Firstly, what's the risk? I've heard people say it weakens any case at an employment tribunal, because the defendant can argue that the IT guy could have used his login credentials to somehow frame him. As the single IT guy for my organisation, I don't buy this. If I wanted to frame someone, there are plenty of ways I could do it. I could just manipulate log files.
Because you can act as them even while monitored. You can give the credentials to other people. You can trivially do what is extremely difficult with logs. Can you hide yourself with logs? Maybe, but not always and when you can it is incredibly difficult and there are many, many ways to catch you and you have to do it "later" so there is always a gap in which to catch you.
Yes, there is more than one way to commit a crime. But carrying a loaded gun vs. keeping a box cutter in your pocket is very different, even if you can achieve the same end result with effort.
But moreso, passwords used at work can be used to show password patterns and often are the same as passwords elsewhere. So keeping passwords from someone can be used in a non-work related hack attempt or social engineering attack. It broadens the scope of risk beyond the business and puts individuals personally at risk. Should they know better? Of course. But we are talking about end users. Are you educating them about the risks that potentially exist before they give you their passwords?
-
@Carnival-Boy said:
Now, let's say you convince me of the risks. This brings me to the big problem I have with resetting a user password. People say "just reset it and let them know what it is and force them to change it when they logon." OK, how do I let them know? Some people say e-mail it to them.
How are you getting passwords to them now? Whatever works today should continue to work.
-
@Carnival-Boy said:
People say writing user passwords down is insecure. Well, I write them down in the same place I write the Domain Admin password, so that is irrelevant. If someone hacked in to my Keepass database, getting hold of user passwords is the least of our worries.
Why is the domain admin password written down? Is this a break-glass system for turning over admin access to a third party? I don't know the reasoning here, but this sounds bad. And using it as logic that lesser vulnerabilities aren't that bad makes it far worse. You have a huge, unnecessary risk (potential of exposed admin password) and use it to excuse the risk of lesser exposure (access to everyone's passwords which, in theory, together are just as bad.)
It's actually worse getting all of them, though, because someone CAN act as the admin to cover their tracks but can assume the identity of the end users to make it nearly impossible to detect. Because they don't need to reset their passwords they are able to use the domain admin secretly in a way that they could not if the other was not available. Getting both magnifies the risk to the company (keeps you from detecting the breach) and puts the users themselves personally at risk (their personal identifies are compromised) and, if this was the US, puts the IT team at risk (users were put at risk and compromised.)
We don't write down any of these. No need to. Needing to reset passwords is a critical alerting system to alert users to the compromising of their accounts.
-
@scottalanmiller said:
How are you getting passwords to them now? Whatever works today should continue to work.
They are given it as part of their induction when they join the company. But that's not practical on a day to day level.
-
@scottalanmiller said:
Why is the domain admin password written down? Is this a break-glass system for turning over admin access to a third party?
Essentially, yes. I've read tons of stories of networks getting compromised, usually as part of a penetration test. I haven't actually done a pen test here, but I've no doubt that our network could get compromised. What I haven't heard though, is networks getting compromised via a Keepass database (or similar password management tool). Those products seem pretty robust. That doesn't appear to be the weak link in our security.
-
This post is deleted! -
Also, I could actually forget the domain admin password. I'm not getting any younger!
Without wishing to sidetrack the thread too much: if you don't write the Domain Administrator password down, and only have an IT staff of one, what happens if that person dies or is terminated or otherwise becomes unavailable. Physically resetting the password? Is that best practice? It seems messy to me.
Also, you're an MSP aren't you? How do manage client domains if you don't write down any passwords?
-
What prevents the users from calling you when you reset their password? You could leave them a note something to the effect "I needed to login as you, your password was reset - please call me to get the new information"
-
Another "reason" I see is when you spin their password, their phone suddenly starts popping errors. When this is done because someone is out of town, how do you get them to log in and set their new password?
-
@Dashrender said:
What prevents the users from calling you when you reset their password? You could leave them a note something to the effect "I needed to login as you, your password was reset - please call me to get the new information"
I'm not always around. People work 24/7.
-
@JaredBusch said:
Another "reason" I see is when you spin their password, their phone suddenly starts popping errors. When this is done because someone is out of town, how do you get them to log in and set their new password?
Can they do it on their phones using OWA?
-
@scottalanmiller said:
@Carnival-Boy said:
Now, let's say you convince me of the risks. This brings me to the big problem I have with resetting a user password. People say "just reset it and let them know what it is and force them to change it when they logon." OK, how do I let them know? Some people say e-mail it to them.
How are you getting passwords to them now? Whatever works today should continue to work.
This is what I have done before at my last job. It doesn't actually reset the users password just generates a password based of the hash of there email and last four of social. I just had a excel sheet (encrypted) of what passwords are to be reset to when they are reset. Users would have to go to another persons computer and go to the internet to generate this. Though I think some eventually memorized their "reset" password. they would have to change it at next logon.
-
@Carnival-Boy said:
@JaredBusch said:
Another "reason" I see is when you spin their password, their phone suddenly starts popping errors. When this is done because someone is out of town, how do you get them to log in and set their new password?
Can they do it on their phones using OWA?
Nope. Has to be done from a domain joined computer.
-
@JaredBusch said:
Another "reason" I see is when you spin their password, their phone suddenly starts popping errors. When this is done because someone is out of town, how do you get them to log in and set their new password?
Depends on the work environment but, unless they are FLSA exempt the HR standard anymore is to not allow email outside working hours for them, as even if they choose to work on their own or are asked by their boss to check their email they still have to be paid for that time as a exempt employee. There have been law suits over this.
-
@Carnival-Boy said:
@scottalanmiller said:
How are you getting passwords to them now? Whatever works today should continue to work.
They are given it as part of their induction when they join the company. But that's not practical on a day to day level.
With a temp password, you can always give it in the same manner. It's a one time and you know when it has been used because it gets reset. Everyone needs a temp one now and then or a reset system. That's fine. But it should be generated from the IT side and the end user should always know if it has been used before (they would be unable to log in.)
-
@Carnival-Boy said:
@scottalanmiller said:
Why is the domain admin password written down? Is this a break-glass system for turning over admin access to a third party?
Essentially, yes. I've read tons of stories of networks getting compromised, usually as part of a penetration test. I haven't actually done a pen test here, but I've no doubt that our network could get compromised. What I haven't heard though, is networks getting compromised via a Keepass database (or similar password management tool). Those products seem pretty robust. That doesn't appear to be the weak link in our security.
Keepass is pretty secure. But how it is used is what matters. Are you the only one with access to it? If so, isn't that a point of fragility? If not, that's a lot of password exposure. Are you confident that no one is writing down the Keepass password?
Keepass is great, I just wouldn't keep the one master domain password there.
-
@Carnival-Boy said:
Also, I could actually forget the domain admin password. I'm not getting any younger!
Without wishing to sidetrack the thread too much: if you don't write the Domain Administrator password down, and only have an IT staff of one, what happens if that person dies or is terminated or otherwise becomes unavailable.
I'm of the opinion that there should never be only one domain admin. There should be someone, somewhere (could be the attorney) who keeps a backup account who is never, ever allowed to use it unless to terminate you or to deal with your demise. It's effectively a break-glass.
An organization much larger simply has a domain admin team. It's easy when you are bigger. But the CEO or Corporate Counsel or someone very senior, very trusted and very not involved should have a means to gain access in case of emergency.
We have an emergency break-glass that goes through a third party to get a sealed password for a one time emergency. We would have to reset the glass afterwards. But there is no casual way to get that access. You'd need a conspiracy to do it.