Are IT guys supposed to know users passwords?

nice343

In my company the policy is yes. What about yours???? and is this a normal behaviorin an IT department?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

Netstudent

I know A LOT of user passwords. I'd say it's rather common if you are supporting end users. Especially the frequent ones that will never figure out an operating system or an application they use on a daily basis.

Plantwiz

nice343 wrote:

In my company the policy is yes. What about yours???? and is this a normal behaviorin an IT department?

Shouldn't be 'normal' if you are following a security parodical. As the IT guy/gal you have the keys to reset it so why do you need to know their password? On a quick fix, then the user can simply log on, or you can use your admin rights.

So, in today's IT world I say this should no longer be normal....back in the mid-late 90s...it was a bit more normal...not today.

binarysoul

The short answer is YES.

If doctors must know patients' medical history, why can't IT doctors know users's passwords?

Generally, IT people have other intersting things to do than to try to remember someone's password after they've helped them.

Plantwiz

binarysoul wrote:

The short answer is YES.

If doctors must know patients' medical history, why can't IT doctors know users's passwords?

Generally, IT people have other intersting things to do than to try to remember someone's password after they've helped them.

Why do you need it though?

And the analogy between an medical history and user password doesn't jive. If you are working a help desk or any part of a network....you should have the proper 'keys' to do your job and that shouldn't entail compromising a security policy.

So, I stand with there is no need to have the user password....if there was they why bother having a security policy? Might as well just take a Sharpie and write the password on the front of the Monitor Bezel.

Ahriakin

No. For many reasons, avoiding abuse of power, respecting the dividing line between what you need to do your job and what you could do if you wanted, ensuring that you can never be accused of using someone else's account and in the process denying them you as a scapegoat when they do break policy, or plain old legal compliance depending on the company business and standing.
I have the credentials to each and every domain, server, firewall, vpn, switch you name it, globally for our company - literally if it's connected to the network I can own it and as such I make a very distinct point of not knowing user passwords even if they want to give them to me, regardless of the fact that not knowing would not be an impediment if I really wanted to do harm.

2BEDB411

Plantwiz wrote:

nice343 wrote:

In my company the policy is yes. What about yours???? and is this a normal behaviorin an IT department?

Shouldn't be 'normal' if you are following a security parodical. As the IT guy/gal you have the keys to reset it so why do you need to know their password? On a quick fix, then the user can simply log on, or you can use your admin rights.

So, in today's IT world I say this should no longer be normal....back in the mid-late 90s...it was a bit more normal...not today.

Agreed...
I don't need to know their passwords, And if the problem is specific to THEIR profile, they can log themselves in for me and demonstrate the issue. Run the industry "hisec" standards for length, expiration, alphanumeric, history, and let them manage their own passwords.

This is not windows 98, it is not 1998, and let's not overlook loss of confidential information , or the new HIPPA (health insurance professional privacy act. ) USA TODAY is sitting right here in front of me (10/18/07) and actually has the "adult content" company lawsuit issue on the front page as we speak! You may want to read it.

In my opinion, Your current "shared password" policy means you will lose any disiplinary action or enforcement or prosecution power. How are you enforcing your internet use policy , proxy logs, or folder activity audit, if it is common knowledge that the secret password the user created is available to others? It will be the first defensive point brought to the table. Hence, you have no effective policy in place.

This "opens the door" for tremendous liability loss for your company. A person fired for surfing **** returned to sue the company for $100,000. A client observed a racially-targeted email and sued for $250,000 in damages. These are current news stories and current figures. And if these or other events were to happen to your enterprise, any defense lawyer would have a field day.
You may want to consider if convienience in the IT department could be a disaster in a court of law. I would move more of this responsibility back to the clients. And have them sign (an effective) password policy statement.

My Opinion Respectfully Submitted - M

networker050184

Sharing passwords with ANYONE is a big security no no. Like others have stated have them log you in if there is something you have to do with the user account, if not just use the administrator account (which the user should not know). You should never have a user give you their password, it is too much of a liablity if something were to be done from that account.

sprkymrk

Short answer - NO WAY!!!

