>> On February 21, 2009 14:34, Ed Gerck wrote:
>> In a business, one must write down the passwords and one must have a 
>> duplicate copy of it, with further backup, where management can access 
>> it. This is SOP.
>> This is done not just in case the proverbial truck hits the employee, or 
>> fire strikes the building, or for the disgruntled cases, but because 
>> people do forget and a company cannot be at the same time responsible to 
>> the shareholders for its daily operations and not be responsible for the 
>> passwords that pretty much define how those daily operations are run.
>> 
>> The idea that people should not write their passwords is thus silly from 
>> the security viewpoint of assuring availability and also for another 
>> reason. Users cannot be trusted to follow instructions. So, if one's 
>> security depends on their users following instructions, then something 
>> is wrong from the start.

Most organizations I interact with have an SOP that nobody should ever know 
another's password. The only passwords that are safely stored are those for 
encryption or the top level admin. You take on a degree of legal responsibility 
if you have the ability to log on as another user. Since the admin can easily 
change a user's password, what would be the necessity for this risk? All 
password changes should be audited.

Dave Kleiman - http://www.ComputerForensicExaminer.com 
4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410

The Cryptography Mailing List