Any strategies for dealing with users sharing passwords?

dynamik Banned Posts: 12,312
We're a small company of about 30 people, and sometimes a person needs to access someone else's machine (i.e. to get an email attachment while the other person is in a meeting or out sick). It seems like I'm being asked for someone's password every other day, and everyone is always shocked that I don't keep a list of all of them.

Anyway, there's no getting around it because I can't stop them. I'm just wondering if any of you have had to deal with a situation like this before and what strategies you have employed to minimize the security vulnerability. Maybe I should just keep a list in TrueCrypt or something. If I don't, it's probably only a matter of time before someone starts one on a sticky note near their desk...

Comments

  • cisco_trooper Member Posts: 1,441
    You need management's backing here. They share a password they get written up. They do it again they get fired. End of story.

    BUT, you won't be successful without management on your side.


    EDIT:
    There is not a single good reason I can think of that anyone should ever need anyone else's password. This is what security groups, access rights, and permissions are for. If they need access to something they need to be given access to it through their own account.
  • dynamik Banned Posts: 12,312
    Management and their assistants are the primary culprits. No one else cares about anyone else's stuff.
  • cisco_trooper Member Posts: 1,441
    Just tell them you don't know the passwords. If things are implemented correctly, this is not untrue.

    If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone else's password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

    I would be coming unglued if I were in your spot. This is not an issue to take lightly.
  • Mishra Member Posts: 2,468
    "If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone else's password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

    I would be coming unglued if I were in your spot. This is not an issue to take lightly."

    I like this and would just like to improve on his post.

    I would schedule meetings with management or mention it in other meetings. If you bring up your concern with genuine worry and have a solution presented to fix the problem then you are going to look better among your management team. Make sure you have taken notes and look organized when you present the issue.

    You want to become a part of security from what I know so this will make you look good in that area.
    My blog http://www.calegp.com

    You may learn something!
  • dynamik Banned Posts: 12,312
    cisco_trooper wrote:
    EDIT:
    There is not a single good reason I can think of that anyone should ever need anyone else's password. This is what security groups, access rights, and permissions are for. If they need access to something they need to be given access to it through their own account.

    We work on insane schedules, and if a file is stuck on someone's desktop or in their email, we're screwed. Obviously things like this could be avoided, but sometimes people just don't plan ahead.

    cisco_trooper wrote:
    Just tell them you don't know the passwords. If things are implemented correctly, this is not untrue.

    I do, but they just call the other user something.

    cisco_trooper wrote:
    If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone else's password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

    This place is kind of a circus. I actually have no idea how we stay in business (besides my l33t IT skills of course). Management does whatever the hell it wants. There are no policies for things like this, and even if there were, they'd just be ignored. I appreciate where you're coming from, but I know all of that, believe me. I'm just looking for a way (if any even exists) to contain this as much as possible.

    cisco_trooper wrote:
    I would be coming unglued if I were in your spot. This is not an issue to take lightly.

    You have no idea.

    edit: Mishra, I completely agree, but like I said earlier, none of that applies to this goofball organization. I'm not looking for best practices or anything like that. I already know those. I guess I just need a straitjacket or something.
  • undomiel Member Posts: 2,818
    Looks like dynamik came unglued a long time ago and is now numb to it.

    It doesn't sound like there is much you can do, but maybe next time they ask for someone's password you can suggest an alternative solution whenever possible. Or see if you can find any hoops to make them jump through so that they'll wonder if they really needed that password right then.

    Or move to Phoenix, live with snadam for 6 months, and take your pick of the jobs over here. :D
    Jumping on the IT blogging bandwagon -- http://www.jefferyland.com/
  • darkuser Member Posts: 620
    the best strategy would be an "acceptable use" policy
    forbidding it.

    then enforce said policy

    http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf
    rm -rf /
  • cisco_trooper Member Posts: 1,441
    Damn man, I don't know. People need to quit saving things to their desktop. That is retarded on their part anyway. Ask them how happy they are going to be when they lose everything because they didn't save it on the network drive you gave them.

    You may need to PUSH them in the right direction. That means you schedule the same meeting more than once if necessary until they learn the error of their ways.

    I generally refuse to have an emergency due to someone else's poor planning and refusal to take my suggestions. I will sit back and wait for it to bite them then say I told you so with a smile on my face. But then again I have an aggressive demeanor so that may not work out too well for you. Just sayin.
  • dynamik Banned Posts: 12,312
    I appreciate everyone's responses, but it doesn't look like there's any realistic solution to this. Even if those policies were applied and followed, it'd just result in having the management fire themselves and their assistants, and then we'd all be unemployed and starve. I'll just let them keep doing what they're doing I guess.

    Actually, I've come up with a solution that just might work though

    It's called: F-It, I'm moving to Phoenix!

    Snadam, PM me your address...
  • cisco_trooper Member Posts: 1,441
    Oh yeah, you can lock desktops so the user can't even interact with it via group policy....
  • Mishra Member Posts: 2,468
    "edit: Mishra, I completely agree, but like I said earlier, none of that applies to this goofball organization. I'm not looking for best practices or anything like that. I already know those. I guess I just need a straitjacket or something."

    Sometimes I post stuff and get the general answers too so I know what you mean. ;) But I thought that maybe saying that you should present the idea professionally until they tell you personally that they don't care might score you bonus points.

    If you want to pursue it further even though your company doesn't care, then you need to make sure no one has administrative rights on a machine. If UserB gets privileged UserA's password and wants to do something malicious then he could log onto UserA's machine and use their access or simply destroy their machine. I would try to address that.
    My blog http://www.calegp.com

    You may learn something!
  • cisco_trooper Member Posts: 1,441
    Don't give up yet.

    You can get this done, but you are just going to put it in terms that are going to strike them as good for the business. If they still don't think it is a good idea then they aren't very good business people and will likely fail in time.

    If implemented correctly, no one has a need for anyone's password anymore, and they can quit asking, and quit trying to figure out how they are going to get on PersonA's machine to get the document they needed today, but PersonA called in dead or called in rich or whatever. They will be able to focus more on company initiatives and sales and marketing or whatever it is they do.

    Strongly encourage the use of network drives, get management's backing, then lock the desktops so they can't save crap there anymore. Redirect MyDocuments to a server location. Assign rights so that management can at least read people's network files.
  • Ahriakin Member Posts: 1,799
    I started with my current company about 20 months ago. Security was next to non-existent also and they were in the middle of trying to get SOX compliant. The single biggest change for users of course was File security, Password complexity and automatic screen-locking. Just about everyone complained and said that this was a small(ish) company and nobody would even think of malicious activity. The single most effective response was to tell them I would bypass their account from these policies if they took out their Credit Card, Drivers License and Keys and left them sitting on their desks all day. Not one took me up on the offer or argued further.

    Anyway Dynamik what you really need is for Management to sign off on the current process if they won't improve things. Send (and copy) a mail detailing the proper way to do it, and also the current way where you would need to keep a definitive list of user passwords (include how the users are responsible for telling you when these change and also who is authorized to gain them from you). They may or may not reply but have it recorded somewhere safe that you advised them clearly of the risks and proposed a solution in case there are ever any future ramifications and you get caught in the blame-storm.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • vCole Member Posts: 1,573
    I put the password in for them, let them get the file & then make sure they log off.
  • Claymoore Member Posts: 1,637
    Have you looked into SharePoint? WSS 3.0 is a free download...

    If your users used SharePoint as a file repository instead of Outlook, then they wouldn't need access to other people's mailboxes (or desktops). Everything would be available on SharePoint and your problem is solved. Other than breaking habits and getting people used to using SharePoint, of course. You would probably get more buy-in from management if you gave them an alternate solution rather than just telling them 'No'.

    Dynamik, I feel your pain. When I came to my current company as a consultant a few years ago, managers had access to all their employees' home drives and mailboxes. When I implemented Exchange 2003, I told them the ability to share mailboxes wasn't supported anymore (wink wink). However, an administrator could get access to a mailbox if there were ever an issue and we would just need a request from HR for documentation. In 5 years I have had 4 requests. Using HR to justify why they needed access shielded IT and effectively stopped the requests. We knew the managers were really just spying on their people and that there was no real business case for granting them access to the mailboxes.

    We changed how they accessed the Home Drives as well. I migrated to a new file server a couple of years ago and I reorganized how the department and home drive folders were kept. After that was complete, I told the department managers that I needed updated org charts in order to grant access to the Home drives to the correct managers and supervisors. Only two managers responded. Guess access to the home drives just wasn't as important as everyone originally believed.
  • darkuser Member Posts: 620
    i just found the password

    id10+t
    rm -rf /
  • cacharo Member Posts: 361
    Being that it is a small company quoting policy may not get him far. I would try to have a rational, realistic conversation with leaders or management. I am sure you have done this already but I will provide a few scenarios that immediately popped into my head. Say the manager gave his password to someone who used it to give away proprietary information, sexually harass someone, or simply read everything they have sent and used it to blackmail them. They have to realize that it is a terrible idea, one that could very easily lose them their job. And sooner or later it will.

    Bottom line is they have to have the truth shown to them. With your Google skills you should be able to pull up enough real-life security violations that fit exactly into what they are doing.

    Could you create a communal email box that people could copy any emails that others need to be included in? We have personal and communal boxes here since we also run lean and it really helps.
    Treat people as if they were what they ought to be, and you help them become what they are capable of being.
  • Mishra Member Posts: 2,468
    We just want to help YOU for once since you help everyone else out so much! lol
    My blog http://www.calegp.com

    You may learn something!
  • darkuser Member Posts: 620
    darkuser wrote:
    i just found the password

    id10+t

    just to clarify i mean your users
    not you, you're a good guy
    and i identify with your situation

    but the pretty secretaries don't care about the p/w until
    their credit card gets stolen

    then you'll have a backlash OMG how COULD this happen ??????
    why weren't YOU doing YOUR job

    you have to look at it this way
    you have to protect people who are incapable of protecting themselves
    rm -rf /
  • dynamik Banned Posts: 12,312
    Mishra wrote:
    We just want to help YOU for once since you help everyone else out so much! lol

    Oh, and I definitely appreciate it! Everyone has given fantastic advice. Maybe I was more just venting than looking for an actual solution.

    I think if one of you started working here, your head would implode. You would have to ease into it like I did in order to maintain your sanity (I transitioned over in a merger from another computer).

    This place is unlike anything you've ever imagined. Sexual harassment? Like when one of our installers walks by the owner's assistant and says, "Tall and slender, I'd like to bend her," and then everyone laughs (don't worry, she's fine with it and does it back to him)? Or when the owner had the bachelor party for one of his employees here? We still find AAA Classic Dancer magnets stuck behind file cabinets, etc. It doesn't bother anybody.

    But the laid-back attitude and lack of structure wreak havoc when it comes to the business. Nothing is organized, everyone is constantly rushing around, etc. It adds a lot of unnecessary stress. I'm not worried about malicious users either. This is a tight-knit group that's been together for years. The whole situation just irks me.
  • rfult001 Member Posts: 407
    Set up a file server, tell people to save their crap there, and give people appropriate access to folders. If you are running IBM Domino or Microsoft Exchange for email, people should be able to delegate access to email accounts. This way there are no excuses.
  • cacharo Member Posts: 361
    dynamik wrote:

    It doesn't bother anybody.

    I'm not worried about malicious users either.

    This is a tight-knit group that's been together for years. The whole situation just irks me.

    It just takes one. But some things are not under your control. Good thing it's not your butt on the line (dependent on how big the suit is)
    Treat people as if they were what they ought to be, and you help them become what they are capable of being.
  • Mishra Member Posts: 2,468
    Try to implement finger readers or smart cards for authentication?
    My blog http://www.calegp.com

    You may learn something!
  • Tyrant1919 Member Posts: 519
    Mishra wrote:
    Try to implement finger readers or smart cards for authentication?

    I'd assume implementing any of those in a small organization wouldn't work too good.
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • Mishra Member Posts: 2,468
    Tyrant1919 wrote:
    Mishra wrote:
    Try to implement finger readers or smart cards for authentication?

    I'd assume implementing any of those in a small organization wouldn't work too good.

    Why? Price? I've never really done anything with them.
    My blog http://www.calegp.com

    You may learn something!
  • Slowhand Mod Posts: 5,161
    Strategies for preventing password-sharing between users? Have you thought of using a rolled-up newspaper, or maybe shock-collars. . .

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • Tyrant1919 Member Posts: 519
    Mishra wrote:
    Why? Price? I've never really done anything with them.

    I don't think fingerprint scanners support logging into a domain. Without some pricey third party solution at least probably.

    Price for smart cards would suck too, not to mention the increased overhead with managing the certificates and what not.

    Although I do miss logging into my computer with my Smart card while I was in the Chair Force :^(. Reminds me....

    "Customer Support this is Airman Winters speaking how may I help you?"
    "Yes I'm trying to logon to my computer with my CAC, and it's saying my certificate has expired"
    "When does your CAC expire sir?"
    "Oh, let me check. Hey, it expires today."
    "You'll have to get a new one sir."
    "Alrighty thanks!"
    A+/N+/S+/L+/Svr+
    MCSA:03/08/12/16 MCSE:03s/EA08/Core Infra
    CCNA
  • Sie Member Posts: 1,195
    Mishra wrote:
    Try to implement finger readers or smart cards for authentication?

    I was going to suggest this but then the cost implications may be too great for a small company, and if the management aren't going to enforce Security Practices then they aren't going to shell out for additions like this.

    I would just limit them as much as possible, users can only access from their own machine etc.

    Or if you're feeling particularly mean and have access to the rota you can always just produce a script to disable accounts of the people not present on that day. And have it re-enabled the next time they are in

    Unfortunately without management backing you cannot stop anyone telling another user their password, lending them their smartcard etc all you can do is restrict it as much as possible / you are prepared to do.
    Foolproof systems don't take into account the ingenuity of fools
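Two points in this thread can be turned into a log check: cisco_trooper's warning that once a password is shared the security logs no longer tell you who was at the keyboard, and Sie's idea of tying each user to their own machine. The following Python is an added example written for this thread, not code from any poster; the logon records, the account-to-workstation assignment and the 8-hour window are all constructed assumptions.

```python
"""Spot signs of a shared password in Windows logon records (added example,
not code from this thread)."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed export of Security-log event 4624 (successful logon), reduced
# to: time, event id, account, workstation, logon type.
SAMPLE_LOG = """\
2008-06-02 08:55:10,4624,jsmith,WS-JSMITH,2
2008-06-02 09:12:44,4624,jsmith,WS-ASST01,2
2008-06-02 09:20:03,4624,mlee,WS-MLEE,2
2008-06-02 13:40:00,4624,mlee,WS-MLEE,7
2008-06-02 14:05:30,4624,bchen,WS-BCHEN,2
2008-06-02 14:06:00,4624,bchen,FILESRV01,3
2008-06-02 15:00:00,4624,rkhan,WS-RKHAN,2
2008-06-02 15:30:00,4624,rkhan,WS-RECEPTION,10
2008-06-03 09:00:00,4624,rkhan,WS-RKHAN,2
"""

# Assumed account-to-workstation assignment; rkhan has none recorded.
ASSIGNED = {"jsmith": "WS-JSMITH", "mlee": "WS-MLEE", "bchen": "WS-BCHEN"}

# Logon types where a person is at the keyboard: console, unlock, RDP,
# cached interactive. Type 3 (network, e.g. opening a share) is normal.
INTERACTIVE = {2, 7, 10, 11}


def parse_log(text):
    """Return (time, account, workstation, logon_type) tuples, oldest first."""
    events = []
    for row in csv.reader(StringIO(text)):
        if row[1] != "4624":
            continue
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        events.append((when, row[2].lower(), row[3].upper(), int(row[4])))
    return sorted(events)


def shared_credential_signs(events, assigned, window=timedelta(hours=8)):
    """Map each suspicious account to a set of findings:
    ("wrong_workstation", ws)  interactive logon on a machine not assigned
    ("two_machines", a, b)     interactive logons on a, then b, within window
    """
    findings = defaultdict(set)
    recent = defaultdict(list)  # account -> [(time, workstation)] in window
    for when, account, ws, logon_type in events:
        if logon_type not in INTERACTIVE:
            continue
        home = assigned.get(account)
        if home and ws != home:
            findings[account].add(("wrong_workstation", ws))
        recent[account] = [(t, w) for t, w in recent[account] if when - t <= window]
        for _, earlier_ws in recent[account]:
            if earlier_ws != ws:
                findings[account].add(("two_machines", earlier_ws, ws))
        recent[account].append((when, ws))
    return dict(findings)


if __name__ == "__main__":
    hits = shared_credential_signs(parse_log(SAMPLE_LOG), ASSIGNED)
    for account, reasons in sorted(hits.items()):
        for reason in sorted(reasons):
            print(account, *reason)
```

A hit is a prompt for a conversation, not proof: the same pattern appears when someone legitimately hot-desks, which is exactly why the assignment list needs to be kept current.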
  • Claymoore Member Posts: 1,637
    Slowhand wrote:
    Strategies for preventing password-sharing between users? Have you thought using a rolled-up newspaper, or maybe shock-collars. . .

    Calm, assertive energy should be all you need, but one of these may help.
  • sprkymrk Member Posts: 4,884
    Just make it a little painful for them in the name of security. When someone needs Joe's password, go ahead and give it to them. Make a reminder to yourself that pops up at the end of the day. Right before you leave, set that user's account (joe) to "User must change password at next logon". Do that every time someone needs a password. Make like it's an automatic thing for security. Pretty soon Joe won't want you to give out his password to anyone.
    All things are possible, only believe.