13

I'd like to know the pros and cons, the reasons for and against, of sysadmins maintaining user account lists with passwords, and additionally not allowing those users to change their passwords.

I understand that systems like Windows seem to encourage the idea that users should maintain their own password security and be allowed to change their password at will. I can appreciate the need for privacy and users having alibis to protect themselves in the event that a colleague's word disagrees with the system's logs. But at the same time I can also see how some people might justify having users' passwords on file in the event that access is required to some of the materials that users may want to keep private.

I'd really love to be educated on this idea.

cottsak
  • 505
  • 6
  • 20
  • for the record: I'd like to quote pgs below and say that "everything inside me also says NO". I agree with virtually all points raised here and sincerely appreciate the comments. This is exactly the reinforcement I was after. – cottsak Jun 07 '09 at 04:39

17 Answers

30

A sysadmin should be able to access any files a user has, unless they're encrypted, in which case the user's Windows password won't help. Having the system know the passwords means that you can never know whether a user did something or a sysadmin did, which could cause a lot of problems if you ever get into a dispute. The passwords would have to be stored somewhere, which means there's the potential for them to be lost. Finally, users will find it harder to remember a password they didn't create.

The pros are that there's no need to reset passwords, but you'll have to remind users of them. It also makes it easier to log in to users' accounts, but outside of testing or diagnosing a problem this isn't needed, and you can get the passwords on a case-by-case basis then.

There really isn't any reason to do this; it creates a lot of problems for no real gain.

Dentrasi
  • 3,672
  • 23
  • 19
  • +1 pretty much the same answer as mine. – David Pashley Jun 06 '09 at 18:17
  • 12
    It is very bad practice to be asking users for their password. If a sysadmin requires access to their account for some reason then they should reset the user's password. You should be training your users NEVER to give out their password and encouraging this by NEVER asking for their password. -1 until "and you can get the passwords on a case by case basis then." is removed. – pipTheGeek Jun 06 '09 at 19:10
  • 8
    The security term is nonrepudiation. Nonrepudiation is where a person cannot deny he/she did something. When the sysadmin has the password, you lose nonrepudiation. That's a terrible position to be in because it eliminates a lot of the legal avenues in case you do have a user cause damage. ("But I didn't do it. And I'm not the only one with my password!") – K. Brian Kelley Jun 07 '09 at 05:10
  • @K. Brian Kelley: that's fantastic.. you could see I was struggling to find a word like that. cheers – cottsak Jun 07 '09 at 06:15
  • In most systems, the sysadmin can just break into the account, password or not. In a Unix, it's just "su - user". I'm sure there's a Windows equivalent. – Bill Weiss Jun 07 '09 at 06:17
  • Yeah, the windows equivalent would be OphCrack, physical access to the machine, and about 10min. ;-) – KPWINC Jun 07 '09 at 06:22
  • +1 for actually listing pros, tentative though they may be, in accordance to the question asked. Going against every instinct that screams "NO, DON'T DO THAT", just to answer a question, that takes guts. – goldPseudo Jun 07 '09 at 20:55
  • The methods of impersonating a user in the system can be logged, and system logging can send log data to another machine which requires a different sysadmin's access. If you need to be very legalistic or you don't trust all your admins, you can set up distributed activity logging to watch them. – Mnebuerquo Feb 10 '10 at 20:15
  • Much as I prefer Unix, stock, this is one place Windows has an edge: no su without the user's password, no way to read a file you don't have permission to read without taking ownership of it (and you cannot give it back). Now, you probably can write code to get around that, and you can always restore from backups (but of course, you can keep the tapes and account away from the normal admin users), but it is quite a bit more work to avoid detection in Windows. – Ronald Pottol Jul 14 '10 at 18:54
  • @Ronald Pottol I can see your advantages with the ownership thing but I really don't prefer it, hey. The idea that you need to "take ownership" first seems like a wasted step to me. I'd probably assert that there isn't a real need for accountability on the admin's part as they should have full trust from the organisation. This step to me seems to just get in the way. I think I prefer the Unix approach. – cottsak Nov 01 '10 at 08:12
  • You are clearly not off your meds. I'm a Unix guy, but I keep my eyes open, you can learn things everywhere, even from Windows. Think about financials for a large corp, for instance, like payroll data, how do you keep the admin from reading all the data? – Ronald Pottol Nov 03 '10 at 00:17
  • And if you do want to get paranoid, read Reflections on Trusting Trust. Everyone should. Good luck sleeping after! Classic computer security paper, short, simple, nightmare. – Ronald Pottol Nov 03 '10 at 00:20
24

There is no justification. A sysadmin can change the password if needed but they should not know or store it.

There are only cons.

What about my private information that I expect HR to keep private?

Finding out where I live because I took their parking space... posting my salary on the internet... passing on information to an ex... porn emailed to management with my name attached...

I'd be surprised if a company has such a policy written down.

gbn
  • 6,009
  • 1
  • 17
  • 21
  • 1
    I completely agree, and you make an excellent point illustrating the HR aspect of it. – Greg Meehan Jun 06 '09 at 18:25
  • A sysadmin would probably have access to most of this, and if not, it would be trivial for them to gain it through the use of keyloggers, software or hardware. – Dentrasi Jun 06 '09 at 18:41
  • 11
    If you can't trust your sysadmin you've got bigger problems. – David Pashley Jun 06 '09 at 18:59
  • @David, that's very true. As sysadmins, we should be very aware of the importance of confidentiality to earn that trust. – kentchen Jun 06 '09 at 19:13
  • 6
    Religiously avoiding knowing or seeing user passwords is one way sysadmins encourage trust. – Mnebuerquo Feb 10 '10 at 20:12
  • If they are a domain admin or email admin, you probably have access to the HR files and the HR emails, unless the sensitive data is encrypted, which incidentally is a good idea. Same with the ERP system, as there is probably an account that has access to the database for maintenance purposes. – JamesBarnett May 27 '11 at 14:34
  • LOL @ the parking space comment. You trust an admin with the entire IT infrastructure but not with the location of your parking space. – JamesBarnett May 27 '11 at 14:35
  • Seriously though, all the info you expect HR to keep private you also expect IT admins to keep private; they essentially have the same level of access to that sensitive info. – JamesBarnett May 27 '11 at 14:36
19

Don't mix up authentication and authorization.

A password proves to the system who you are (authentication).

Group membership and filesystem permissions typically dictate what you can do (authorization).

To give a trusted admin access to files that are owned by someone else, you bump up their authorization level. You do not let them log in as if they were the other person.

James F
  • 6,549
  • 1
  • 25
  • 23
7

Administrators can always change a user's password. They have no reason to know the user's password. If there is a problem or the user is away and someone else needs access to files, then a manager can ask for the password to be changed for the day and the user can set their password back the next time they are in.

There is a benefit in administrators trying to crack users' passwords to prevent weak passwords being used.

David Pashley
  • 23,151
  • 2
  • 41
  • 71
  • If you need files, then the admin can always use HIS OWN elevated privileges to read those files without logging in as the owner of the files. He can then copy/move those files if someone else needs them, or change their permissions to allow the needed access. Cracking of weak passwords would be done at the time the user tries to set their password, and would simply reject the new password. That should be part of the login system. – Mnebuerquo Feb 10 '10 at 20:19
4

As others have already noted here: there is no good reason for IT to know a user's password; instead, access to a user's password might lead to a negative situation in a few forms.

In addition to what has already been said, if you do need to know a password, it is the local administrator's password for the machine (or root), and the master encryption password for the system. Anything having to do with user profiles should be considered off-limits, unless there is an administrative request to query these files (there are tools for that).

l0c0b0x
  • 11,697
  • 6
  • 46
  • 76
4

Keep in mind that if you go for having written down username/password combos, you have a very important list. Losing that list, or, worse yet, having someone copy that list without you knowing that a copy was made, would be a big big problem. And you really really do not want that in a file on some disk somewhere, which would be the common solution.

This is one of the many reasons why one does not write down passwords in clear text.

Bruce ONeel
  • 401
  • 2
  • 1
3

Everything inside me says "No!"

If you think you need it then you probably don't understand the tools and authorisations available to you as a sysadmin, as pointed out in the other answers.

Let me also point you to the SAGE Code of Ethics.

Edit: Was this a manager's idea? Either way some education is in order: for yourself, so you know what can and can't be done, technically, legally and ethically; for management, so you and they can develop a policy that meets business needs; and for users, so they know what they can expect.

cutrightjm
  • 344
  • 2
  • 13
pgs
  • 3,471
  • 18
  • 19
  • that link is fantastic.. I'll sure be using that. thanks heaps – cottsak Jun 07 '09 at 04:35
  • this was a manager's idea.. I was so so against it. like so fundamentally. but I had a think and thought it would be good to have lots more good reasons. and there's heaps here - it's great. – cottsak Jun 07 '09 at 10:07
  • Dilbert fodder... submitted. ;-) – pgs Jun 07 '09 at 11:09
3

Accountability is the issue.

If users are ever questioned about activity conducted from their login they have an automatic out if it is standard operating procedure that someone else can get into their account without first changing the password.

Don't risk losing the accountability of your sysadmins and/or your users.

I see no pros.

Shawn Anderson
  • 542
  • 7
  • 14
3

I'm gonna go off on a tangent a bit.

The point is that if the administrator is 100% ethical it doesn't matter if he knows user passwords, likewise if the administrator is not 100% ethical, then it doesn't matter if he doesn't know the password. He has root, he can get the password without anyone else knowing. (He is root, remember, the ruler of the machine. There is nothing he cannot do on that machine, including cleaning the logs, blocking ports, running whatever tool he wants, etc.)

There is no one that is 100% ethical in the eyes of HR, therefore you must assume that the admin always has access to the user passwords.

If you think the admin cannot do that because he lacks the skills, please replace him/her with someone who does.

So having a policy that the admin should not have access to the user passwords is a waste of printed Policy & Procedures paper, since it could not possibly be enforced. At best it offers a false sense of security, and that is the worst kind of security.

  • 1
    good answer: "..false sense of security.." – cottsak Jun 07 '09 at 06:38
  • 1
    If passwords are stored using non-reversible encryption then the admin won't be able to crack them. Not that it matters since there are other ways into users' information without them knowing which are far easier. – SpaceManSpiff Jun 07 '09 at 10:58
  • +1 for mentioning ethics...good point – cop1152 Jun 07 '09 at 15:54
  • 1
    Admin doesn't have "access to their passwords" any more than any other user on the network does. There's a big gap between "access" vs. "cracking" – Kara Marfia Jun 07 '09 at 21:34
  • 1
    There is no repudiation for the admin of a Unix system. If the user says he didn't do it, it is always possible for the admin to have done it. Normally it's the user's word versus the admin's word and the admin is normally trusted above the user. However, when the user in question is the Executive Director of Operation for Europe and the Mid-East, the admin, no matter what he says, will be in trouble. There is no repudiation possible by the admin. – Christopher Mahan Jun 10 '09 at 04:53
  • -1 for mentioning a waste of paper, gives the wrong idea. Non-repudiation is a best practice and in some cases a compliance/legal issue. – JamesBarnett May 27 '11 at 14:40
  • @Christopher Mahan re: executive users: that's a political problem not a technical one. You could set the root password, lock it in a safe with the head of HR along with the hash of that password. If the password is changed the hash won't match. Then redirect sudoer logs to a printer in the head of HR's office. It's not 100% but it's closer. There's no such thing as 100% where computers are concerned. – JamesBarnett May 27 '11 at 14:43
2

I didn't see this mentioned here, but I only skimmed the answers. A lot of users use the same passwords for EVERYTHING. If you have their network password then chances are you have the password for their personal email, photobucket, facebook, whatever.

I think it's a bad idea. A rogue sysadmin could cause a lot of trouble.

Dennis Williamson
  • 60,515
  • 14
  • 113
  • 148
cop1152
  • 2,626
  • 3
  • 21
  • 32
2

In order to maintain systems, admins need the ability to do anything - access files, change them, etc. So there needs to be a way for an admin to access any file, but it doesn't have to be by having the users' passwords.

For myself, I see only negatives to having people's passwords - loss of accountability being the main one. If I don't have anyone's password, I can't routinely access their files or emails, I can't pretend to be them and do something in their name. Our company president used to want us to have his password so we could easily work on his system, but after a lot of trying I convinced him to change it and NOT tell us what it was.

I can't think of a likely situation where an admin needs anything more than the ability to change a password so they can access files in an emergency. That, and temporarily knowing people's passwords was always enough. In cases where we had to do some work on a PC as the person, we'd either get their password and then change it after or we'd change it and get them to change it back.

Ward - Reinstate Monica
  • 12,788
  • 28
  • 44
  • 59
2

Server focused answer.

At a previous employer, the admin staff didn't have passwords set. We used only SSH authentication. After working there, I became a big believer in two factor authentication schemes, such as a passphrase protected client certificate or key (like an SSH key, or SSL client certificate).

jtimberman
  • 7,511
  • 2
  • 33
  • 42
2

The downside to letting the admin know all the passwords is that he/she might be quitting the organisation and taking all that data along. But the same may happen to data located in network shares.

Whatever you do don't store the users' passwords in plain text. Like in "call us if you forget your password". That's a no-go. The user will be assigned a new password when showing up at the helpdesk personally and be forced to change their password before the first login.

For information that is truly confidential I suggest the users take additional measures like PGP or Truecrypt but then should be told explicitly that their data cannot be recovered by their trusted sysadmins.

Should the management worry about the admins being able to peek into every document then they should do the sysadmin work themselves. A system administrator is supposed to have nearly complete trust.

Signum
  • 1,228
  • 1
  • 12
  • 14
  • +1 Good point. Changing root pw and disabling admin's login is one thing, changing *every* user's pw another... – sleske May 21 '10 at 02:16
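The points raised by James F (authentication is not authorization), Bruce ONeel (never keep a cleartext list), SpaceManSpiff (non-reversible storage) and Signum (reset, then force a change before first login) can be shown in one small model. The following is an added example, not code from the thread or any product mentioned in it; the `Directory` class, its method names and the PBKDF2 parameters are assumptions made for illustration. It stores only salted one-way hashes, so an admin can reset a password but never read one; access to another user's files is granted by raising the admin's authorization, not by logging in as the user; and every action is recorded under the actor's own identity, which is what preserves non-repudiation.

```python
"""Added example (hypothetical): an account store with no recoverable passwords,
separate authentication and authorization, and an audit trail per actor."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

PBKDF2_ROUNDS = 100_000  # assumption: tune upward for real hardware


def _hash(password: str, salt: bytes) -> bytes:
    """One-way, salted: the admin can replace this value but not invert it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    is_admin: bool = False
    must_change: bool = False  # set by an admin reset, cleared by the user


@dataclass
class Directory:
    accounts: dict = field(default_factory=dict)
    files: dict = field(default_factory=dict)   # path -> (owner, set of extra readers)
    audit: list = field(default_factory=list)   # ship this off-host in a real system

    def _log(self, actor, event, **detail):
        self.audit.append({"ts": time.time(), "actor": actor, "event": event, **detail})

    def add_account(self, name, password, is_admin=False):
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(name, salt, _hash(password, salt), is_admin)

    # --- authentication: who is at the keyboard ---------------------------
    def authenticate(self, name, password) -> str:
        """'ok', 'must_change' (temporary password accepted but normal login
        refused until the user picks their own) or 'denied'."""
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(acct.digest, _hash(password, acct.salt)):
            self._log(name, "login", result="denied")
            return "denied"
        result = "must_change" if acct.must_change else "ok"
        self._log(name, "login", result=result)
        return result

    def change_password(self, name, old, new) -> bool:
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(acct.digest, _hash(old, acct.salt)):
            return False
        acct.salt = secrets.token_bytes(16)          # fresh salt on every change
        acct.digest = _hash(new, acct.salt)
        acct.must_change = False
        self._log(name, "password_changed")
        return True

    # --- admin reset: visible to the user, never reveals their password ---
    def reset_password(self, admin, name) -> str:
        if not self.accounts[admin].is_admin:
            raise PermissionError(admin)
        temp = secrets.token_urlsafe(12)             # handed over in person, not stored
        acct = self.accounts[name]
        acct.salt = secrets.token_bytes(16)
        acct.digest = _hash(temp, acct.salt)
        acct.must_change = True
        self._log(admin, "password_reset", target=name)
        return temp

    # --- authorization: what an authenticated principal may do -------------
    def add_file(self, owner, path):
        self.files[path] = (owner, set())

    def grant_read(self, admin, path, principal):
        """Raise the principal's authorization instead of impersonating the owner."""
        if not self.accounts[admin].is_admin:
            raise PermissionError(admin)
        self.files[path][1].add(principal)
        self._log(admin, "grant_read", path=path, to=principal)

    def read(self, actor, path) -> bool:
        owner, grants = self.files[path]
        allowed = actor == owner or actor in grants
        self._log(actor, "read", path=path, allowed=allowed)  # the admin's own name, not the user's
        return allowed
```

The user-visible side effect of a reset (the old password stops working and a change is forced) is the property several answers above rely on: the user knows when someone else has been in their account, and the audit record names the admin rather than the user.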
1

I tend to be against the policy where the sysadmin should know the password. It should be handled case by case. Whenever we as IT people need the users' passwords to do the work, we should be asking for them and advise the users to change them once we finish our work. And IT shouldn't store any passwords in any format.

However, I also have to admit that sometime having a password sheet is very handy, very very handy.

kentchen
  • 754
  • 5
  • 9
1

Work computers provide privacy from persons who are not authorized to access the owner's information that is stored on them. Employees have no privacy when using an employer's equipment, which is why your logon banner says that all activity may be monitored at any time, with or without cause.

(If you don't have such a logon banner, run — don't walk — to your corporate counsel ASAP, because it's a Really Good Idea.)

However, that's another question. I don't think I can say anything that hasn't been said in another answer, although I think it needs to be explicitly stated that a password is an individual identifier, and therefore any password should be known by exactly one person; generic Administrator etc. account passwords should be stored in a safe and changed after every use.

Brad Ackerman
  • 2,141
  • 2
  • 17
  • 19
  • sure.. the account should describe the individual rather than a role etc (eg. 'bursar', 'assistant-principal'). totally agree! – cottsak Jun 07 '09 at 06:24
1

There may be legal obligations too, in terms of data protection, use of personal information, and so forth. True, as an admin there is nothing technical to stop me changing a user's password and accessing their account, but I would always get written authorisation from the HR manager (the person's own manager is not good enough) before doing this.

The big one for me is trust. If you have the power supreme, you are in a position where everyone from the lowliest grunt to the CEO has to trust you not to misuse it. Irrespective of the reality behind it, anything that helps to reinforce that trust will make things a lot easier for you. So making it well known that "we don't know your passwords and we can't access your account without changing your passwords (in which case you'll know about it)" is a good thing.

Maximus Minimus
  • 8,937
  • 1
  • 22
  • 36
  • Good points about legal obligations. In Unix world (and linux) the admin can access your account by acting as you without changing your password. sudo -u someuser – Christopher Mahan Jun 08 '09 at 04:57
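Bill Weiss, Christopher Mahan and Mnebuerquo make the same point from two sides: on Unix an admin can become any user with `su - user` or `sudo -u user` without knowing the password, and the compensating control is that those switches are logged and the log is shipped to a host the admin cannot edit. What the log collector then needs is a way to pick out "admin became another person" events from the ordinary "admin became root" noise. The following is an added example, not from the thread or any tool named in it: a small parser over log lines in the shape that `sudo` and `su` commonly write to `auth.log` on Linux. The sample lines are constructed for the example, and the regular expressions are assumptions about that format; check them against your own distribution's output before relying on them.

```python
"""Added example (hypothetical): flag impersonation of other users in auth.log-style lines."""
import re

# Constructed sample lines in the usual sudo / su syslog shapes (not a real capture).
SAMPLE_LOG = """\
Jun  7 06:17:01 fs1 sudo:    alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Jun  7 06:18:40 fs1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=bob ; COMMAND=/bin/bash
Jun  7 06:20:02 fs1 su[2140]: (to bob) alice on pts/1
Jun  7 06:21:15 fs1 su[2199]: Successful su for carol by root
Jun  7 06:25:30 fs1 sshd[2250]: Accepted publickey for bob from 10.0.0.7 port 51234 ssh2: RSA SHA256:abc
""".splitlines()

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) ")
# sudo: "<actor> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO = re.compile(r"sudo:\s+(?P<actor>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
# su (PAM/shadow style): "su[pid]: (to <target>) <actor> on <tty>"
SU_PAM = re.compile(r"su(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)")
# su (Debian style): "su[pid]: Successful su for <target> by <actor>"
SU_DEB = re.compile(r"su(?:\[\d+\])?: Successful su for (?P<target>\S+) by (?P<actor>\S+)")


def parse_switch(line: str):
    """Return {'actor','target','via',...} for a user switch, or None for anything else."""
    m = SUDO.search(line)
    if m:
        via = "sudo"
    else:
        m = SU_PAM.search(line) or SU_DEB.search(line)
        via = "su"
    if not m:
        return None
    head = PREFIX.match(line)
    rec = {"actor": m["actor"], "target": m["target"], "via": via}
    if "cmd" in m.groupdict():
        rec["cmd"] = m["cmd"]
    if head:
        rec["ts"], rec["host"] = head["ts"], head["host"]
    return rec


def find_impersonations(lines, exempt_targets=("root",)):
    """Switches into somebody else's account.  Becoming root (or another account
    listed in exempt_targets) is normal admin work and is not reported by default;
    pass exempt_targets=() to see every switch."""
    hits = []
    for line in lines:
        rec = parse_switch(line)
        if rec and rec["actor"] != rec["target"] and rec["target"] not in exempt_targets:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_impersonations(SAMPLE_LOG):
        print(f"{h['ts']} {h['host']}: {h['actor']} became {h['target']} via {h['via']}")
```

Run on the constructed lines this reports three switches into personal accounts (alice to bob by sudo, alice to bob by su, root to carol by su) and ignores the `apt` run as root and the SSH login. On a real deployment the reader is whoever holds the remote log host, which is what turns "the admin could have done it" into a record of whether they did.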
0

Why are you resetting someone's password when someone is away and another person wants/needs the work? Almost every person stores non-work-related data in their accounts these days. You should be moving only the required data from their space and placing it into the space that belongs to the user that requires it.

p858snake
  • 439
  • 2
  • 6