Solving password problems one at a time, Re: The password-reset paradox

Dave Kleiman dave at davekleiman.com
Mon Feb 23 13:41:45 EST 2009


>> On February 21, 2009 14:34, Ed Gerck wrote:
>> In a business, one must write down the passwords and one must have a 
>> duplicate copy of it, with further backup, where management can access 
>> it. This is SOP.
>>
>> This is done not just in case the proverbial truck hits the employee, or 
>> fire strikes the building, or for the disgruntled cases, but because 
>> people do forget and a company cannot be at the same time responsible to 
>> the shareholders for its daily operations and not be responsible for the 
>> passwords that pretty much define how those daily operations are run.

>> The idea that people should not write their passwords is thus silly from 
>> the security viewpoint of assuring availability and also for another 
>> reason. Users cannot be trusted to follow instructions. So, if one's 
>> security depends on their users following instructions, then something 
>> is wrong from the start.

Most organizations I interact with have an SOP that nobody should ever know another's password. The only passwords that are safely stored are those for encryption or the top-level admin. You take on a degree of legal responsibility if you have the ability to log on as another user. Since the admin can easily change a user's password, what would be the necessity for this risk? All password changes should be audited.


Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com 
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801 
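The control Dave describes above (admins reset rather than hold passwords, and every change is audited) can be checked against an audit trail. The following is an added example, not code from the thread or from any product; it assumes a constructed one-JSON-object-per-line log with hypothetical event names and fields, lists every change/reset as the audit record, and flags a reset followed shortly by a logon as the reset account from the admin's own host.

```python
"""Audit correlation for admin password resets (added example, not from the thread).

Assumed, constructed log format: one JSON object per line with fields
'ts' (ISO-8601), 'event' ('password_change' = user changed their own,
'password_reset' = someone else set it, 'logon'), 'actor', 'target', 'src'.
The event names are illustrative, not a real product's schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample records: admin1 resets bob's password, then a logon as
# bob occurs two minutes later from admin1's own workstation.
SAMPLE_LOG = """\
{"ts": "2009-02-23T09:00:00", "event": "password_change", "actor": "alice", "target": "alice", "src": "ws-alice"}
{"ts": "2009-02-23T09:05:00", "event": "password_reset", "actor": "admin1", "target": "bob", "src": "ws-admin1"}
{"ts": "2009-02-23T09:07:00", "event": "logon", "actor": "bob", "target": "bob", "src": "ws-admin1"}
{"ts": "2009-02-23T10:00:00", "event": "password_reset", "actor": "admin1", "target": "carol", "src": "ws-admin1"}
{"ts": "2009-02-23T13:00:00", "event": "logon", "actor": "carol", "target": "carol", "src": "ws-carol"}
"""


def parse_log(text):
    """Parse the line-delimited JSON log into time-ordered records."""
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return sorted(recs, key=lambda r: r["ts"])


def password_change_audit(records):
    """The audit trail: every change or reset, with who did it to whom."""
    return [(r["ts"].isoformat(), r["event"], r["actor"], r["target"])
            for r in records if r["event"] in ("password_change", "password_reset")]


def suspicious_resets(records, window=timedelta(minutes=30)):
    """Flag an admin reset of another account that is followed, within `window`,
    by a logon as that account from the same host the reset came from: the
    admin may have used the new password instead of handing it to the user."""
    flagged = []
    resets = [r for r in records
              if r["event"] == "password_reset" and r["actor"] != r["target"]]
    for reset in resets:
        for r in records:
            if (r["event"] == "logon" and r["actor"] == reset["target"]
                    and r["src"] == reset["src"]
                    and reset["ts"] <= r["ts"] <= reset["ts"] + window):
                flagged.append((reset["actor"], reset["target"], r["ts"].isoformat()))
    return flagged
```

Carol's logon is not flagged because it comes from her own host and hours after the reset; the same correlation applies unchanged to a real directory audit log once the field names are mapped.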

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com