Any strategies for dealing with users sharing passwords?

dynamik

We're a small company of about 30 people, and sometimes a person needs to access someone else's machine (i.e. to get an email attachment while the other person is in a meeting or out sick). It seems like I'm being asked for someone's password every other day, and everyone is always shocked that I don't keep a list of all of them.

Anyway, there's no getting around it because I can't stop them. I'm just wondering if any of you have had to deal with a situation like this before and what strategies you have employeed to minimize the security vulnerability. Maybe I should just keep a list in True Crypt or something. If I don't, it's probably only a matter of time before someone starts one on a sticky note near their desk...

cisco_trooper

You need managements backing here. They share a password they get written up. They do it again they get fired. End of story.

BUT, you won't be successful without management on your side.


EDIT:
There is not a single good reason I can think of that anyone should ever need anyone elses password. This is what security groups, access rights, and permissions are for. If they need access to something they need to be given access to it through their own account.

dynamik

Management and their assistants are the primary culprits. No one else cares about anyone else's stuff.

cisco_trooper

Just tell them you don't know the passwords. If things are implemented correctly, this is not untrue.

If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone elses password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

I would be coming unglued if I were in your spot. This is not an issue to take lightly.

Mishra

"If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone elses password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

I would be coming unglued if I were in your spot. This is not an issue to take lightly."

I like this and would just like to improve on his post.

I would schedule meetings with management or mention it in other meetings. If you bring up your concern with genuine worry and have a solution presented to fix the problem then you are going to look better among your management team. Make sure you have taken notes and look organized when you present the issue.

You want to become a part of security from what I know so this will make you look good in that area.

dynamik

cisco_trooper wrote:

EDIT:
There is not a single good reason I can think of that anyone should ever need anyone elses password. This is what security groups, access rights, and permissions are for. If they need access to something they need to be given access to it through their own account.

We work on insane schedules, and if a file is stuck on someone's desktop or in their email, we're screwed. Obviously things like this could be avoided, but sometimes people just don't plan ahead.

cisco_trooper wrote:

Just tell them you don't know the passwords. If things are implemented correctly, this is not untrue.

I do, but they just call the other user something.

cisco_trooper wrote:

If they persist then I suggest you get a meeting scheduled with them regarding company security and your concerns. I personally don't want to know anyone elses password. This defeats non-repudiation. If they know a certain employee's password, and that employee then does malicious activity, you can't prove it was said employee with just security logs.

This place is kind of a circus. I actually have no idea how we stay in business (besides my l33t IT skills of course). Management does whatever the hell it wants. There are no policies for things like this, and even if there were, they'd just be ignored. I appreciate where you're coming from, but I know all of that, believe me. I'm just looking for a way (if any even exists) to contain this as much as possible.

cisco_trooper wrote:

I would be coming unglued if I were in your spot. This is not an issue to take lightly.

You have no idea.

edit: Mishra, I completely agree, but like I said earlier, none of that applies to this goofball organization. I'm not looking for best practices or anything like that. I already know those. I guess I just need a straight-jacket or something.

undomiel

Looks like dynamik came unglued a long time ago and is now numb to it.

It doesn't sound like there is much you can do, but maybe next time they ask for someone's password you can suggest an alternative solution whenever possible. Or see if you can find any hoops to make them jump through so that they'll wonder if they really needed that password right then.

Or move to Phoenix, live with snadam for 6 months, and take your pick of the jobs over here.

darkuser

the best strategy would be an "acceptable use" policy
forbiding it.

then enforce said policy

http://www.sans.org/resources/policies/Acceptable_Use_Policy.pdf

cisco_trooper

Damn man, I don't know. People need to quit saving things to their desktop. That is retarded on their part anyway. Ask them how happy they are going to be when they lose everything because they didn't save it on the network drive you gave them.

You may need to PUSH them in the right direction. That means you schedule the same meeting more than once if necessary until they learn the error of their ways.

I generally refuse to have an emergency due to someone else's poor planning and refusal to take my suggestions. I will sit back and wait for it to bite them then say I told you so with a smile on my face. But then again I have an aggressive demeanor so that my not work out too well for you. Just sayin.

dynamik

I appreciate everyone's responses, but it doesn't look like there's any realistic solution to this. Even if those policies were applied and followed, it'd just result in having the management fire themselves and their assistants, and then we'd all be unemployed and starve. I'll just let them keep doing what they're doing I guess.

