On the Topic of Passwords

newer
Maintenance tools in Windows PE...

older
Extremely frustrated! error 500...

vic.pereira＠ssc-spc.gc.ca

3 Aug 2016 3 Aug '16

1:22 p.m.

Many departments we support have several systems. These all require their own passwords that expire at different times. They also have different requirements for complexity. For some reason the people who develop policies around these issues feel that it is more secure keeping everything isolated than it is to have the tools in place to synchronise all the login accounts and passwords. The tech guys who are our boots on the ground keep saying that these behaviours have made their jobs a lot easier. When they need to troubleshoot and resolve issues often the person putting in the request is not at their workstation. Because of all the systems being stand alone, it is amazing how often it is possible to find user accounts and passwords on posted notes under people's keyboards. Vic Pereira Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046 Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046

Show replies by date

Katherine Moss

3 Aug 3 Aug

1:45 p.m.

In regards to the postit notes thing ... drives me nuts. I love password managers. I'd love to do ethical hacking courses too, but then the temptation would be too great to mess with my techie friends. The issue then becomes, when does a harmless prank turn into a legal battle? -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of vic.pereira@ssc-spc.gc.ca Sent: Wednesday, August 03, 2016 9:22 AM To: jheim@math.wisc.edu; blind-sysadmins@lists.hodgsonfamily.org Subject: [Blind-sysadmins] On the Topic of Passwords Many departments we support have several systems. These all require their own passwords that expire at different times. They also have different requirements for complexity. For some reason the people who develop policies around these issues feel that it is more secure keeping everything isolated than it is to have the tools in place to synchronise all the login accounts and passwords. The tech guys who are our boots on the ground keep saying that these behaviours have made their jobs a lot easier. When they need to troubleshoot and resolve issues often the person putting in the request is not at their workstation. Because of all the systems being stand alone, it is amazing how often it is possible to find user accounts and passwords on posted notes under people's keyboards. Vic Pereira Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046 Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046 _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Katherine Moss

1:45 p.m.

John G Heim

2:48 p.m.

But as a systems admin, you're running into way more sensitive issues than ethical hacking. For instance, a typical email administrator has way more temptations to deal with than you'd get from knowing how to hack into someone's machine. As the systems admin for the file server and the database server in my department, there is nothing I can't get to. I would never poke around in that stuff though. If I did that, I couldn't look at myself in the mirror every morning. Well, I can't do that anyway but I'd be like, "If I could see you, I'd be ashamed." On 08/03/2016 08:45 AM, Katherine Moss wrote:

...

-- -- John G. Heim; jheim@math.wisc.edu; sip://jheim@sip.linphone.org

Katherine Moss

6:41 p.m.

Support of a password manager would solve all of that, ideally anyway. The problem is that there are so many out there, and then in some cases, legal issues come into play as well. -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim Sent: Wednesday, August 03, 2016 10:48 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords But as a systems admin, you're running into way more sensitive issues than ethical hacking. For instance, a typical email administrator has way more temptations to deal with than you'd get from knowing how to hack into someone's machine. As the systems admin for the file server and the database server in my department, there is nothing I can't get to. I would never poke around in that stuff though. If I did that, I couldn't look at myself in the mirror every morning. Well, I can't do that anyway but I'd be like, "If I could see you, I'd be ashamed." On 08/03/2016 08:45 AM, Katherine Moss wrote:

...

Katherine Moss

6:41 p.m.

...

Billy Irwin

4 Aug 4 Aug

1:46 p.m.

Hi Guys, What would be a good accessible password manager? Thanks, Billy -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim Sent: Wednesday, August 3, 2016 10:48 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords But as a systems admin, you're running into way more sensitive issues than ethical hacking. For instance, a typical email administrator has way more temptations to deal with than you'd get from knowing how to hack into someone's machine. As the systems admin for the file server and the database server in my department, there is nothing I can't get to. I would never poke around in that stuff though. If I did that, I couldn't look at myself in the mirror every morning. Well, I can't do that anyway but I'd be like, "If I could see you, I'd be ashamed." On 08/03/2016 08:45 AM, Katherine Moss wrote:

...

Billy Irwin

1:46 p.m.

...

vic.pereira＠ssc-spc.gc.ca

2:01 p.m.

