[Cryptography] A two key file/program

Ángel angel at crypto.16bits.net
Fri May 17 19:32:27 EDT 2019


On 2019-05-16 at 19:00 -0700, Allen Schaaf wrote:
> The goal for the credit union is to encrypt login information 
> used by the staff.

No, no, no. Don't do that.

The login credentials of your users shall only be known by them. Full
stop.

Letting other people know the password of the users makes auditing
unnecessarily hard.

Suppose you had a rogue employee, and you find out. You are suing him
for the amount of money he stole, while he sues you for improper
dismissal, claiming it is all made up since the business needed a scapegoat
in order to please the shareholders...
The company shows evidence that someone logged in with his account
performed a number of fraudulent transactions.
Who could log in as that account? The employee... and his bosses.


The problem you really want to solve is «The manager/CEO and assistant 
manager need to enable access to each account if needed»

How is every other company solving this very same problem?
You have a central authentication server (usually a Microsoft Active
Directory). Every time there is a need to log in to a host, it
verifies the credentials. This allows it to verify that passwords follow
the given policy about renewal, lock out bruteforcing attempts,
centrally log accesses, disable access for a user in just one place when
he leaves...

Now, let's suppose that Fred is away on vacation while there's a
pressing need to get a copy of the draft of a new policy stored on his
Desktop (while he was developing it), due to a new regulation requiring
you to implement it by the end of the week.

An administrator would then reset the password of this user to a new
one, allowing you to log in to his account, *with no knowledge of the
password he was using*. At the same time, this action would create the
proper audit trail showing who performed the password reset on the
account.


It's safer and much simpler.

Additionally, it's generally recommended that each user have only a
single login, rather than six or seven (!), which simplifies user
management.


Best regards
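The two mechanisms this reply relies on (a central server that checks credentials, locks out brute-force attempts and logs every access; and an administrator reset that grants access to an account without anyone learning the user's own password) as a small worked example. This is added code, not anything from the original post or the credit union's systems; the usernames, the five-attempt lockout threshold and the PBKDF2 parameters are constructed for illustration.

```python
"""Toy central authentication server (constructed example).

Stores only salted PBKDF2 digests, locks an account after repeated
failures, records every action in one audit log, and lets an
administrator reset a credential without ever seeing the old one.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False
    disabled: bool = False
    must_change: bool = False   # set after an administrator reset


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the server keeps this digest, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class AuthServer:
    LOCKOUT_THRESHOLD = 5   # constructed policy value

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[str, str, str]] = []   # (event, actor, subject)

    def _log(self, event: str, actor: str, subject: str) -> None:
        self.audit.append((event, actor, subject))

    def create_user(self, admin: str, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, hash_password(password, salt))
        self._log("create_user", admin, username)

    def authenticate(self, username: str, password: str) -> bool:
        """Central credential check: every outcome lands in the audit log."""
        acct = self.accounts.get(username)
        if acct is None or acct.disabled or acct.locked:
            self._log("login_refused", username, username)
            return False
        if hmac.compare_digest(acct.pw_hash, hash_password(password, acct.salt)):
            acct.failed_attempts = 0
            self._log("login_ok", username, username)
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= self.LOCKOUT_THRESHOLD:
            acct.locked = True
            self._log("lockout", username, username)
        else:
            self._log("login_failed", username, username)
        return False

    def admin_reset(self, admin: str, username: str) -> str:
        """Replace the user's credential with a fresh temporary password.

        The administrator never learns the old password (only a digest was
        stored), the lockout is cleared, and the reset is attributed to
        the administrator in the audit trail.
        """
        acct = self.accounts[username]
        temp_password = secrets.token_urlsafe(12)
        acct.salt = os.urandom(16)
        acct.pw_hash = hash_password(temp_password, acct.salt)
        acct.failed_attempts = 0
        acct.locked = False
        acct.must_change = True
        self._log("password_reset", admin, username)
        return temp_password

    def disable_user(self, admin: str, username: str) -> None:
        """Single place to cut off access when someone leaves."""
        self.accounts[username].disabled = True
        self._log("disable_user", admin, username)

    def resets_by(self, admin: str) -> list[str]:
        """Which accounts a given administrator has reset, from the audit log."""
        return [subj for ev, actor, subj in self.audit
                if ev == "password_reset" and actor == admin]


if __name__ == "__main__":
    srv = AuthServer()
    srv.create_user("alice_admin", "fred", "correct horse battery")
    print("fred logs in:", srv.authenticate("fred", "correct horse battery"))
    temp = srv.admin_reset("alice_admin", "fred")   # Fred is on vacation
    print("temporary password works:", srv.authenticate("fred", temp))
    print("audit trail:", srv.audit)
```

The point the reply makes shows up in the audit tuples: a login by "fred" is attributed to "fred", while a reset is attributed to "alice_admin", so the question "who could have used this account?" has a recorded answer instead of a list of everyone who was handed the password.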