For all the reasons already stated by others. FWIW in my environment (secure) everyone is required to use smart cards anyway.

In many environments with HIPPA and Sarbanes Oxley stuff you would fail an audit big time if the techs/admins knew the user's passwords.

Schluep

Even if you aren't in a regulated/audited environment there really should be no need to know passwords. As 2BED411 stated the legal ramnifications of such a policy if an incident were to occur would put your company in a very bad position.

If users know that there is no need to give passwords out even to IT techs it removes part of another large security threat, which is someone attempting to obtain passwords through social engineering. If people are used to giving out or sharing their passwords with IT or recognize that IT usually knows them anyway that opens the door for someone to pretend they are in a position to have that password.

If you have the ability to reset passwords for a user, why would you even want to know their password as an IT person? If someone does do something they shouldn't be doing, now the question could be "We need to know if that was John or Sally that did this on Sally's account. Sally said she didn't do it so maybe John logged in using her password." Why would you want to even put yourself in that position if you don't need to?

Kaminsky

If users are letting another member of staff know their password (ie the IT guy) who else has their password? Maybe security is so lax it's on a post-it nore on the side of the monitor! It's important for a user to undersantd the importance of security even in the smallest company.

PC Support personnel should have their own login credentials to do whatever they need on each user's PC anyway without needing the lower spec user password in the first place. That is, if the security has been set up properly on both the PCs and the network file system.

Definate No No!

Pash

Kaminsky wrote:

If users are letting another member of staff know their password (ie the IT guy) who else has their password? Maybe security is so lax it's on a post-it nore on the side of the monitor! It's important for a user to undersantd the importance of security even in the smallest company.

PC Support personnel should have their own login credentials to do whatever they need on each user's PC anyway without needing the lower spec user password in the first place. That is, if the security has been set up properly on both the PCs and the network file system.

Definate No No!

I always see users leaving their usernames and passwords on post-it notes, even if their password is like not even requiring complexity match via security settings, like joe.bloggs pw: cat. I mean derrrrrrrrrrrrrrr. Try remembering the domain admin account passwords, switch passwords, firewall passwords etc. But seriously, if they leave passwords lying about, shred em. Worst case you reset it for them and require change at next logon. I like organisations with nice password complexity and good security rules.

Aquabat [banned]

the answer is no. Why do you think we check change password at next login for users?

blargoe

nice343 wrote:

In my company the policy is yes. What about yours???? and is this a normal behaviorin an IT department?

I took the initial poster's question to mean, are you SUPPOSED to know the password, as in it is one of IT"s responsibilities to keep up with user's passwords. I guess I saw it that way, because I worked in an environment like that before. My first corporate gig was an NT/Novell shop a few years ago of about 1,000 users, the policy on the network was set to not allow password changes and never expire, and there was an excel spreadsheet that IT maintained with every user's password. I am not making this up.

binarysoul

Here is my strong criticism. Those who develop the so-called 'security policies' must be having sweet dreams and must stil be living in 50's and 60's.

I bet 40% of users' password can be cracked using dictionary techniquess. Here are some that can be actual passwords

password
12345678
cat123
dog123
myson123
mydaughter123
monday123
computer999
internet555
myemail
mybirthday

The only way you can secure passwords are to go persoannly and log every user at 8 am yourself.

networker050184

Our password policy wouldn't allow such passwords. They have to have a minimum of two capital, two lowercase, two numbers and two special charecters. This does lead to more password resets, but makes it much more secure. Well a lot more secure than cat123 anyway. We mostly use smart cards now anyway.

Pash

networker050184 wrote:

Our password policy wouldn't allow such passwords. They have to have a minimum of two capital, two lowercase, two numbers and two special charecters. This does lead to more password resets, but makes it much more secure. Well a lot more secure than cat123 anyway. We mostly use smart cards now anyway.

A banking organisation that we are contracted to currently employs exactly the same sort of rules. Also, aladin etoken with single sign on is becoming increasingly popular, as well as safeboot for laptops or offsite computers.

binarysoul

Banks maybe, but I've seen many large organizations where the above listed passwords were largely used, especailly with loggin on to Widnows.

