#1 (permalink) |
|
TSF Enthusiast
Join Date: Nov 2006
Posts: 510
OS: XP2,WIN03,UBUNTU,CentOS,Bayanihan,FEDORA 8
|
Administering Passwords
Hey guys, is it advisable to let users set their own passwords in a networked office environment?
#2 (permalink) |
|
Registered User
Join Date: Oct 2004
Location: Omaha, The Center of the Universe
Posts: 7,632
OS: WinXP, Win2K3
|
Re: Administering Passwords
Yes, it is fine. In fact it is usually recommended. Make sure you set complexity requirements in GP and have it force them to change it frequently (I usually do 45 days and remember up to 10 passwords so they don't use the same passwords). You, as an admin, can always change the password whenever you need to.
|
|
|
|
|
|
#4 (permalink) |
|
Moderator, Microsoft Support
|
Re: Administering Passwords
The admin does not need to have a set of the passwords, because they can change the user password if they want to, and yes, the admin will be able to access their account.
Last edited by Go The Power; 05-25-2007 at 08:29 PM. |
|
|
|
|
|
#5 (permalink) |
|
Moderator Networking Team
Join Date: Aug 2006
Location: Canada
Posts: 2,664
OS: Windows Vista Business SP1, Windows XP Professional SP3
|
Re: Administering Passwords
The official/unofficial policy regarding passwords in an office environment is to push the secrecy of a user's password as much as possible at the user. No writing it down on a sticky and hiding it under the keyboard, no password that's "password", and never ever tell anyone. The last point is important, and is doubly important when regarding IT personnel. The IT people in the company never need to know a user's password, and as IT you should never be placed in a position where it is revealed to you for three reasons:

1) Security. As a principle, knowing a user's chosen password goes against having the security when you have the power to change and basically do anything the user can. (Addendum: There's a lot more to it regarding security ethics, however for the purposes of this discussion, knowing there's a principle is what is primarily important.)

2) Liability. If you are in the position of knowing user passwords, you are liable for any questionable actions that may occur due to a user abusing and damaging resources and information. While it's true you can be liable anyway in being in a position of power/authority, that is a different type of liability. Compounding it is not recommended.

3) Social Engineering. Users need to be informed and trained never to give their passwords to anyone, including IT. This is because it is not uncommon for people with malicious intent to impersonate IT and try to get users to divulge information that doesn't belong in other hands.

This policy is completely justifiable and expected - administrators have greater authority in regards to access control to resources anyway and should never need a user's password. If a particular thread of troubleshooting and/or repair requires direct access to a user's account, there are alternative actions available.

The most common and preferred method in gaining access to a user's account while logged in (in session) is to use Remote Administration. Need to tweak their Outlook settings? Establish remote administration (RDP, VNC, whatever your preferred/required flavour). You can also, in cases where you cannot remotely administer a user and must interface locally, change the user's password administratively, do your thing, then reset to another temporary password and force the user to change it privately.

By the way, as a side note, make sure you note these administrative actions in your service log. Do not record any passwords used in the log. I know some like to use certain standard passwords while servicing due to convenience (not recommended security-wise but it's common); that information should be stored in a secure location and not in a log, even if your logs are not shared with non-IT personnel. It isn't good practice.

Last edited by Cellus; 05-26-2007 at 12:43 AM. |
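The administrative reset and hand-back described in the post above, as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module (RSAT) is available; the account name, ticket reference and log path are hypothetical placeholders.

```powershell
# Added example: reset a user's password for local servicing, then hand the
# account back with a temporary password the user must change at next logon.
Import-Module ActiveDirectory

$user   = 'jdoe'                        # hypothetical account name
$ticket = 'TICKET-0000'                 # placeholder service-log reference
$log    = 'C:\ITLogs\service-log.csv'   # hypothetical path; the folder must exist

function Write-ServiceLog([string]$Action) {
    # Records who did what to which account and when. The password is never
    # passed to this function, so it cannot end up in the log.
    [pscustomobject]@{
        Time    = (Get-Date).ToString('s')
        Admin   = $env:USERNAME
        Account = $user
        Ticket  = $ticket
        Action  = $Action
    } | Export-Csv -Path $log -Append -NoTypeInformation
}

# 1. Set a servicing password. Read-Host -AsSecureString keeps the value off
#    the screen and out of the command history.
$servicePw = Read-Host -AsSecureString "Servicing password for $user"
Set-ADAccountPassword -Identity $user -Reset -NewPassword $servicePw
Write-ServiceLog 'Password reset by admin for local servicing'

# ... perform the work that needed the user's session ...

# 2. Replace the servicing password with a one-time temporary password and
#    force a private change. ChangePasswordAtLogon fails if the account has
#    PasswordNeverExpires set, so clear that flag first if needed.
$tempPw = Read-Host -AsSecureString "Temporary password to hand to $user"
Set-ADAccountPassword -Identity $user -Reset -NewPassword $tempPw
Set-ADUser -Identity $user -ChangePasswordAtLogon $true
Write-ServiceLog 'Temporary password set; change required at next logon'
```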
|
|
|
|
|
#7 (permalink) |
|
TSF Enthusiast
|
Re: Administering Passwords
One thing to note with the password complexity. Make it so it is complex, but not too complex that a user will have to write it down on a piece of paper. This is a big security risk.

Also, inform your users that they should under no circumstances disclose their password to anyone, even other employees. The Domain Admins will not need their password, and if someone calls and says they are from the help desk and need their password, they are likely not legit.

Also, it is useful to set the minimum password age as well. If someone discovers a user's password and wants to lock the original user out, then they will change the password before it expires. You can prevent this.

Also, was minimum password length mentioned?

EDIT: Oops, it looks like Cellus already mentioned the part about people pretending to be from the help desk. I guess that goes to show how common it is.
__________________
- Matt M - KB1OSC - Folding@Home 85015
Last edited by TheMatt; 05-29-2007 at 04:53 PM. |
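An added example, not from any poster in this thread, that compares the domain password policy with the settings raised in posts #2 and #7. The 45-day maximum age and 10 remembered passwords come from the thread; the minimum age and minimum length values are assumptions chosen for illustration, and the ActiveDirectory PowerShell module (RSAT) is assumed to be available.

```powershell
# Added example: audit the default domain password policy against the
# settings discussed in the thread, then preview the change.
Import-Module ActiveDirectory

$desired = @{
    ComplexityEnabled    = $true                  # complexity via policy (post #2)
    MaxPasswordAge       = New-TimeSpan -Days 45  # from post #2
    PasswordHistoryCount = 10                     # from post #2
    MinPasswordAge       = New-TimeSpan -Days 1   # assumption: thread gives no value
    MinPasswordLength    = 12                     # assumption: thread gives no value
}

$current = Get-ADDefaultDomainPasswordPolicy

# One row per setting: current value, desired value, and whether they match.
$report = foreach ($name in $desired.Keys) {
    [pscustomobject]@{
        Setting = $name
        Current = $current.$name
        Desired = $desired[$name]
        Match   = ($current.$name -eq $desired[$name])
    }
}
$report | Sort-Object Setting | Format-Table -AutoSize

# With a minimum age of zero, a user can change the password repeatedly in
# one sitting until the history rolls over and the old password is allowed
# again, so password history alone does not prevent reuse.
if ($current.MinPasswordAge -eq [TimeSpan]::Zero -and $current.PasswordHistoryCount -gt 0) {
    Write-Warning 'MinPasswordAge is 0: password history can be cycled through.'
}

# Preview the change when anything differs. Remove -WhatIf to write the policy.
if ($report | Where-Object { -not $_.Match }) {
    Set-ADDefaultDomainPasswordPolicy -Identity $current.DistinguishedName @desired -WhatIf
}
```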