If you don't mind putting all of your eggs into one basket Microsoft's Active Directory is useable. But this ties you to all of their networks and systems. Our challenge is that we have a plethora of systems ranging from Microsoft to Oracle to Lotus Notes to Netware and the list goes on. Vic Pereira Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046 Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046 -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Thursday, August 04, 2016 08:46 To: jheim@math.wisc.edu; Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords Hi Guys, What would be a good accessible password manager? Thanks, Billy -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim Sent: Wednesday, August 3, 2016 10:48 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords But as a systems admin, you're running into way more sensitive issues than ethical hacking. For instance, a typical email administrator has way more temptations to deal with than you'd get from knowing how to hack into someone's machine. As the systems admin for the file server and the database server in my department, there is nothing I can't get to. I would never poke around in that stuff though. If I did that, I couldn't look at myself in the mirror every morning. Well, I can't do that anyway but I'd be like, "If I could see you, I'd be ashamed." On 08/03/2016 08:45 AM, Katherine Moss wrote:

...

-- -- John G. Heim; jheim@math.wisc.edu; sip://jheim@sip.linphone.org _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Billy Irwin

2:05 p.m.

Hi Vick, I am running an AD here but I agree with you. My web hosting business is all CentOS. I have many dedicated and virtual enviroments to maintain credentials for. I've not found one out there that does what I want as it regards sharing the access to these credentials. Thanks, Billy -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of vic.pereira@ssc-spc.gc.ca Sent: Thursday, August 4, 2016 10:02 AM To: blind-sysadmins@lists.hodgsonfamily.org Subject: Re: [Blind-sysadmins] On the Topic of Passwords If you don't mind putting all of your eggs into one basket Microsoft's Active Directory is useable. But this ties you to all of their networks and systems. Our challenge is that we have a plethora of systems ranging from Microsoft to Oracle to Lotus Notes to Netware and the list goes on. Vic Pereira Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046 Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046 -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Billy Irwin Sent: Thursday, August 04, 2016 08:46 To: jheim@math.wisc.edu; Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords Hi Guys, What would be a good accessible password manager? Thanks, Billy -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim Sent: Wednesday, August 3, 2016 10:48 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords But as a systems admin, you're running into way more sensitive issues than ethical hacking. For instance, a typical email administrator has way more temptations to deal with than you'd get from knowing how to hack into someone's machine. As the systems admin for the file server and the database server in my department, there is nothing I can't get to. I would never poke around in that stuff though. If I did that, I couldn't look at myself in the mirror every morning. Well, I can't do that anyway but I'd be like, "If I could see you, I'd be ashamed." On 08/03/2016 08:45 AM, Katherine Moss wrote:

...

Kelly Prescott

5 Aug 5 Aug

2:12 p.m.

I use YubiKeys and a encrypted storage space for all my credentials. I have to have a hardware token, and remember one long master phraise and then I can get into any of my other information. Yes this took me years to perfect, but it works well and I am not tied to one system. for example, I use public keys for ssh, certificates for vpn(s) and 2-factor authentication for most Microsoft systems I use. I use random password generators to gen long passwords, and as they are stored in my encrypted storage, I do not have to deal with some one elses cloud-based manager which might be compromised. I have several different keys and I have backups securely stored incase of disaster with my primary hardware tokens or credentials. kp On Thu, 4 Aug 2016, Billy Irwin wrote:

...

Darragh Ó Héiligh

3:04 p.m.

I have a few questions: 1. What hardware key are you using? 2. What do you use to administer that hardware key? 3. Is this a USB key or some kind of fob with a display? 4. Does the key expire after a determined amount of time? 5. How much has it cost you to implement this solution? 6. How much resources does it take? -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Kelly Prescott Sent: Friday 5 August 2016 15:13 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords I use YubiKeys and a encrypted storage space for all my credentials. I have to have a hardware token, and remember one long master phraise and then I can get into any of my other information. Yes this took me years to perfect, but it works well and I am not tied to one system. for example, I use public keys for ssh, certificates for vpn(s) and 2-factor authentication for most Microsoft systems I use. I use random password generators to gen long passwords, and as they are stored in my encrypted storage, I do not have to deal with some one elses cloud-based manager which might be compromised. I have several different keys and I have backups securely stored incase of disaster with my primary hardware tokens or credentials. kp On Thu, 4 Aug 2016, Billy Irwin wrote:

...

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Billy Irwin

3:33 p.m.

Darragh, Very good questions. I myself am looking for something I can share these passwords with over the network. One of the places I worked used Remote Desktop Manager which is a 3rd party software not related to RDP. It was designed for any system. Sadly the newer version aren't accessible anymore. Thanks, Billy -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Darragh Ó Héiligh Sent: Friday, August 5, 2016 11:05 AM To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords I have a few questions: 1. What hardware key are you using? 2. What do you use to administer that hardware key? 3. Is this a USB key or some kind of fob with a display? 4. Does the key expire after a determined amount of time? 5. How much has it cost you to implement this solution? 6. How much resources does it take? -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of Kelly Prescott Sent: Friday 5 August 2016 15:13 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords I use YubiKeys and a encrypted storage space for all my credentials. I have to have a hardware token, and remember one long master phraise and then I can get into any of my other information. Yes this took me years to perfect, but it works well and I am not tied to one system. for example, I use public keys for ssh, certificates for vpn(s) and 2-factor authentication for most Microsoft systems I use. I use random password generators to gen long passwords, and as they are stored in my encrypted storage, I do not have to deal with some one elses cloud-based manager which might be compromised. I have several different keys and I have backups securely stored incase of disaster with my primary hardware tokens or credentials. kp On Thu, 4 Aug 2016, Billy Irwin wrote:

...

