Password Security?
-
@Carnival-Boy said:
@scottalanmiller said:
It's only so surprising since they know that you have his password and can do that. It's not surprising that you won't do it, but for them to assume that that is a primary reason for why you keep his password is not really much of a stretch.
You're confusing users with domain administrators. I have access to all company data because I'm the IT manager. Users don't because they're users. There's a very clear distinction. You're treating them the same.
Am I? In what way? They know that you have the user's password. They want you to act as the user. What does this have to do with the domain admin?
-
@Carnival-Boy said:
@Dashrender said:
Also, while this is outside the scope of this conversation, why didn't Bob set up someone to have access to those emails, or put rules in place, etc. to allow things to be taken care of during his absence? (short of unexpected illness)
This is what annoys me. I go to a lot of effort to make sure everything is covered when I go on holiday, yet other managers do nothing when they go away (out of laziness in all probability). Yet when the shit hits the fan, I'm expected to sort everything out. I have to organise my own holidays and everybody else's.
Sorry, rant over.
Yeah, not exactly fair. HR should keep that on a more even keel. But, bottom line, you are probably more critical than normal staff.
-
@scottalanmiller said:
You try to scare them yet when we pointed out the risk in this thread, you dismissed it. Why do you dismiss it with you sharing their passwords and not with them sharing with each other?
I'm not dismissing anything. I started this thread saying I'm seeking to be proven wrong. I'm skeptical of the legal risks and since none of us are legal experts or have any real world examples, I remain skeptical.
What I do know of the law (mainly learnt through reading John Grisham and watching Law & Order) is that a defence has to be not only technically possible but credible. It's possible, for example, that the IT Manager logged on to your PC and downloaded loads of porn, but is it credible?
Answer me this, why is the defence "the IT Manager knows my password because I told him it therefore he could have done it" acceptable, but "the IT Manager knows my password because he used a brute force attack to find out what it is" not acceptable? Both are technically possible. I've seen penetration tests where user passwords are discovered in like 5 minutes.
-
@scottalanmiller said:
@Carnival-Boy said:
@scottalanmiller said:
Why is the domain admin password written down? Is this a break-glass system for turning over admin access to a third party?
Essentially, yes. I've read tons of stories of networks getting compromised, usually as part of a penetration test. I haven't actually done a pen test here, but I've no doubt that our network could get compromised. What I haven't heard though, is networks getting compromised via a KeePass database (or similar password management tool). Those products seem pretty robust. That doesn't appear to be the weak link in our security.
KeePass is pretty secure. But how it is used is what matters. Are you the only one with access to it? If so, isn't that a point of fragility? If not, that's a lot of password exposure. Are you confident that no one is writing down the KeePass password?
KeePass is great, I just wouldn't keep the one master domain password there.
I keep a few passwords in the one I maintain. The break-glass plan as you put it earlier for me is a sealed envelope in a fireproof safe that I check regularly. Even has a break seal attached so I know if it's been used without my knowledge.
-
@Carnival-Boy said:
How does your break-glass system work? I'm not sure whether it's a good idea to publish my security policy on a public forum, but sod it. I may delete this post in a couple of days:
I have 3 Domain Admin accounts. One is for my use. One is used by our MSP (which they write down, I don't know where they write it down exactly), and one is for emergency use (eg I get run over by a bus). The emergency one is stored in KeePass. Two other people have access to the KeePass database, and the KeePass password is written down (yes, it is written down!) and stored in the safe.
I used to just store the Domain Admin password in the safe, but it occurred to me that we have lots of other accounts that would be a real pain to recover if I ever disappeared. So it seemed better to just give my emergency users access to my KeePass file - that way they have everything.
If you use your attorney (as in your example), how do they remember the password without writing it down?
The Domain Admin accounts are configured to e-mail me whenever they are used, so if they are ever used when I'm not expecting them to be, it immediately arouses my suspicion and I may go into lock-down mode.
I'd be interested in any improvements to this. I don't like writing anything down, but I just haven't figured out a way of working without it (yet) and nothing on this thread has so far demonstrated how I can get away without writing anything down.
I sort of do this as well, but the KeePass credentials are not the same as the network / domain passwords. That info the person who is instructed to open the fireproof box does not know until they break the seal on the envelope to obtain the most recent password for that KDB file. And that password is even changed every couple of months.
-
@scottalanmiller said:
Am I? In what way? They know that you have the user's password. They want you to act as the user. What does this have to do with the domain admin?
Best example I can think of - I'll give my banking details to my bank manager, but I wouldn't give them to my neighbor. I trust my bank manager with my bank details because that's kind of his job - to protect my money.
I'd also expect my boss to keep a close eye on me, as the keeper of data, for good governance. I don't expect him to have the same level of oversight with users, because they should have less access. The company knows I have access to all company data, and they mitigate the risks accordingly.
-
@Bill-Kindle said:
That info the person who is instructed to open the fireproof box does not know until they break the seal on the envelope to obtain the most recent password for that KDB file. And that password is even changed every couple of months.
Same here.
-
Who down voted my post? I'm only kicking round a few ideas here, saying what I do, and trying to pick up a few tips on how I can improve. I'm not out to piss anyone off. There's no need for down voting, surely?
-
@Carnival-Boy said:
Who down voted my post? I'm only kicking round a few ideas here, saying what I do, and trying to pick up a few tips on how I can improve. I'm not out to piss anyone off. There's no need for down voting, surely?
Wasn't me. Does the activity feed tell you? I see when people upvote. Never paid attention but I bet downvotes are there too.
-
@Carnival-Boy said:
@scottalanmiller said:
Am I? In what way? They know that you have the user's password. They want you to act as the user. What does this have to do with the domain admin?
Best example I can think of - I'll give my banking details to my bank manager, but I wouldn't give them to my neighbor. I trust my bank manager with my bank details because that's kind of his job - to protect my money.
I'd also expect my boss to keep a close eye on me, as the keeper of data, for good governance. I don't expect him to have the same level of oversight with users, because they should have less access. The company knows I have access to all company data, and they mitigate the risks accordingly.
Okay, I'll agree with that. Not sure about the bank manager bit, but the boss and oversight bit. A bank manager has strict monitoring and regulations that oversee him because they don't really trust him either. But that you are viewed as a risk and monitored extra because of that makes some sense.
-
@Carnival-Boy said:
What I do know of the law (mainly learnt through reading John Grisham and watching Law & Order) is that a defence has to be not only technically possible but credible. It's possible, for example, that the IT Manager logged on to your PC and downloaded loads of porn, but is it credible?
Very credible if the business wanted someone fired and needed a reason. Is it credible to think that someone would do that at work? They do, but it's pretty crazy.
If the goal is to commit a crime (steal money, defame a third party, etc.) using someone, anyone, else's identity can be very useful. It depends on the end action, surely. But in the US, at least, the difference between an account being an "identity" account and it being a "shared" account is pretty big. In this case, that's not "his" account but it is an account that he shared equally with you.
-
@scottalanmiller said:
In this case, that's not "his" account but it is an account that he shared equally with you.
Absolutely not the same thing at all. But if you're going down that route then your statement applies to every time the IT guy logs in as the user. Resetting the password makes no difference, you're still logging in as that user. The "IT guy did it" defence simply becomes "the IT guy must have reset my password, logged in as me, done the deed, then reset my password".
Every time any support guy makes a desktop sharing session to do some work he is technically logged in as that user.
-
@scottalanmiller said:
Wasn't me. Does the activity feed tell you? I see when people upvote. Never paid attention but I bet downvotes are there too.
No. It doesn't tell you. I can't be doing with this - I'm always very open and honest on forums but I'm just too sensitive I'll end up leaving the community, a pale shadow of my former self, my self-esteem shredded.
-
I'll just throw it out there - I wasn't the one who down voted it either. I'm surprised the system tells you who upvoted but not downvoted - are we going for the eBay way of positive only remarks?
Carnival Boy - We've given you the reasons why we think you shouldn't share passwords, even with IT personnel (even worse, IT shouldn't write them down). Can you flip this on its ear and show us how it's not a security risk by sharing?
The main thing I've picked up from pro password lists people is simplicity for themselves - but I ask, is that the job of IT? They don't want to have to deal with users calling to reset passwords, IT wants to work after hours, etc. While I can understand we want to keep employees as productive as possible, rarely are they not responsible for whatever you're fixing on their machines. Having them around to answer questions and to learn what it takes to fix the problems they make should be beneficial to all, no?
-
@Carnival-Boy said:
@scottalanmiller said:
Absolutely not the same thing at all. But if you're going down that route then your statement applies to every time the IT guy logs in as the user. Resetting the password makes no difference, you're still logging in as that user. The "IT guy did it" defence simply becomes "the IT guy must have reset my password, logged in as me, done the deed, then reset my password".
No, it remains different, because it alerts the end user that their account has been reset. They can go to security and inform them that their account has been compromised. There is a security mechanism in one case to alert the end user, the other hides it from them. Even with the ability to reset and seize, there is a big difference between seizing an account and sharing it.
-
@Dashrender said:
I'll just throw it out there - I wasn't the one who down voted it either. I'm surprised the system tells you who upvoted but not downvoted - are we going for the eBay way of positive only remarks?
Carnival Boy - We've given you the reasons why we think you shouldn't share passwords, even with IT personnel (even worse, IT shouldn't write them down). Can you flip this on its ear and show us how it's not a security risk by sharing?
The main thing I've picked up from pro password lists people is simplicity for themselves - but I ask, is that the job of IT? They don't want to have to deal with users calling to reset passwords, IT wants to work after hours, etc. While I can understand we want to keep employees as productive as possible, rarely are they not responsible for whatever you're fixing on their machines. Having them around to answer questions and to learn what it takes to fix the problems they make should be beneficial to all, no?
I'll side with CB on this point. I see huge value in the "sharing" method. I won't do it, but I see the value. I think that the risks to me personally outweigh any benefit to the organization. But I understand that it makes life so much easier for both IT and for the end users - until something goes wrong.
-
@scottalanmiller said:
No, it remains different, because it alerts the end user that their account has been reset. They can go to security and inform them that their account has been compromised. There is a security mechanism in one case to alert the end user, the other hides it from them. Even with the ability to reset and seize, there is a big difference between seizing an account and sharing it.
I'm afraid I'm just not getting the difference. In one case, I login as the user with password X, in the other case I login as the user with password Y. What's the difference? In both cases I am logging in as the user. Your argument would only make sense to me if you said I should never login as a user. It seems to me that as soon as I login as that user, his account is compromised, and my ability to discipline him based on his user ID is invalidated.
-
@Dashrender said:
Can you flip this on its ear and show us how it's not a security risk by sharing?
It is a security risk. The issue is whether the risk outweighs the benefit.
-
@Carnival-Boy said:
I'm afraid I'm just not getting the difference. In one case, I login as the user with password X, in the other case I login as the user with password Y. What's the difference? In both cases I am logging in as the user. Your argument would only make sense to me if you said I should never login as a user. It seems to me that as soon as I login as that user, his account is compromised, and my ability to discipline him based on his user ID is invalidated.
Anyone can break into your house and make prank calls from your phone. There is a huge difference between someone breaking in and there being broken glass so that you know that someone broke it versus sharing a party line and having no way for the user to know that their account is "compromised."
As an end user (I don't do desktop support) what you are talking about is a major difference to me. In both cases you can masquerade as me, that is an unavoidable case. But in one case it is continuous and transparent - you and I always are peers under my credentials. In the other, I own my account and if you mess with it I know immediately and can report that my identity is compromised since the last time that I logged in and until now and I can reset the password and monitor for it to happen again.
Yes, you can hijack my account during that window. But there is zero denying that you, not I, had access to the account during that time. It literally switches the owner from me to you until we reset it again. At no time is it ever shared and the time when you are involved is known.
-
@Carnival-Boy said:
It seems to me that as soon as I login as that user, his account is compromised, and my ability to discipline him based on his user ID is invalidated.
Yes, as soon as you can log in that is. With a shared password, his account is never his account. It is always yours too. He never owns or controls it. He never knows how many people you have shared the password with. Nor you him.
With a reset, he knows that you don't know his password. Once you take over, you know that he doesn't know his password. The system is only compromised after seizure of the account takes place.
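The reset-versus-share distinction argued in the posts above, shown as an added example that is not part of the thread: it labels each logon with whoever held the password at that moment, using only reset (4724) and self-change (4723) events from the Windows Security log. The event records and the account names `bob` and `it-admin` are constructed, and the rule that custody returns to the owner when they change their own password is an assumption of this sketch.

```python
from datetime import datetime

# Windows Security log event IDs: 4724 = password reset by another account,
# 4723 = account changed its own password, 4624 = successful logon.
RESET, CHANGE, LOGON = 4724, 4723, 4624

# Constructed sample records (time, event_id, actor, account); names are hypothetical.
RESET_MODEL = [
    ("2024-03-01T08:00", LOGON, "bob", "bob"),
    ("2024-03-04T18:30", RESET, "it-admin", "bob"),   # IT seizes the account
    ("2024-03-04T18:35", LOGON, "bob", "bob"),
    ("2024-03-04T19:10", LOGON, "bob", "bob"),
    ("2024-03-05T08:05", CHANGE, "bob", "bob"),       # owner sets a new secret
    ("2024-03-05T08:06", LOGON, "bob", "bob"),
]
# Same four logons under a shared password: no reset or change is ever recorded.
SHARED_MODEL = [e for e in RESET_MODEL if e[1] == LOGON]

def attribute_logons(events, account):
    """Return (logons labelled with the password holder, custody windows)."""
    holder, opened = account, None   # assumption: owner holds the password at start
    labelled, windows = [], []
    for ts, event_id, actor, target in sorted(events):
        if target != account:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == RESET and actor != account:
            holder, opened = actor, opened or when
        elif event_id == CHANGE and actor == account:
            if opened:
                windows.append((opened, when))
            holder, opened = account, None
        elif event_id == LOGON:
            labelled.append((when, holder))
    if opened:
        windows.append((opened, None))   # custody never handed back
    return labelled, windows

if __name__ == "__main__":
    for name, events in (("reset", RESET_MODEL), ("shared", SHARED_MODEL)):
        labelled, windows = attribute_logons(events, "bob")
        print(name, [h for _, h in labelled], windows)
```

With the shared password, all four logons are attributed to `bob` and no custody window exists, so the log cannot separate the owner's sessions from anyone else's; with resets, the two evening logons fall inside a bounded window held by `it-admin`.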