Actually, I've come up with a solution that just might work though

It's called: F-It, I'm moving to Phoenix!

Snadam, PM me your address...

cisco_trooper

Oh yeah, you can lock desktops so the user can't even interact with it via group policy....

Mishra

"edit: Mishra, I completely agree, but like I said earlier, none of that applies to this goofball organization. I'm not looking for best practices or anything like that. I already know those. I guess I just need a straight-jacket or something."

Sometimes I post stuff and get the general answers too so I know what you mean. But I thought that maybe saying that you should present the idea professionally until they tell you personally that they don't care might score you bonus points.

If you want to pursue it further even though your company doesn't care, then you need to make sure no one has administrative rights on a machine. If UserB gets Privledged UserA's password and wants to do something malicious then he could log onto UserA's machine and use their access or simply destroy their machine. I would try to address that.

cisco_trooper

Don't give up yet.

You can get this done, but you are just going to put it in terms that is going to strike them as good for the business. If they still don't think it is a good idea then they aren't very good business people and will likely fail in time.

If implemented correctly, no one has a need for anyone's password anymore, and they can quit asking, and quit trying to figure out how they are going to get on PersonAs machine to get the document they needed today, but PersonA called in dead or called in rich or whatever. They will be able to focus more on company initiatives and sales and marketing or whatever it is they do.

Strongly encourage the use of network drives, get management's backing, then lock the desktops so they can't save crap there anymore. Redirect MyDocuments to a server location. Assign rights so that management can at least read people's network files.

Ahriakin

I started with my current company about 20 months ago. Security was next to non-existent also and they were in the middle of trying to get SOX compliant. The single biggest change for users of course was File security, Password complexity and automatic screen-locking. Just about everyone complained and said that this was a small(ish) company and nobody would even think of malicious activity. The single most effective response was to tell them I would bypass their account from these policies if they took out their Credit Card, Drivers License and Keys and left them sitting on their desks all day. Not one took me up on the offer or argued further.

Anyway Dynamik what you really need is for Management to sign off on the current process if they won't improve things. Send (and copy) a mail detailing the proper way to do it, and also the current way where you would need to keep a definitive list of user passwords (include how the users are responsible for telling you when these change and also who is authorized to gain them from you). They may or may not reply but have it recorded somewhere safe that you advised them clearly of the risks and proposed a solution in case there are ever any future ramifications and you get caught in the blame-storm.

vCole

I put the password in for them, let them get the file & then make sure they log off.

Claymoore

Have you looked into Sharepoint? WSS 3.0 is a free download...

If your users used Sharepoint as a file repository instead of Outlook, then they wouldn't need access to other people's mailboxes (or desktops). Everything would be available on Sharepoint and your problem is solved. Other than breaking habits and getting people used to using Sharepoint, of course. You would probably get more buy-in from management if you gave them an alternate solution rather than just telling them 'No'.

Dynamik, I feel your pain. When I came to my current company as a consultant a few years ago, managers had access to all their employee's home drives and mailboxes. When I implemented Exchange 2003, I told them ability to share mailboxes wasn't supported anymore (wink wink). However, an administrator could get access to a mailbox if there were ever an issue and we would just need a request from HR for documentation. In 5 years I have had 4 requests. Using HR to justify why they needed access shielded IT and effectively stopped the requests. We knew the managers were really just spying on their people and that there was no real business case for granting them access to the mailboxes.

We changed how they accessed the Home Drives as well. I migrated to a new file server a couple of years ago and I reorganized how the department and home drive folders were kept. After that was complete, I told the department managers that I needed updated org charts in order to grant access to the Home drives to the correct managers and supervisors. Only two managers responded. Guess access to the home drives just wasn't as important as everyone originally believed.

darkuser

i just found the password

id10+t

cacharo

Being that it is a small company quoting policy may not get him far. I would try to have a rational, realistic conversation with leaders or management. I am sure you have done this already but I will provide a few scenarios that immediately popped into my head. Say the manager gave his password to someone who used it to give away proprietary information, sexually harass someone, or simply read everything they have sent and used it to blackmail them. They have to realize that it is a terrible idea, one that could very easily lose them their job. And sooner or later it will.

Bottom line is they have to have have the truth shown to them. With your google skills you should be able to pull up enough real-life security violations that fit exactly into what they are doing.

