[unisog] End User Passwords and Technical Support Issues

pukanecz at exchange.vt.edu
Tue Jan 15 13:55:21 GMT 2002


> 
> Our University's Computing Acceptable Use Policies state that computer
> accounts, passwords and other authorization codes should not be shared with
> others.  Do other universities have similar statements in their Information
> Systems Acceptable Use Policies?
> 

Most AUPs I've seen have something along those lines.  It's a good idea.  I
always tell my users:

Passwords are like Kleenex.  If you ever share one with a friend you never
want to use it again!

> Our administrative network is locked down using Windows NT.  The technical
> staff states that they must have the end user's password in order to
> troubleshoot, diagnose and/or set up new machines.  How do you manage the
> technical staff's need without violating the acceptable use policy of
> "sharing passwords"?
> 

Totally unnecessary and potentially dangerous.  Unnecessary because the
technical staff can be delegated the appropriate authority using NT group
membership, NT user rights, etc.  Dangerous because it opens the mindset in
your user community that sharing passwords is OK, especially if it is with
the technical staff.  This leaves them wide open to masquerading-type social
engineering attacks.  E.g., a hacker from Brazil calls the Dean's secretary
and says he's with the IT department and needs her password.  She tells him
and is now open to all sorts of hi-tech abuse.

Or if a clear-text database of IDs and passwords is maintained, that is a
different set of issues.  Who has access?  How is access restricted?  How is
the database maintained?  How is it audited?  What if something happens on a
user machine?  How can they be sure it was legitimate administrative access?
How is that audited?  What if the database gets compromised?  Will all users
have to change their passwords?  What are the legal implications for the IT
staff?

I never want to know my users' passwords.  I think this is a case of the IT
staff saying they "need" something when what they mean is it would be
"convenient" to have it.

_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT_VT

Todd Pukanecz  MCSE, GCWN
Virginia Tech, AHNR IT
Blacksburg, Virginia
---
The object and practice of liberty lies in 
the limitation of governmental power. 
- Douglas MacArthur


> Thanks in advance for any suggestions you can provide.
> 
> Margaret Lampton
> Associate Director 
> University Computing and Telecommunications
> University of Houston-Clear Lake
> 2700 Bay Area Blvd.
> Houston, TX  77058
> 
> 281-283-2954
> lampton at cl.uh.edu
> 


