Password management

Has anyone got a good reference for best practice for user password management in an enterprise environment?

I am especially interested in whether or not it's a good idea for admins to know all the user's passwords.

I have googled it, and found a few articles, but none are from sources that I would consider authorative.

Thanks.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

dynamik

steve_f wrote:

I am especially interested in whether or not it's a good idea for admins to know all the user's passwords.

Absolutely not; you lose non-repudiation.

What other questions do you have?

TechBoy22

I would not agree with that idea to know everyone's password as it goes against their privacy. Besides, you can always remotely get into their account from the admin account if they forget their password on Windows XP. The best management is to make them knowlegable on password security and the best ways to implement that.

steve_f

Thanks for the quick reply.

I see your point.

We are exposed to accusations of logging in as someone else.
And if a user is accused of doing something untoward, they can say "It could have been anyone in IT, they have our passwords"

I'm wondering whether to mention this to my manager. I m 2nd line support. My manager is the network admin, and his boss is the CIO. They may be hesitant to change our policy as it has been like this here since the company got computers 20 years ago.

The users know we know their passwords. They offer them up to us as soon as we come over to them. Some of them, I'm sure they'd give my their bank account details if I asked them. They call us and make requests like "Could you log in as me and set my out of office" and "could you log in as me and archive my emails" These have always been acceptable requests here.

Has anyone a decent source that I can show my boss about this? It doesn't have to be a weblink, could be a book.

I am getting this for Xmas: http://www.amazon.co.uk/Practice-System-Network-Administration/dp/0321492668/ref=wl_it_dp?ie=UTF8&coliid=IRTDMJMH6JZF4&colid=1HJFQXMAPSSLB

I am confident in my technical skills, but would like to increase my knowledge of real world best practices.

blargoe

This is a horrible practice. I can say this as someone that worked for a company that followed this practice. We also didn't have password complexity requirements, and didn't allow users to change their passwords. It was painful to change, but we finally did... but the manager responsible for the previous policy was let go first.

JUST ABOUT anything these users request can be done without logging in as them. Not quite everything, but most. For example, your Exchange admin can delegate the rights to someone to connect to someone's mailbox, and that person can set people's out of office.

Maybe if you could find some stories or articles on how companies with lax password policies have gotten in trouble because of it... if you can attach $$$$$$ to it, decision makers will always listen.