Could you create a communal email box that people could copy any emails that others need to be included in? We have personal and communal boxes here since we also run lean and it really helps.

Mishra

We just want to help YOU for once since you help everyone else out so much! lol

darkuser

darkuser wrote:

i just found the password

id10+t

just to clarify i mean your users
not you your're a good guy
and i identify with your situation

but the pretty secratarys dont care about the p/w until
their credit card gets stolen

then youll have a backlash OMG how COULD this happen ??????
why werent YOU doing YOUR job

you have to look at it this way
you have to protect people who are incapable of protecting themselves

dynamik

Mishra wrote:

We just want to help YOU for once since you help everyone else out so much! lol

Oh, and I definitely appreciate it! Everyone has given fantastic advice. Maybe I was more just venting than looking for an actual solution.

I think if one of you started working here, your head would implode. You would have to ease into like I did in order to maintain your sanity (I transitioned over in a merger from another computer).

This place is unlike anything you've ever imagined. Sexual harassment? Like when one of our installers walks by the owner's assistant and says, "Tall and slender, I'd like to bend her," and then everyone laughs (don't worry, she's fine with it and does it back to him)? Or when the owner had the bachelor party for one of his employees here? We still find AAA Classic Dancer magnets stuck behind file cabinets, etc. It doesn't bother anybody.

But the laid-back attitude and lack of structure wreak havoc when it comes to the business. Nothing is organized, everyone is constantly rushing around, etc. It adds a lot of unnecessary stress. I'm not worried about malicious users either. This is a tight-knit group that's been together for years. The whole situation just irks me.

rfult001

Set up a file server, tell people to save their crap there, and give people appropriate access to folders. If you are running IBM Domino or Microsoft Exchange for email, people should be able to delegate access to email accounts. This way there are no excuses.

cacharo

dynamik wrote:

It doesn't bother anybody.

I'm not worried about malicious users either.

This is a tight-knit group that's been together for years. The whole situation just irks me.

It just takes one. But some things are not under your control. Good thing its not your butt on the line (Dependant on how big the suit is)

Mishra

Try to implement finger readers or smart cards for authentication?

Tyrant1919

Mishra wrote:

Try to implement finger readers or smart cards for authentication?

I'd assume implementing any of those in a small organization wouldn't work too good.

Mishra

Tyrant1919 wrote:

Mishra wrote:

Try to implement finger readers or smart cards for authentication?

I'd assume implementing any of those in a small organization wouldn't work too good.

Why? Price? I've never really done anything with them.

Slowhand

Strategies for preventing password-sharing between users? Have you thought using a rolled-up newspaper, or maybe shock-collars. . .

Tyrant1919

Mishra wrote:

Why? Price? I've never really done anything with them.

I don't think fingerprint scanners support logging into a domain. Without some pricey third party solution at least probably.

Price for smart cards would suck too, not too mention the increased overhead with managing the certificates and what not.

Although I do miss logging into my computer with my Smart card while I was in the Chair Force :^(. Reminds me....

"Customer Support this is Airman Winters speaking how may I help you?"
"Yes I'm trying to logon to my computer with my CAC, and it's saying my certificate has expired"
"When does your CAC expire sir?"
"Oh, let me check. Hey, it expires today."
"You'll have to get a new one sir."
"Alrighty thanks!"

Sie

Mishra wrote:

Try to implement finger readers or smart cards for authentication?

I was going to suggest this but then the cost implications may be too great for a small company, and if the management arnt going to enforce Security Practices then they arnt going to shell out for additions like this.

I would just limit them as much as possible, users can only access from their own machine etc.

Or if your feeling particularly mean and have access to the rota you can always just produce a script to disable accounts of the people not present on that day. And have it re-enabled the next time they are in

Unfortuantly without management backing you cannot stop anyone telling another user their password, leanding them their smartcard etc all you can do is restrict it as much as possible / you are prepared to do.

Claymoore

Slowhand wrote:

Strategies for preventing password-sharing between users? Have you thought using a rolled-up newspaper, or maybe shock-collars. . .

Calm, assertive energy should be all you need, but one of these may help.

sprkymrk

Just make it a little painful for them in the name of security. When someone needs Joes password, go ahead and give it to them. Make a reminder to your self that pops up at the end of the day. Right before you leave, set that users account (joe) to "User must change password at next logon". Do that every time someone needs a password. Make like its an automatic thing for security. Pretty soon Joe won't want you to give out his password to anyone.