Usually password policies create more phone calls of "I got lock out after attempting my password 3 times" 'can you reset my password?' and users going nuts over why the system wouldn't allow them choose any password they type.

That's headache and frustration for workers and IT persons.

Oh, the other one is IT staff giving users temp passwords and asking them to change soon. How do you get around that if the system doesn't force you to change it right away? Ummmm

mgeorge

sprkymrk wrote:

Short answer - NO WAY!!!

For all the reasons already stated by others. FWIW in my environment (secure) everyone is required to use smart cards anyway.

In many environments with HIPPA and Sarbanes Oxley stuff you would fail an audit big time if the techs/admins knew the user's passwords.

Agreed

Every hospital that I've worked with uses smart cards. And while engineers/admins have access to the patient records database as a whole, they do not have access to read patient information. They use encryption and several other methods to secure that information.

these programs are built very strangely, but they work and most of them have proprietery databases. But any who time for breakfast

Plantwiz

networker050184 wrote:

Our password policy wouldn't allow such passwords. They have to have a minimum of two capital, two lowercase, two numbers and two special charecters. This does lead to more password resets, but makes it much more secure. Well a lot more secure than cat123 anyway. We mostly use smart cards now anyway.

Agreed. If you set your policies correctly, they must be changed and contain a combination of numbers, caps and characters as mentioned above.

So, it comes down to the IT people making sure they are adhereing to the most secure protocal available to them.

Blakwidoe

binarysoul wrote:

Banks maybe, but I've seen many large organizations where the above listed passwords were largely used, especailly with loggin on to Widnows.

Usually password policies create more phone calls of "I got lock out after attempting my password 3 times" 'can you reset my password?' and users going nuts over why the system wouldn't allow them choose any password they type.

That's headache and frustration for workers and IT persons.

Oh, the other one is IT staff giving users temp passwords and asking them to change soon. How do you get around that if the system doesn't force you to change it right away? Ummmm

If I was the System Administrator of these so called corporations those passwords would not even begin to pass the bar I would set. I would much rather spend 20 seconds resetting a password than hours tracing down what a hacker did to my network and correcting it or ::GASP:: losing it all togeather. Talk about a headache or frustration!!! not to mention trying to explain to upper management why their data has been compromised! I think Ill spend 20 seconds resetting passwords or designate someone to do that rather than lose my job over something as simple as password complexity.

sprkymrk

Blakwidoe wrote:

binarysoul wrote:

Banks maybe, but I've seen many large organizations where the above listed passwords were largely used, especailly with loggin on to Widnows.

Usually password policies create more phone calls of "I got lock out after attempting my password 3 times" 'can you reset my password?' and users going nuts over why the system wouldn't allow them choose any password they type.

That's headache and frustration for workers and IT persons.

Oh, the other one is IT staff giving users temp passwords and asking them to change soon. How do you get around that if the system doesn't force you to change it right away? Ummmm

If I was the System Administrator of these so called corporations those passwords would not even begin to pass the bar I would set. I would much rather spend 20 seconds resetting a password than hours tracing down what a hacker did to my network and correcting it or ::GASP:: losing it all togeather. Talk about a headache or frustration!!! not to mention trying to explain to upper management why their data has been compromised! I think Ill spend 20 seconds resetting passwords or designate someone to do that rather than lose my job over something as simple as password complexity.

Smart cards are the way to go. No more typing in a user name (which can be a pain if your user name is longfirstname.middleinitial.longlastname) or trying to remember a 15 character complex password - just bring your smart card to work (keep it on your person like you would your wallet or drivers license - in almost 4 years of using smart cards on a 450 user network I have only had 4 occasions where a user has forgotten it) and remember your 6-8 digit numeric PIN.

blargoe

Password security is as much (if not more) about keeping malware and hackers from easily cracking passwords to gain valid logon for mischief as it is keeping Joe from knowing Sally's password.

Sie

I'll answer your question with a question:

Do you tell your bank your pin number?