Rules and policies are in place. Most organisations have a clean desk policy; if they don't, then you are correct, they do need to put one in place. Everyone knows that we are not to write down passwords and the like. Yet many IT shops in larger organisations work in isolation, creating environments so complex that people are not able to keep everything straight in their heads. For example, one department I worked for some time back didn't have a single solution for human resource management, inventory, accounting and purchasing, as well as a plethora of in-house specific applications. HQ had groups working on each component. When these applications are deployed out in the field, it is up to the on-site IT teams to get them all working together. Often front-line staff had to run several, if not all, of those applications. This may not be right, but it is what it is.

Vic Pereira
Project Manager, Networks and End-Users Branch
Shared Services Canada / Government of Canada
vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046

Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux
Services partagés Canada / Gouvernement du Canada
vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046

-----Original Message-----
From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim
Sent: Wednesday, August 03, 2016 09:31
To: Blind sysadmins list
Subject: Re: [Blind-sysadmins] On the Topic of Passwords

Things might be different in Windows but, IMO, something is wrong if you even need a user's password. I haven't been able to get this policy in place in my department, but if I was the boss, I'd make it against the rules for even an IT staffer to ask for a user's password. I would say an IT person could ask a user for their password, but if the user gave it, the IT staffer should say, "HA! That was a trick question! You weren't supposed to give it to me."
IMO, if an IT person has to act as an end user, he should use root privileges to change the end user's password temporarily. The end user can change it back afterward. The reason is that the first thing the police ask after a murder is committed in a locked room is, "How many people have a key to this room?" If an account is used for a crime, and even using someone else's account without their permission is a crime, the first thing you are going to be asked is how many people have that password. I can honestly say I know nobody's password but my own. So I don't think an IT person should be digging around on someone's desk for their password. Unless they are doing it so they can tear up those Post-it notes, burn the pieces, and scatter the ashes.

On 08/03/2016 08:22 AM, vic.pereira@ssc-spc.gc.ca wrote:
Many departments we support have several systems. These all require their own passwords that expire at different times. They also have different requirements for complexity.
For some reason the people who develop policies around these issues feel that it is more secure keeping everything isolated than it is to have the tools in place to synchronise all the login accounts and passwords.
The tech guys who are our boots on the ground keep saying that these behaviours have made their jobs a lot easier. When they need to troubleshoot and resolve issues, often the person putting in the request is not at their workstation. Because all of the systems are stand-alone, it is amazing how often it is possible to find user accounts and passwords on Post-it notes under people's keyboards.
Vic Pereira
Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046
Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046
--
John G. Heim; jheim@math.wisc.edu; sip://jheim@sip.linphone.org

_______________________________________________
Blind-sysadmins mailing list
Blind-sysadmins@lists.hodgsonfamily.org
https://lists.hodgsonfamily.org/listinfo/blind-sysadmins
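The reset-instead-of-ask approach John Heim describes above, as an added example that is not part of this thread: a POSIX shell script an admin runs through sudo to set a random temporary password on the user's Linux account, mark it expired so the user has to pick a new one at next login (rather than being told to "change it back"), and record in the auth log who reset whose password, which is exactly the "how many people had the key" question. The script name, the `support-reset` syslog tag and the 16-character length are my choices; the script assumes the standard Linux shadow-utils `chpasswd` and `chage`, util-linux `logger`, and a `head` that accepts `-c`.

```shell
#!/bin/sh
# reset-for-support.sh (added example, not from the thread)
# Usage: sudo sh reset-for-support.sh <username>
# Assumes Linux shadow-utils (chpasswd, chage), util-linux logger,
# and a head(1) that accepts -c.
set -eu

# Random 16-character temporary password from a conservative alphabet
# (letters, digits, '_' and '-') so it passes any site complexity filter
# and can be read out over the phone without ambiguity.
gen_temp_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 16
    echo
}

# Reset the account with root privileges instead of asking for the password:
#   1. set a temporary password nobody has to remember;
#   2. expire it immediately (chage -d 0) so the user must choose a new one
#      at next login, so the admin never holds a working credential;
#   3. log who reset whose password, so the "how many people had the key"
#      question has an answer in the auth log.
reset_user_password() {
    user=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "reset_user_password: run via sudo" >&2
        return 1
    fi
    id "$user" > /dev/null                        # fails if the account does not exist
    tmp=$(gen_temp_password)
    printf '%s:%s\n' "$user" "$tmp" | chpasswd    # set the temporary password
    chage -d 0 "$user"                            # force a change at next login
    logger -t support-reset -p auth.notice \
        "password of $user reset by ${SUDO_USER:-$(id -un)} for a support session"
    printf 'Temporary password for %s (must be changed at next login): %s\n' "$user" "$tmp"
}

# Only act when invoked with a username; sourcing the file just defines the functions.
[ $# -eq 0 ] || reset_user_password "$1"
```

Run it as `sudo sh reset-for-support.sh alice`; the admin gets a one-time password to pass on, the user's own secret is never seen, and `journalctl -t support-reset` (or the auth log) shows who did the reset and when.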