[144273] in cryptography@c2.net mail archive
RE: Solving password problems one at a time, Re: The password-reset paradox
daemon@ATHENA.MIT.EDU (Dave Kleiman)
Mon Feb 23 15:34:56 2009
From: "Dave Kleiman" <dave@davekleiman.com>
To: <cryptography@metzdowd.com>
In-Reply-To: <49A0570C.7070102@nma.com>
Date: Mon, 23 Feb 2009 13:41:45 -0500
>> On February 21, 2009 14:34, Ed Gerck wrote:
>> In a business, one must write down the passwords and one must have a
>> duplicate copy of it, with further backup, where management can access
>> it. This is SOP.
>>
>> This is done not just in case the proverbial truck hits the employee, or
>> fire strikes the building, or for the disgruntled cases, but because
>> people do forget and a company cannot be at the same time responsible to
>> the shareholders for its daily operations and not be responsible for the
>> passwords that pretty much define how those daily operations are run.
The idea that people should not write their passwords is thus silly from
the security viewpoint of assuring availability and also for another
reason. Users cannot be trusted to follow instructions. So, if one's
security depends on their users following instructions, then something
is wrong from the start.
Most organizations I interact with have an SOP that nobody should ever
know another's password. The only passwords that are safely stored are
those for encryption or the top-level admin. You take on a degree of
legal responsibility if you have the ability to log on as another user.
Since the admin can easily change a user's password, what would be the
necessity for this risk? All password changes should be audited.
Respectfully,
Dave Kleiman - http://www.ComputerForensicExaminer.com
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com