Password Security?
-
@scottalanmiller said:
I can steal my neighbour's car, but that's not the same as having stolen it.
It's more like you can replace the locks on your neighbour's car, drive it around a bit, then leave a note on the windscreen telling him you've used his car and he needs to replace the locks again.
-
@Carnival-Boy said:
@scottalanmiller said:
I can steal my neighbour's car, but that's not the same as having stolen it.
It's more like you can replace the locks on your neighbour's car, drive it around a bit, then leave a note on the windscreen telling him you've used his car and he needs to replace the locks again.
Yes exactly. That's a great analogy. You have a "master key" that removes the old locks and makes it impossible to hide the fact from your neighbour that the locks were changed. So while you can borrow the car, you can't borrow the car and not have him know. So he can report that it was borrowed or record it or whatever. That way you can access it when you have to, but he isn't on the line for how you drive it while you have it.
Then when you are done, he resets his "key" and takes responsibility back for the account.
-
@scottalanmiller said:
So there are two audits to catch you.
Are we trying to catch me or to catch him? He doesn't have to give me his password, or he can always change it if he's concerned I have it.
-
@Carnival-Boy said:
Are we trying to catch me or to catch him? He doesn't have to give me his password, or he can always change it if he's concerned I have it.
All perspective. You want to catch him. He wants to catch you.
In one case, you share culpability. So you are caught "together." In the other you don't share culpability, so you catch whoever needs to be caught.
The ability to catch you is the ability to catch him.
-
@Dashrender said:
But for my own piece of mind, and the fact that logs are really difficult to fake (destroy - sure, fake - not so much) I wouldn't do it.
The only potentially serious cases I've been involved in have involved me providing Squid logs of internet activity. These are very easy to fake, they're just text files. They also only list by IP address so are based on the PC not the user, so really don't stand up to any kind of scrutiny. In all cases, the employee admitted guilt, so I was never challenged.
-
Anyway, thanks for all the food for thought (and no thanks for the down vote!). It's made me consider my policies and working practices, which is always a good thing. I'm so busy I don't always think things through in much detail and it's great to have someone challenge me.
If I understand it correctly, the principal objection is that my company wouldn't be covered correctly during an employment tribunal. To a degree this is an HR issue, so I need to make sure that my boss (who is head of HR), understands our current practices and has the opportunity to change them.
The solution (reset password and let the user know what it has been reset to) isn't without its challenges. More so if the user is out of town or starts work when I'm not around - we work 24/7 but the IT department is only officially open 8 to 5, so there is a significant amount of time when users have no IT support.
A lot of the tools and practices that you would use to fix or configure a computer without logging in as the user aren't available to an SMB because they're either too complicated to learn or too costly (Office Configuration Tool, for example, is only available under Volume Licence, which SMB's don't always have).
-
@Carnival-Boy said:
@Dashrender said:
But for my own piece of mind, and the fact that logs are really difficult to fake (destroy - sure, fake - not so much) I wouldn't do it.
The only potentially serious cases I've been involved in have involved me providing Squid logs of internet activity. These are very easy to fake, they're just text files. They also only list by IP address so are based on the PC not the user, so really don't stand up to any kind of scrutiny. In all cases, the employee admitted guilt, so I was never challenged.
That makes things easy. That you had real logs, though, and potentially multiple witnesses to the validity of the logs or multiple reasons that they were in trouble probably added up. I doubt that the logs were the sole evidence?
-
@Carnival-Boy said:
If I understand it correctly, the principal objection is that my company wouldn't be covered correctly during an employment tribunal. To a degree this is an HR issue, so I need to make sure that my boss (who is head of HR), understands our current practices and has the opportunity to change them.
I would agree with this assessment, this is an HR issue. Clearly shared credentials have a place. The question is does it have this broad of a place in your specific circumstance and is HR okay with the pro/con of the situation. Several pros, several cons.
The biggest thing, I think, is that you have to not think of the login as being an "identity" anymore and more a convenience.
-
@Carnival-Boy said:
The solution (reset password and let the user know what it has been reset to) isn't without its challenges. More so if the user is out of town or starts work when I'm not around - we work 24/7 but the IT department is only officially open 8 to 5, so there is a significant amount of time when users have no IT support.
Because it is only a temp password, what about texting them the password? Texts are completely insecure (and I do mean completely) but as a side band alert to a reset, are fine.
Or what about using a personal email account for that kind of alert?
-
Yeah, I've used SMS for this kind of thing before.
-
@Carnival-Boy said:
Yeah, I've used SMS for this kind of thing before.
There is also password reset software that can be used. But normally not free.