
xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

#108979 10-Sep-2012 15:21
Send private message

Something has come up at work and I thought I'd run a public poll to see what others' thoughts are on it... basically, if you're a systems admin etc., do you know what your users' passwords are?

Poll is here: http://www.xpd.co.nz/?p=156

But happy for a full-blown discussion etc. to start here.......

Personally, I feel that sysadmins should not know/have a record of users' passwords - put some responsibility on the user.

Some people have said "But I'm the sysadmin, I should know".... why? You've said it yourself, you're the sysadmin, you have the power to change the password at any time.






Gavin / xpd / FastRaccoon / Geek of Coastguard New Zealand

LinkTree


magu
Professional yak shaver
1599 posts

Uber Geek

Trusted
BitSignal
Lifetime subscriber

  #683908 10-Sep-2012 15:24
Send private message

Users' passwords should never be stored in plain text, so no.

I do, however, keep a record of system passwords, like machine passwords and whatnot where I may be required to log in for maintenance.




"Roads? Where we're going, we don't need roads." - Doc Emmet Brown



mattwnz
20141 posts

Uber Geek


  #683909 10-Sep-2012 15:24
Send private message

xpd: Something has come up at work and I thought I'd run a public poll to see what others' thoughts are on it... basically, if you're a systems admin etc., do you know what your users' passwords are?

Poll is here: http://www.xpd.co.nz/?p=156

But happy for a full-blown discussion etc. to start here.......

Personally, I feel that sysadmins should not know/have a record of users' passwords - put some responsibility on the user.

Some people have said "But I'm the sysadmin, I should know".... why? You've said it yourself, you're the sysadmin, you have the power to change the password at any time.




If your users have the ability to manage and change their passwords, then you shouldn't know them. If they don't have the ability, then I presume you have some secured database that is storing them locally.

kyhwana2
2566 posts

Uber Geek


  #683910 10-Sep-2012 15:25
Send private message

No. Passwords should be hashed with a decent one-way hash before they're stored. (Use bcrypt.)

If you know your users' passwords then they can be leaked/copied/etc. Or social engineered out of people: "Oh, I'm the sysadmin here, what's your password again?"

Being able to see/knowing users' passwords is a massive security vulnerability.



almaznz
89 posts

Master Geek


  #683919 10-Sep-2012 15:32
Send private message

Being a sysadmin, sometimes users think I can log in as them without needing to reset or even have their password. In events where the user has an issue but is not available for any reason, I would reset the password and let them know that this has been changed; I then also apply the "user must reset password" flag. Otherwise I will get the user to enter the password to allow me in.

gjm
808 posts

Ultimate Geek


  #683938 10-Sep-2012 15:54
Send private message

I know some of them off the top of my head but don't maintain any type of list, and we force people to change their passwords periodically. I don't have a problem with me knowing them as I can reset/change them anyway.

Out of interest, are you able to expand on the details of the situation at your work?




Do surveys for Beer money (referral link) - Octopus Group 

 

Link for buying beer (not affiliated, just like beer) - Good George


tatbaird
142 posts

Master Geek


  #683949 10-Sep-2012 16:04
Send private message

There are tons of reasons to log in with the user's account that I come across every day, either at their local machine, via RDP or on a test PC. I found that resetting their password every time was a real pain for both me and them. I have quite a few passwords memorized (easy, as they are invariably dates, weatherconditions321 or name123 or something similar). Not a good situation, however.

stevenz
2802 posts

Uber Geek


  #683953 10-Sep-2012 16:06
Send private message

All our passwords are in ADUC, the only ones we know are those that we're told when doing reimages etc. We've got nigh total access remotely to their filesystems, registry and computer management, but can't do anything that actually requires a login (primarily email).

We enforce password changes every 3 months.

On an unmanaged network, the admin still shouldn't need to know the user's password as long as there is a "back door" admin login available to reset it if/when they forget and get locked out.




freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #683961 10-Sep-2012 16:23
Send private message

Hell, no.




Please support Geekzone by subscribing, or using one of our referral links: Samsung | AliExpress | Wise | Sharesies | Hatch | GoodSyncBackblaze backup


coffeebaron
6231 posts

Uber Geek

Trusted
Lifetime subscriber

  #683964 10-Sep-2012 16:25
Send private message

I know most of my users' passwords, but I leave the choice up to them. Obviously this is just their Windows passwords etc. I don't have this mass list of banking passwords to sell to the highest bidder :)




Rural IT and Broadband support.

 

Broadband troubleshooting and master filter installs.
Starlink installer - one month free: https://www.starlink.com/?referral=RC-32845-88860-71 
Wi-Fi and networking
Cel-Fi supply and installer - boost your mobile phone coverage legally

 

Need help in Auckland, Waikato or BoP? Click my email button, or email me direct: [my user name] at geekzonemail dot com


Behodar
10501 posts

Uber Geek

Trusted
Lifetime subscriber

  #683967 10-Sep-2012 16:28
Send private message

I'd imagine that variations on "password" will work for several users here, but other than that I don't know their passwords. I did see "Wednesday$" written on one staff member's whiteboard; I *can't imagine* what that word could be used for!

gjm
808 posts

Ultimate Geek


  #683976 10-Sep-2012 16:31
Send private message

freitasm: Hell, no.


I lol'd. I'm guessing we are salted and hashed as well?






freitasm
BDFL - Memuneh
79250 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #683986 10-Sep-2012 16:40
Send private message

gjm:
freitasm: Hell, no.


I lol'd. I'm guessing we are salted and hashed as well?


I have no idea what your passwords are here on Geekzone. If you try the "Reset password" button you actually get a link so that you can reset your password.

The reason for this is mainly because people are dumb and use the same password on multiple sites, so if anyone downloads our database then at least it might not have a big impact, like LinkedIn storing plain text passwords.

We have links that allow you to log out from all your sessions in a single click, and offer an option to log out your session if your IP address changes. Not many people use those options at all!

I have toyed with the option of adding OTP via Google Authenticator to Geekzone, but some people said "it's just a forum, who cares?"...

Well, actually, if someone hijacks a session, they can see the email address and perhaps send an email to that address with a fake account reset link requesting the password - classic phishing. And then they might try the same password to log in to the email provider, bank, ISP and so on.

Seriously, people don't think enough about passwords.

Sysadmins should not have their users' passwords either, because it will be very easy to fall for a social engineering scam and give up the password, or reset it.

Hell, I was approached by a "friend" on Facebook with the old "I need to borrow money to return to New Zealand" scam. The person obviously knew all about my friend because they had full access to the Facebook account with family details, workplace information, etc. They could easily have called a network admin or help desk and got some password reset done.

I have about 800 passwords and other records stored in an electronic wallet program, and use LastPass with OTP by Google Authenticator to store the most used ones.

People think too little about security.




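The two technical points made in this thread - kyhwana2's "hash with a slow one-way function, never store the plaintext" and freitasm's "reset by emailed link, because the site itself cannot look the password up" - combined into one worked example. This is illustrative code added for this thread, not Geekzone's code and not from any poster. It assumes the bcrypt library is not installed and substitutes the standard library's PBKDF2-HMAC-SHA256 (same idea: per-user random salt and a deliberately slow derivation); the UserStore class, its method names, the iteration count, the 15-minute token lifetime and the sample credentials are all constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the illustration (not a recommendation for any specific deployment).
PBKDF2_ITERATIONS = 200_000
RESET_TOKEN_TTL_SECONDS = 15 * 60


def hash_password(password, salt=None):
    """Return a self-describing string: algorithm$iterations$salt$digest.

    PBKDF2-HMAC-SHA256 stands in for the bcrypt recommended in the thread. A fresh
    random salt per user means identical passwords get different records, and the
    high iteration count makes offline guessing against a leaked database slow.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-derive with the stored salt and iteration count and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Hypothetical account store: holds password hashes only, so nobody can 'look up' a password."""

    def __init__(self):
        self.users = {}         # username -> hash string (never the plaintext)
        self.reset_tokens = {}  # sha256(token) -> (username, expiry timestamp)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        stored = self.users.get(username)
        return stored is not None and verify_password(password, stored)

    def issue_reset_token(self, username, now=None):
        """Return the one-time token to put in the reset email; only its hash is kept server-side.

        The caller should show the same "if that account exists, we emailed it" message
        whether or not this returns None, so the flow does not reveal valid usernames.
        """
        if username not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        expiry = (now if now is not None else time.time()) + RESET_TOKEN_TTL_SECONDS
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = (username, expiry)
        return token

    def redeem_reset_token(self, token, new_password, now=None):
        """Accept a token exactly once, before expiry, and replace the user's hash."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.pop(key, None)  # pop: a token can never be replayed
        if entry is None:
            return False
        username, expiry = entry
        if (now if now is not None else time.time()) > expiry:
            return False
        self.users[username] = hash_password(new_password)
        return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice", "example-passphrase-1")  # constructed sample credential
    print("stored record:", store.users["alice"])     # no plaintext in the record
    print("correct password accepted:", store.login("alice", "example-passphrase-1"))
    print("wrong password rejected:", not store.login("alice", "example-passphrase-2"))
    token = store.issue_reset_token("alice")
    print("reset via emailed token:", store.redeem_reset_token(token, "example-passphrase-3"))
    print("token replay rejected:", not store.redeem_reset_token(token, "example-passphrase-4"))
```

The point of the self-describing hash string is that the iteration count can be raised later and old records still verify, which is also how a site would migrate to bcrypt or another algorithm one login at a time. The reset flow stores only the hash of the token, so a read of the database does not yield usable reset links any more than it yields passwords.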


kyhwana2
2566 posts

Uber Geek


  #684005 10-Sep-2012 17:29
Send private message

coffeebaron: I know most of my users' passwords, but I leave the choice up to them. Obviously this is just their Windows passwords etc. I don't have this mass list of banking passwords to sell to the highest bidder :)


I bet you do now!


xpd

Geek @ Coastguard NZ
13765 posts

Uber Geek

Retired Mod
ID Verified
Trusted
Lifetime subscriber

  #684213 11-Sep-2012 08:31
Send private message

gjm:

Out of interest, are you able to expand on the details of the situation at your work?


Just an "internal" debate more than anything.... some people think we should know passwords and have them stored somewhere, and others (me) think we shouldn't keep a record.

If we really need to get into someone's account etc., we can just reset it and let the user know...






oxnsox
1923 posts

Uber Geek


  #684217 11-Sep-2012 08:54
Send private message

freitasm: Hell no.
I have no idea what your passwords are....
The reason for this is mainly because people are dumb and use the same password in multiple sites....

....some people said "it's just a forum, who cares?"...

Well, actually, if someone hijacks a session, they can see the email address and perhaps send an email to that address with a fake account reset link requesting the password - classic phishing.
And then they might try the same password to log in to the email provider, bank, ISP and so on.

Seriously, people don't think enough about passwords.

Sysadmins should not have their users' passwords either, because it will be very easy to fall for a social engineering scam and give up the password, or reset it.


People think too little about security.


+1