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins _______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Billy Irwin

3:33 p.m.

...

Darragh Ó Héiligh

3:04 p.m.

...

_______________________________________________ Blind-sysadmins mailing list Blind-sysadmins@lists.hodgsonfamily.org https://lists.hodgsonfamily.org/listinfo/blind-sysadmins

Billy Irwin

4 Aug 4 Aug

2:05 p.m.

...

John G Heim

3 Aug 3 Aug

2:31 p.m.

Things might be different in Windows but, IMO, something is wrong if you even need a user's password. I haven't been able to get this policy in place in my department but if I was the boss, I'd make it against the rules for even an IT staffer to ask for a user's password. I would say an IT person could ask a user for their password but if the user gave it, the IT staffer should say, "HA! That was a trick question! You weren't supposed to give it to me." IMO, if an IT person has to act as an end user, he should use root privileges to change the end-user's password temporarily. The end-user can change it back afterword. The reason is that the first thing the police ask after a murder is committed in a locked room is, "How many people have a key to this room?" If an account is used for a crime, and even using someone else's account without their permission is a crime, the first thing you are going to be asked is how many people have that password. I can honestly say I know nobody's password but my own. So I don't think an IT person should be digging around on someone's desk for their password. Unless they are doing it so they can tear up those postit notes, burn the pieces, and scatter the ashes. On 08/03/2016 08:22 AM, vic.pereira@ssc-spc.gc.ca wrote:

...

-- -- John G. Heim; jheim@math.wisc.edu; sip://jheim@sip.linphone.org

vic.pereira＠ssc-spc.gc.ca

2:37 p.m.

Rules and policies are in place. Most organisations have a clean desk policy; if they don't, then you are correct they do need to put one in place. Everyone knows that we are not to write down any passwords and the such. Yet many IT shops in larger organisations work in isolation creating environments that are so complex people are not able to keep everything straight in their heads. For example one department I worked for some time back didn't have a single solution for human resource management, inventory, accounting, purchasing as well as a plethora of in house specific applications. HQ had groups working on each component. When these applications are deployed out in the field, it is up to the on-site IT teams to get them all working together. Often front line staff had to run several, if not all, of those applications. This may not be right, but it is what it is. Vic Pereira Project Manager, Networks and End-Users Branch Shared Services Canada / Government of Canada vic.pereira@ssc-spc.gc.ca / Tel: 204-781-5046 Gestionnaire de projet, Direction des réseaux et des utilisateurs finaux Services partagés Canada / Gouvernement du Canada vic.pereira@ssc-spc.gc.ca / Tél: 204-781-5046 -----Original Message----- From: Blind-sysadmins [mailto:blind-sysadmins-bounces@lists.hodgsonfamily.org] On Behalf Of John G Heim Sent: Wednesday, August 03, 2016 09:31 To: Blind sysadmins list Subject: Re: [Blind-sysadmins] On the Topic of Passwords Things might be different in Windows but, IMO, something is wrong if you even need a user's password. I haven't been able to get this policy in place in my department but if I was the boss, I'd make it against the rules for even an IT staffer to ask for a user's password. I would say an IT person could ask a user for their password but if the user gave it, the IT staffer should say, "HA! That was a trick question! You weren't supposed to give it to me." IMO, if an IT person has to act as an end user, he should use root privileges to change the end-user's password temporarily. The end-user can change it back afterword. The reason is that the first thing the police ask after a murder is committed in a locked room is, "How many people have a key to this room?" If an account is used for a crime, and even using someone else's account without their permission is a crime, the first thing you are going to be asked is how many people have that password. I can honestly say I know nobody's password but my own. So I don't think an IT person should be digging around on someone's desk for their password. Unless they are doing it so they can tear up those postit notes, burn the pieces, and scatter the ashes. On 08/03/2016 08:22 AM, vic.pereira@ssc-spc.gc.ca wrote:

...

2967

Age (days ago)

2969

Last active (days ago)

List overview

Download

17 comments

6 participants

participants (6)

Billy Irwin
Darragh Ó Héiligh
John G Heim
Katherine Moss
Kelly Prescott
vic.pereira＠ssc-spc.gc.ca

On the Topic of Passwords

tags

participants (6)