Here's the dilemma. Our Director of Corporate IT (who's also responsible for creating/maintaining user accounts) has used a program to crack all the employees' passwords in order to figure out which ones still have "password" as the password. This is the assigned password upon account creation. Users are told that they're to change the password after their initial login (he apparently doesn't know how to expire passwords immediately).

So, he now has each user's password and has full reign over the system. Files that were locked (i.e., personnel, accounting, contracts, source code, etc.) are now available to him if he logs in as a trusted user. This issue has been brought to his boss, but to no avail. (The response was that no employee should expect privacy on their company owned workstations.) That I can agree with, however, what about giving someone full reign over the system? He could potentially log into the system as user x, download some porn, and then nail user x for downloading porn, thereby causing user x to be fired (according to our company policy). He could also log in as user y and access his own personnel records. Finally, he could log in as a vp/manager and send out an e-mail that looked as if it came from the vp/manager. The list of breaches (ethical and security) could go on and on.

What are the policies at your companies? Similar? Different? How does one go about showing the boss what kind of Pandora's box has been opened by the IT director's actions? Suggestions? Thoughts? Feedback?
0 Votes
This is slightly off-topic but I just wanted to see if anyone could offer advice.

Well, at my company we (my partner and I) are the only IT people in the plant. We do know how to expire passwords when a user account is created, but we usually assign the account a password that the user wants when he/she starts working for the company. Neither one of us was here when the initial accounts were set up for the existing employees, so I can't say how it was done on a large scale here. Our biggest concern here is not really user passwords but screensaver passwords. When we have to perform maintenance on a user's PC when he/she has a screensaver password and is not around, it is aggravating to us as well as risky to the user's open files. (On bad days we just restart the machine without finding the user... mean, I know, but what are you going to do?) We currently try to keep up with these passwords ourselves by storing them in a record, but then the user changes them. Does anyone have an idea on how to bypass the passwords when the screensaver is running? The OSs we use are Win9x. I have found a company that makes a legal cracking program for this matter where all you do is insert a CD and it autoplays and cracks it, but very few computers here have CD-ROMs so this does us no good. If anyone has any advice please let me know. Thanks.
0 Votes
You should implement system policies and disable access to the screen saver page.
0 Votes
I would do that if there was a way to keep them from just enabling the password. We need the screensavers. We already have some monitors around here that have a faint image burnt into them. A lot of the people around here don't always stay at their computers, so they set a screen saver to keep from messing up the monitor, and since they are worried that someone around here is going to mess with their computers they set a password. Now we tried just getting them to turn off their monitors, but that led to buttons on monitors wearing out (now they are always on, even at night when no one is here) or people thought their computers were off and went to turn them on, which actually cut them off, and that led to more problems (as everyone can imagine). So any more suggestions?? Please, if you can tell me how to just disable the password option I believe that would be good enough. Thanks.
0 Votes
pete_may@... 29th Jan 2001
I think you're going at this from the wrong angle. Password protected screensavers are an important security tool. You need to make sure people don't leave important files open when they leave their computers. Explain the need to save Word docs etc., as you will log them off when you need their computer. That way they know only you can access their computer and they understand the danger of open files.
0 Votes
No open files!
shiva 27th Aug 2001
You need a policy that users must not leave files open when away from their desk. This includes peer-to-peer databases. Not just California is subject to unexpected power outages. Users have to assume that power may be lost at any time. Save Early, Save Often.

Let your users know that unattended systems are subject to being forcibly powered down by maintenance personnel, and make a few examples. But remember that you need buy-in on this from the very top, so explain to upper management why this policy is needed, and why "fire drills" should be performed.
0 Votes
Within several networks I have managed (small and large) I have used a screensaver app called Neighborhood Watch. It works with WinNT and better yet with Novell's NDS. A group of users can be given screen saver override rights, and the current user has override. This works well for wks in hoteling setups, as multiple users are not sharing a single screen saver password.

Additionally it cuts back on desktop techs ending up with user passwords, given to them by users to unlock said screensavers. The techs use their own passwords to unlock.

Lastly on this discussion, I would add that screen saver passwords could be a big part of security. Many locations have wks in areas that are accessible to the public (banks, retail). In the case of an office, a commissions clerk's PC, who runs to the bathroom, could be seen by a file clerk.

Password policy is a long discussion. My thoughts are that it takes MUCH work to make a good system, and in the end co. MUST trust the IS staff. I could cause catastrophic damage to any network I run. Users password protecting their word doc does little if I wanted to cause trouble. Find and hire trustable people, treat them well.
0 Votes
Security
BlazNT2 12th Jan 2002
Security in Win9x is nonexistent; there is no real need for screensaver passwords to begin with.
0 Votes
BlazNT2 12th Jan 2002
A good place to find info on fixing registry problems is www.regedit.com. I have found what you need. With a little tweaking you can create a .reg file that would turn off passwords and set it so they can't set any more. Look into this web page for "Hiding the Screen Saver Settings Page". After you do the fix on this page you can export the new setting to a .reg file and run it anytime you go to a machine. Or better yet, set it in the startup folder and it will run every time they log in. I would also search the registry for the setting for saving the password and put it into the .reg file. All would be taken care of then. Good luck. http://www.winguides.com/registry/display.php/170/
I support the action of resetting the machine and I tell all my users.
1. Don't leave your machine logged in for long periods of time.
2. If you do and I need to get in I will reset the machine and remove the password.
I have been called a BOFH.
Lastly I have taken to using Net Support Manager for support and Snadboy's Revelation to reveal passwords in an emergency, i.e. it's the Director's PC and I don't want to lose the work or the job.
As a matter of policy I do not record any password I reveal (use and forget).
0 Votes
ao401@... 29th Jan 2001
If they are on a network, why not just change their password at the server? In NT you would use the User Manager for Domains and in Novell you would use one of the Novell admin utils. The screen saver password generally is the same as their network password. This can be done from an administrator's box.
0 Votes
Unfortunately, the screensaver passwords aren't tied to the network passwords. They only exist on the local machine, and can be (and often are) different than the network logon.
0 Votes
CTRL-ALT-DEL
jaw0807 21st Aug 2001
If you are on a Windows 9X system you should be able to use CTRL-ALT-DEL to end task on the screensaver. If you are using NT/2000 you can unlock the workstation by using the domain administrator account (although this will close any programs they have open).
0 Votes
Winexit.scr
jacloftis@... 23rd Oct 2001
What I implemented in an open area was a winexit.scr program I found on TechNet and also on cnet.com (if I remember correctly). You can set it up so that if no keyboard or mouse movement is detected it logs the user OFF. It works really well; you can also use regedt to change the parameters for the default user. Hope this helps a little.
0 Votes
If anyone cares, then they'll change their password often to one that's harder to crack, or complain until it gets fixed. Conversely, if anyone does download porn, they can blame the Sys Admin and get them fired. Or a VP could execute a CYA and blame them for a stupid memo. Nothing is truly secure - we have to trust each other.
0 Votes
rdmjr 25th Jan 2001
I'm the administrator for Unix and NT systems at our company. The only passwords I know are the ones for my account and the root/administrator passwords. If you've got the root/admin passwords, you don't need to know the others - you can just set them to a known value if there's a valid reason to get into an account. I don't WANT to know their passwords - if I don't know the password, I can't be blamed for the problem! The only passwords that are supposed to be documented are the root and admin passwords, plus any outside accounts (AOL, MSN, etc.) that the company pays for. Best of all, the chore of keeping that information up to date falls to our company controller, so all I have to do is document my new root and admin passwords, hand them to her (not email, not put it in her inbox, etc., but physically put it in her hand!) and it's no longer my problem.
0 Votes
Procedures needed.
Jay_H 25th Jan 2001
If a company is serious about security, overriding passwords should be a rare and specific kind of event (death or termination of employee for instance). We've learned this lesson in the legal field, requiring warrants before wiretaps, similar principles belong also in organizations.

If there is a backup password list it should require access through another trusted person (for example multiple key encrypted files) with every access to the password file (naming individuals and reasons) logged.
A real administrator does not need all passwords and does not want them. If access is needed the admin can reset the user password to get access or take ownership. Knowing everyone's password is a power play by your admin.
Our Director of Technology is one of those IT guys who still believes in hiding all he can from users, making him the "god" of IT. He uses a password cracking program on all of his IT personnel, just to "keep us in check". He uses the cracking software to try and crack our passwords, and if he cracks one he makes a big deal about it and comes and reprimands us for having such easy passwords.
0 Votes
ao401@... 29th Jan 2001
Treat him the same way. Crack his password and see how he likes it. May get you in trouble, but it could cause some fun on your part.

Does he have a need to know? In my place of employment, if we run password cracking programs, we will have security standing by our desks with an empty box to escort us off of the premises. Also receive a side trip to the corporate lawyers.
0 Votes
We have a policy here that the Admin (ie, me) does not know the users passwords. In the event that I must obtain them for valid reason, the user is asked, and they are told to change the password as soon as I have finished my task. The passwords shouldn't be crackable anyway - if they are, the security has a problem to begin with!!!
0 Votes
I guess it depends on the type of person in that position. If your IT Director isn't trustworthy, or users don't feel he is, then why is he in this position? That sounds like your company's problem....there should be no Pandora's box to even worry about, let alone open! In my system, I maintain all accounts and have the same abilities as your IT Dir. (except I don't keep passwords, just change them if need be to a temporary one) but there are no problems whatsoever..I see it as part of my job description to earn and keep the trust of users.

In my opinion, there needs to be at least one person who has control over the entire system because it's when jobs are broken down throughout the system that problems will arise....even with good coordination, I've seen it happen! Either that or downtime becomes a huge problem if one techie goes to fix a problem and doesn't have access or rights or whatever, the user has to wait for another to come along that does! Who knows when that guy/gal will be able to look at it? What do you all think, am I right? Wrong? Why? Why not?

Happy Teching......
0 Votes
my opinion
H Lucas 25th Jan 2001
Our company's situation may be different because of our small size (approx. 35 computer users), but I don't want to know the users' passwords. The less I know, the more responsible the users are for the security of their own files. The only time I need to override or take ownership of a user's account/password is when they have left the company.
Because I am the only IT personnel here, I do keep a copy of the Admin password in our company safe, so that in case I get hit by a bus they can access the system.
I do spot check users once in a while, by attempting to log in as them, to make sure they are not using an obvious password, like their name, but otherwise their passwords are just that, THEIRS.
0 Votes
The only reasons an admin could have for holding onto a user's system password are either a complete lack of knowledge, a power trip, or the desire to do "untrackable" things with the users' accounts.

Since the SA presumably has root/admin rights to the system, they could reset the user's password to anything they need to if they need to access that person's account. The "problem" with this is that the user will have to be notified that their password has been reset.

It's pretty basic admin knowledge to reset a password. The only thing knowing the users' pw does is allow them to mess with the account without the user's knowledge.
0 Votes
No admin needs to know what a user's password is. They are the Admin, meaning they have the ADMINISTRATOR passwords (root, etc.) to their systems (don't they?). Any work that they need to do as Admin should be done under that account's authority. The admins should also have personal accounts that only they have the password for to do their "user type" tasks. Documenting passwords in any way is a security breach and shouldn't be done, not on post-its, not in a safe, not anywhere. In the real world, the risk of documenting master or admin passwords should be assessed by Company (or Corporate) management and a business decision should be made as to the "proper" procedure. As far as "cracking" passwords, this practice might be a good idea for an administrator to do from time to time to ensure security of the network that they administer. It should never be done just to discover user passwords. Security is only as good as its practice. If users post their username/passwords for the world to see, it is a business issue and should be reported by the admin to the appropriate business party.
0 Votes
The flip side
Jessica Lynn 27th Aug 2001
Our company is a 40 user company and IT (2 people) have everyone's password. How do you test a new machine set-up without logging in as the person? Often times we are here early or late to check on problems. If the problem is central to a profile, how do you test? For example, one user recently had a problem with corruption of his normal.dot file. I would have never been able to see the problem if I was not logged in as him.

Also, there is more than one person with the Admin account password, in case there is an emergency and I'm not here.
0 Votes
I honestly never gave this much thought. When working on a user's machine that was running NT I would often ask for their password so I could work in the correct profile (i.e. setting up email, browsers).

Also, I knew many of the passwords because I created them for the users when they got hired and we had no policy for how often they had to be changed. Most people never changed them at all.

For me in the desktop arena, the toughest thing about not knowing the password is when a user requests I check out their machine but they've got it locked when I stop by and they are nowhere to be found. I can log them off as an admin but I might kill an open file.

At least at the two companies I've worked at, most people are comfortable giving us the password to work on their machine. I let them know they can always change it.
0 Votes
If you need the user's password to work on the machine, you need the user there. And ALWAYS force change of password on next login when creating an account.
0 Votes
To avoid the problem of users not being at machines for tech assistance (that they asked for), try to get a time when the user will be there, so the tech doesn't waste time looking for a user. In addition, if the user walks off while the tech is there, and a reboot is required, the tech reboots and walks away if the user isn't back by the time the system has rebooted. Then, when the user calls, mad because the install or service isn't complete, they are informed that the tech needed their password to finish the job, and a time, usually several hours later, is set for the completion of the task. This can reduce the number of users who vanish during service; nothing, short of handcuffing them to their chair, will eliminate the problem completely.

The sysadmins don't want, or need, to know, users' passwords. In all cases, the sysadmin can reset a password, in the case of users who die, or are otherwise unavailable, when the work must go on. Then, when the original user returns, they can change the password and be "secure" again.
0 Votes
Almost every NOS I know of allows password expiration upon login, forcing the user to change it, or else the account will be locked out. If such actions happened where I work, the IT director would be handed a pink slip and escorted out by 2 security guards. Enough said!
0 Votes
If you have a problem with company policy and offer up a solution and it is disregarded, you are free to leave the company. Your sanity is the only one that matters.
0 Votes
Passwords
keith39@... 25th Jan 2001
When I need to work on a user's computer I will try to contact them ahead of time and have them change their password to one that I supply them. Then when I'm done I leave a note reminding them to change it back. This includes boot, login and screensaver.
0 Votes
root is GOD!
basilisk@... 25th Jan 2001
I don't know about NT systems, but I was a system admin for a UNIX system a few years ago and it wouldn't have mattered one whit if I had cracked user passwords or not. I was _root_.

I could have done any of the things you mentioned without the user's password (but I didn't.) I wouldn't even have had to change the user's password to a temporary one, as some posts have mentioned. The su (switch user) command didn't even prompt me for the password of the user I was becoming. And once I'd switched, it looked to the system as if I _was_ the user I switched to.

Also, as root, I could have done any of those things without even entering the user's account. Download porn, copy it to the user's directory, do a chown (change owner) command on the file. And root could read any file on the system, personnel or otherwise. It would have been easy to stop the mail queues long enough for me to edit an outgoing message to make it appear as if it had come from a vp/manager.

Perhaps UNIX has addressed some of these issues since I last used it, but I doubt it, because all the methods I could have exploited were also crucial to me at various times just to keep the system running.

If you are running UNIX, your only hope is to find a simple UNIX admin handbook and give it to the director's boss to read, so that the boss might come to his senses about the power he gave the director when he hired him.
0 Votes
Use SecureID cards
diemde 25th Jan 2001
Eliminate using passwords by using SecureID cards. Then the issue of remembering passwords is moot. Instead of entering a password you enter a PIN code and a randomly generated number (which changes every 10 seconds). If security is critical, the cost is worth it.
0 Votes
First, Administrators do not need a user's password. Unless it's an emergency, I wouldn't get into their system while their screen is locked. Updates and changes should be done when they aren't using the system.
Have a security policy of using mixed upper, lower and numbers in the password. Have a minimum of 8 characters. Take common words and substitute upper case and numbers. Example: Fl0at1ng
Have the security policy include expiration dates, and keep track of old passwords. This should eliminate the necessity to use a password cracker, although if you don't trust your users, use one.
0 Votes
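Several posts above make the same two points: an admin who wants to know which accounts never left the assigned "password" only has to test that one known value against each stored hash (no cracking run, no recovered passwords), and the posted policy (8+ characters, mixed case plus digits, expiry, no reuse of old passwords) is best enforced at change time. The Python below is an added illustration of both and is not code from any poster; the PBKDF2 record format, the account records and the user names are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# The value every account is created with, per the thread.
DEFAULT_INITIAL_PASSWORD = "password"
PBKDF2_ITERATIONS = 50_000  # constructed setting; real directories use their own scheme


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stand-in for whatever the directory stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> dict:
    """Build a constructed account record the way account creation would."""
    salt = secrets.token_bytes(16)
    return {
        "username": username,
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": hash_password(password, salt),
        "history": [],        # previous {salt, iterations, hash} entries, for reuse checks
        "must_change": False, # the "expire at next login" flag the poster wished existed
    }


def matches(record: dict, candidate: str) -> bool:
    """Constant-time check of ONE candidate against a stored salted hash."""
    digest = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def still_on_default(record: dict) -> bool:
    """Single-guess verification against the known initial value only.
    Nothing else is tried and no password is ever recovered."""
    return matches(record, DEFAULT_INITIAL_PASSWORD)


def audit_default_passwords(accounts: list) -> list:
    """Flag every account still on the assigned default for a forced change
    at next logon, which is what should have happened at creation."""
    flagged = []
    for rec in accounts:
        if still_on_default(rec):
            rec["must_change"] = True
            flagged.append(rec["username"])
    return sorted(flagged)


def policy_violations(new_password: str, record: dict) -> list:
    """Check a proposed password against the posted policy: at least 8 chars,
    upper + lower case + digits, not the default, not the current or an old one."""
    problems = []
    if len(new_password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in new_password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in new_password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in new_password):
        problems.append("no digit")
    if new_password.lower() == DEFAULT_INITIAL_PASSWORD:
        problems.append("is the default initial password")
    # History entries carry the same salt/iterations/hash keys, so matches() works on them.
    if any(matches(old, new_password) for old in record["history"] + [record]):
        problems.append("reuses a previous password")
    return problems


def change_password(record: dict, new_password: str) -> list:
    """Apply a change only if the policy passes; rotate the old hash into history.
    Returns the list of violations (empty on success)."""
    problems = policy_violations(new_password, record)
    if problems:
        return problems
    record["history"].append(
        {"salt": record["salt"], "iterations": record["iterations"], "hash": record["hash"]}
    )
    record["salt"] = secrets.token_bytes(16)
    record["hash"] = hash_password(new_password, record["salt"])
    record["must_change"] = False
    return []


# Constructed sample directory: two users never changed the assigned default.
SAMPLE_ACCOUNTS = [
    make_record("alice", DEFAULT_INITIAL_PASSWORD),
    make_record("bob", "Wint3rTime"),
    make_record("carol", DEFAULT_INITIAL_PASSWORD),
    make_record("dave", "Fl0at1ng"),  # the example password from the post above
]

if __name__ == "__main__":
    print("still on the default, now flagged must_change:", audit_default_passwords(SAMPLE_ACCOUNTS))
    print("policy problems with 'Fl0at1ng':", policy_violations("Fl0at1ng", SAMPLE_ACCOUNTS[1]))
    print("policy problems with 'password':", policy_violations("password", SAMPLE_ACCOUNTS[1]))
```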
Lax Security
TIP73 25th Jan 2001
We probably need a wakeup call at our office. An example: my friend had his house broken into; jewelry, firearms, cash stolen. He doesn't leave his home or car without locking up. The same applies for any security; it is only as good as the people monitoring the system and enforcing the laws. Yet a determined hacker or insider can be a formidable foe.
As an admin myself I personally avoid knowing such info. This would give the offender a reasonable excuse to pawn off his/her offense on someone else. If I don't have a key I can't unlock the door. But there are many other ways to access info and leave a trail.
I used to work for a mental health agency (I left about 2 months ago) that had incredibly lax security. Due to fed & state regulations, client confidentiality is very important. Unfortunately the Network Administrator couldn't get his act together to develop and set a security policy in place. The agency's only written policy was a script that said don't let anyone know your password when the user logged on. Of course nobody ever read that and I used to find the classic post-it note passwords written down everywhere.

Another bone-headed move the NA made, about six months ago: he read some article about security and decided to change the intruder lock-out status. Before, when a user locked their account (usually when they were forced to change their password), they had 6 log in attempts (he changed that to 3) and the account would be locked for 2 hours (he changed that to 2 weeks). All this was done without telling not only the end users but anyone else on the IT department! Needless to say I used to unlock a lot of users' accounts. I mentioned to him (the NA) that he probably should have let the end users know that he was going to change things, but he never did.
0 Votes
Suppose he gets fired or decides to quit. If he leaves on bad terms he now has every username and password and a supposed reason to cause damage.
0 Votes
An administrator can do nearly anything on the computer or the files within, so I really don't think that him having the passwords is your worst fear. However, I also don't feel that he needs to know everyones password either.

A good administrator will try and run a password cracking program on their system every now and again. What it does is enforce that the Users are using adequate passwords. I hope that he is following up with the Users later on to tell them that their passwords are easily cracked (because it is the same as their first name, dog's name, boyfriend, son, pick your poison).

However, there could be a downside to that. Yes, he could be hacking into HR records and putting in bogus data or modifying personnel records using another User's name. There is no reason, however, to believe that he couldn't do this without having their passwords. For example, he has full administrative reign over the data. He could simply modify the data without needing to log on as the User. The average User doesn't know how to check who last modified a file, and furthermore, most of this activity is left untracked. As far as the file is concerned, it cares about who owns it and who created it, etc. There is no log of who last modified it unless you're logging it specifically (audits).

Again, his efforts may be either good or bad, and if they're used for the wrong purpose, then he's not a good administrator in the first place. If they're good, then your company may be all the better for it in the long run against attackers.
0 Votes
Being one of the Admins at my organization, I actually have a LIST of everyone's passwords. I was in shock when, on my first day, the other admin asked me for my password as I was typing it in, and I turned around to see him adding me to the list. Being my first day, I just went along with it.
While it is convenient for me to have everyone's password, I still believe that admins shouldn't have that much knowledge. An administrative account can give access to most everything you need, so that you don't have to "pose" as a user.
Lucky for my users that I'm about as honest as Abe Lincoln.
There have to be other places to work for a qualified tech. And they'd be foolish to not tighten up security. Tell them you won't condone unethical or immoral behavior from your boss and fire the company. Oh, keep your behavior beyond reproach, no MP3's or personal e-mail Jokes of the Day.

"You can't stop the birds from flying over head, but you can stop them from making a nest in your hair." - Martin Luther.
0 Votes
A friend of mine was doing a computer course during which she was expected to keep the files used in the exercises, as they would be used in the final test and assignment and had to be available for inspection by the certifying authority. On the day that she was to do the final assignment she went to log on and was told that her password was incorrect; it was the same one that had been used for 18 weeks. As no one had the ability to access her files she was unable to take the exam and obtain the qualification.

The above experience duplicated in a firm would result in severe problems, hence the need for someone to be able to access all files. Yes, there are dangers: but if you do not trust the employee why did you hire him, or her.

This is not a new problem; it was always possible, and still is, for the telephonist to listen in to calls, or the secretary to make extra copies of confidential documents.
It is absolutely unprofessional for the IT Director to know anyone's but System and his/her own password. See previous replies for work-arounds to accessing specific accounts.

As a systems trainer and training manager I instruct all my help desk and training people that passwords are sacrosanct and to instruct all users to never reveal their passwords to anyone, not even us.

When we need access to a user account, that user must enter the password, and a professional will never "snoop" for passwords.

As for screen saver passwords, they are, in a business environment, in all cases, unnecessary. Sensitive files and/or programs may be individually protected, and closed when the user leaves his/her desk. Screen savers are also not necessary on monitors manufactured after the mid-90s because screen burn-in is prevented by modern screen technology.
0 Votes
But those of us who will need to meet HIPAA compliance are mandated to maintain a central list of user passwords.
0 Votes
BUT...
Alias KEP 20th Aug 2001
If the desktop is left open, all the securing of individual files in the world is of no use, since the "snooper" IS the authorized user.

Most users may not need password protected screen savers, but anyone in the fiscal or personnel area should be fired if they don't have one!
0 Votes
Your comments come down to one issue- your trust of the Director of Corporate IT.

I am one of those IT Managers that has complete control of all passwords in our company's IT systems. That includes the passwords for the President and CEO.

I agree with you that the potential for mischief and outright malicious damage is great. I can't speak for other organizations that put this trust into their managers, however, neither our company, nor any of its employees, has anything to fear from me. I worked for many years with the company to build the reputation I have, and that has earned me this position of trust.

I would hope that your company's CEO has a full understanding of the importance that security issues have in today's information-based world, and that he can sleep soundly at night knowing that he has chosen the right person for the job.

Ours did.
0 Votes
Let sleeping dogs lie. As far as I can tell, no problems have arisen because of the Director being able to access all accounts.

Your only argument seems to be that if the director was a very dishonest individual, then he could cause problems. I suspect that if you had a director this dishonest, there would be problems regardless of whether he could access user accounts.

My advice is to let the issue drop. There are probably some very real problems to be addressed with your network security that should be a lot higher priority than this battle.
0 Votes
An alternative
craig@... 29th Jan 2001
I have read with interest the various discussions on passwords. Like it or lump it they are a serious drain on IT resources (financial and personnel). A real alternative is to use a biometric that works (and it just so happens ...).
We (unashamedly) push the Iridian iris biometric; however, I am interested to see what sort of success/failure people have had trying to implement password replacement for NT networks.
0 Votes
Having only just joined the convo and not read all the responses yet, pardon me if I cross ground with others...

1. I'm finding it hard to believe that a guy who knows how to crack user passwords does not know how to set passwords to expire immediately.

2. The administrator can access any file on the system without needing the password of a user. And I might add, needs to be able to do so in the event of an employee leaving or being sacked.

3. How can you operate a network if 'someone' cannot get into every file when required?

I'm sure if the integrity of the administrator is questionable, they should not be the administrator, but I fail to see how knowing all users' passwords is a problem. (On that note, the password crack would be handy to ensure reasonable security. Users are notorious for picking obvious passwords!)

I am currently administrator of a network where each password is set by myself and the passwords do not expire. Therefore I know all passwords that access our system. Hmmmmmmmm, perhaps I should report myself to my boss....

The administrator is potentially the weak link in any network, therefore it is important to trust the persons assigned this level of security.

Perhaps you need two administrators that spend all their time trying to bust each other.