Password management

steve_f Member Posts: 97
Has anyone got a good reference for best practice for user password management in an enterprise environment?

I am especially interested in whether or not it's a good idea for admins to know all the user's passwords.

I have googled it, and found a few articles, but none are from sources that I would consider authoritative.

Thanks.

Comments

  • dynamik Banned Posts: 12,312
    steve_f wrote:
    I am especially interested in whether or not it's a good idea for admins to know all the user's passwords.

    Absolutely not; you lose non-repudiation.

    What other questions do you have?
  • TechBoy22 Member Posts: 81
    I would not agree with that idea to know everyone's password as it goes against their privacy. Besides, you can always remotely get into their account from the admin account if they forget their password on Windows XP. The best management is to make them knowledgeable on password security and the best ways to implement that.
    Michael
    _______________________________________

    Dreams are made up of small ideas with BIG pictures. Focus is the key that unlocks the door to success.
  • steve_f Member Posts: 97
    Thanks for the quick reply.

    I see your point.

    We are exposed to accusations of logging in as someone else.
    And if a user is accused of doing something untoward, they can say "It could have been anyone in IT, they have our passwords"

    I'm wondering whether to mention this to my manager. I'm 2nd line support. My manager is the network admin, and his boss is the CIO. They may be hesitant to change our policy as it has been like this here since the company got computers 20 years ago.

    The users know we know their passwords. They offer them up to us as soon as we come over to them. Some of them, I'm sure they'd give me their bank account details if I asked them. They call us and make requests like "Could you log in as me and set my out of office" and "could you log in as me and archive my emails". These have always been acceptable requests here.

    Has anyone a decent source that I can show my boss about this? It doesn't have to be a weblink, could be a book.

    I am getting this for Xmas: http://www.amazon.co.uk/Practice-System-Network-Administration/dp/0321492668/ref=wl_it_dp?ie=UTF8&coliid=IRTDMJMH6JZF4&colid=1HJFQXMAPSSLB

    I am confident in my technical skills, but would like to increase my knowledge of real world best practices.
  • blargoe Member Posts: 4,174
    This is a horrible practice. I can say this as someone that worked for a company that followed this practice. We also didn't have password complexity requirements, and didn't allow users to change their passwords. It was painful to change, but we finally did... but the manager responsible for the previous policy was let go first.

    JUST ABOUT anything these users request can be done without logging in as them. Not quite everything, but most. For example, your Exchange admin can delegate the rights to someone to connect to someone's mailbox, and that person can set people's out of office.

    Maybe if you could find some stories or articles on how companies with lax password policies have gotten in trouble because of it... if you can attach $$$$$$ to it, decision makers will always listen.
    IT guy since 12/00

    Recent: 11/2019 - RHCSA (RHEL 7); 2/2019 - Updated VCP to 6.5 (just a few days before VMware discontinued the re-cert policy...)
    Working on: RHCE/Ansible
    Future: Probably continued Red Hat Immersion, Possibly VCAP Design, or maybe a completely different path. Depends on job demands...
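The two points raised above, that shared passwords destroy non-repudiation and that "set my out of office" type requests can be met by delegation rather than by logging in as the user, can be shown concretely in the Exchange Management Shell. The following is an added example, not code posted by anyone in this thread and not vendor documentation; it assumes an Exchange 2010-or-later on-premises shell session, and the mailbox `jane.doe@example.com` and help-desk account `helpdesk.ops` are constructed placeholders. With this approach the help-desk technician signs in with their own credentials, so the mailbox audit log records who actually performed the action.

```powershell
# Added example (not from the thread): delegate mailbox access and set an
# out-of-office reply on a user's behalf without ever knowing their password.
# Assumes an Exchange Management Shell (Exchange 2010 or later).
# Both identities below are constructed placeholders.
param(
    [string]$Mailbox  = 'jane.doe@example.com',  # placeholder user mailbox
    [string]$Delegate = 'helpdesk.ops'           # placeholder help-desk account
)

# 1. Grant the help-desk account Full Access to the mailbox. The delegate
#    authenticates as itself, so actions are attributable to the delegate,
#    not to the user (this is what preserves non-repudiation).
Add-MailboxPermission -Identity $Mailbox -User $Delegate `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 2. Turn on mailbox audit logging and record what delegates do in it.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditDelegate Update,SoftDelete,HardDelete,SendAs,SendOnBehalf

# 3. Set the out-of-office reply administratively. Nobody has to "log in as"
#    the user for this; the cmdlet runs under the administrator's own account.
Set-MailboxAutoReplyConfiguration -Identity $Mailbox -AutoReplyState Enabled `
    -InternalMessage 'I am out of the office until Monday.' `
    -ExternalMessage 'I am out of the office until Monday and will reply on my return.'

# 4. Verify the delegation and the auto-reply state.
Get-MailboxPermission -Identity $Mailbox |
    Where-Object { $_.User -like "*$Delegate*" } |
    Select-Object Identity, User, AccessRights
Get-MailboxAutoReplyConfiguration -Identity $Mailbox |
    Select-Object Identity, AutoReplyState

# 5. Later, show management who did what in the mailbox: delegate logons are
#    listed separately from the owner's own actions.
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, OperationResult
```

The point for the decision makers in this thread is step 5: with a shared password, every entry in that log would show the user as the actor and "it could have been anyone in IT" is an unanswerable defence; with delegation, the log names the technician. Scoping the permission (for example to a help-desk group rather than individual accounts, or to a narrower role through Exchange RBAC) is a policy choice and not shown here.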