>> On February 21, 2009 14:34, Ed Gerck wrote:
>> In a business, one must write down the passwords and one must have a
>> duplicate copy of it, with further backup, where management can access
>> it. This is SOP.
>>
>> This is done not just in case the proverbial truck hits the employee, or
>> fire strikes the building, or for the disgruntled cases, but because
>> people do forget and a company cannot be at the same time responsible to
>> the shareholders for its daily operations and not be responsible for the
>> passwords that pretty much define how those daily operations are run.
>>
>> The idea that people should not write their passwords is thus silly from
>> the security viewpoint of assuring availability and also for another
>> reason. Users cannot be trusted to follow instructions. So, if one's
>> security depends on their users following instructions, then something
>> is wrong from the start.

Most organizations I interact with have an SOP that nobody should ever know another's password. The only passwords that are safe stored are those for encryption or the top level admin.

You take on a degree of legal responsibility if you have the ability to logon as another user. Since the admin can easily change a user's password, what would be the necessity for this risk?

All password changes should be audited.

Respectfully,

Dave Kleiman - http://www.ComputerForensicExaminer.com
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
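An added illustration of the audit point in the reply above; this is not code from the thread or from either author. It assumes a constructed JSON-lines audit log in a made-up format (fields ts, actor, target, action) and a made-up review routine. It separates a user's own password changes from administrator resets and flags the two things the reply argues against: a password change performed on someone else's account, which requires knowing that person's password, and an unexplained burst of resets by one administrator.

```python
"""Review a password-change audit log (added example; the log format is
constructed for this illustration and is not any real product's)."""
import json
from collections import Counter

# Constructed sample audit lines. "change" = a user changes their own
# password by supplying the current one; "reset" = an administrator sets a
# new password on another account without knowing the old one. The
# malformed line is deliberate, to show the parser tolerating it.
SAMPLE_LOG = """\
{"ts": "2009-02-21T14:40:02Z", "actor": "alice", "target": "alice", "action": "change"}
{"ts": "2009-02-21T15:02:11Z", "actor": "admin1", "target": "bob", "action": "reset"}
this line is not json and should be skipped
{"ts": "2009-02-21T15:05:47Z", "actor": "admin1", "target": "carol", "action": "reset"}
{"ts": "2009-02-21T15:06:03Z", "actor": "admin1", "target": "dave", "action": "reset"}
{"ts": "2009-02-21T16:30:00Z", "actor": "bob", "target": "bob", "action": "change"}
{"ts": "2009-02-21T17:12:19Z", "actor": "erin", "target": "frank", "action": "change"}
"""

REQUIRED_FIELDS = {"ts", "actor", "target", "action"}


def parse_log(text):
    """Parse JSON-lines audit text into event dicts, skipping bad lines."""
    events = []
    skipped = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1  # a real review should report this count, not hide it
            continue
        if isinstance(ev, dict) and REQUIRED_FIELDS <= ev.keys():
            events.append(ev)
        else:
            skipped += 1
    return events, skipped


def review(events, reset_threshold=3):
    """Classify events and return a findings dict.

    findings["self_changes"]: users changing their own password (normal).
    findings["admin_resets"]: administrator resets (normal, but auditable).
    findings["anomalies"]:    ("change_other", event) when someone changed a
                              password on an account that is not their own,
                              i.e. they knew that user's current password;
                              ("bulk_reset", actor, n) when one actor reset
                              at least reset_threshold accounts.
    """
    findings = {"self_changes": [], "admin_resets": [], "anomalies": []}
    resets_by_actor = Counter()
    for ev in events:
        if ev["action"] == "change":
            if ev["actor"] == ev["target"]:
                findings["self_changes"].append(ev)
            else:
                findings["anomalies"].append(("change_other", ev))
        elif ev["action"] == "reset":
            findings["admin_resets"].append(ev)
            resets_by_actor[ev["actor"]] += 1
    for actor, n in sorted(resets_by_actor.items()):
        if n >= reset_threshold:
            findings["anomalies"].append(("bulk_reset", actor, n))
    return findings


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    result = review(evs)
    print(f"{len(evs)} events parsed, {bad} lines skipped")
    for item in result["anomalies"]:
        print("anomaly:", item)
```

The threshold for a "bulk reset" is an assumption chosen for the sample data; in practice it would be tuned to the help desk's normal daily volume, and the point of the report is that every reset is tied to a named administrator, so nobody ever needs to hold another user's password.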