[Closed] IT security/Sys admin peeps...employer and password question

58 Posts
28 Users
0 Reactions
108 Views
Posts: 0
Free Member
Topic starter
 

Just wondering whether it is legal and/or good/poor IT security policy to dictate employees passwords?

For context, I work for a software dev company and our software is designed such that the user defines their own password when onboarding and users can change their password. We don't specifically prevent this.

But one of our clients has their IT department onboard their users and assigns a specific password (which they obviously know!) and tells the users not to change the password!

They would prefer us to change our software to support this workflow.

For more context, the client is UK based but the workforce is worldwide AND the software is actually running on the employees' own workstations (though they may be using a VPN and/or RDP to access the internal network...)

We have many hundreds of clients but only one works this way.


 
Posted : 23/04/2021 7:43 pm
Posts: 6829
Full Member
 

When I worked on some 'sensitive' stuff we were assigned logins and passwords - policy was very strict. Mind you the whole system was firewalled and air-gapped so we really couldn't go anywhere - you couldn't even print documents.


 
Posted : 23/04/2021 7:49 pm
Posts: 13916
Free Member
 

I know nothing about security TBH, but might they want to dictate the password if the software is running on hardware that their admins cannot otherwise access - i.e. the employees own pc/laptop?
🤷🏻‍♂️

Interested to hear the opinions.


 
Posted : 23/04/2021 7:53 pm
Posts: 0
Free Member
Topic starter
 

In the grand scheme of things, there's nothing remotely "sensitive" about our software (though that doesn't prevent users from mis-using it and putting a whole load of sensitive data where it doesn't belong!)
I'm not sure what other software their employees use, so I suspect this is to keep in step with their other policies.

Sort of defeats the objective though as, if I was accused of doing something wrong, I'd deny it and blame the sys admins for the breach 😉


 
Posted : 23/04/2021 7:56 pm
Posts: 1048
Free Member
 

only one works this way

Edge case. Straight in the bin.

Or tell them it's going to cost a million quid.


 
Posted : 23/04/2021 7:59 pm
Posts: 0
Free Member
Topic starter
 

only one works this way

Edge case. Straight in the bin.

Or tell them it’s going to cost a million quid.

My thoughts exactly!


 
Posted : 23/04/2021 8:00 pm
Posts: 9136
Full Member
 

I once worked for a small company where the senior management team (boss, boss's wife, boss's wife's brother) had the passwords changed on two of our email accounts so they could log in and read our mails. What a fine place that was.


 
Posted : 23/04/2021 8:01 pm
Posts: 398
Full Member
 

An element of security is the concept of non-repudiation ie a user has an individual account to which only they have access meaning that any action taken on that account has to be made by them (or the account has been hacked). If anyone else knows the password then you don’t know who else can use the account and you might as well have no passwords. It’s fine for employers to enforce password policies ie length, complexity, format etc and possibly even provide automated suggestions which only the end user sees. However, for the employer to dictate the password and record it is poor security practice from my perspective regardless of the complexity of the system being protected.

(Passed Certified Info Sec Mgr exam last week so I’ve been reading up on all of this recently)


 
Posted : 23/04/2021 8:10 pm
Posts: 77347
Free Member
 

Tell them to piss off.

I'll elaborate when I've eaten something.


 
Posted : 23/04/2021 8:15 pm
Posts: 1369
Free Member
 

I'm a cyber security person for one of the big vendors, and if what you are talking about is a domain password (probably AD?) I can tell you confidently that not only does this break many compliance guidelines, it's generally a terrible idea on just about every front. In fact it's so bad I don't really know where to start, so off the top of my head:

-breaches often start with weak passwords. A weak password is one that can be guessed, or bruteforced, etc. There's no way here to strengthen passwords, as they're known to >1 user.

-if said passwords do get leaked, how can you perform a meaningful audit or threat hunt to see where it happened? Was it the user? Was it the admin?

-this breaks many compliance guidelines for IT security and would be an instant fail for even any of the basic frameworks

That's me offering a quick concerned response. As a customer, this company is not one I'd care to do business (commercial) with. And as a potential employee, they clearly don't trust staff.

With my engineering head on I'd be asking: why? Is there some legacy system that can't be setup with SSO or something? Just why?


 
Posted : 23/04/2021 8:19 pm
 db
Posts: 1922
Free Member
 

I know my company wouldn't do business with them! A lot of our systems are now 2 factor with PingID or the Microsoft Authenticator app needed on your phone. Those systems left with pure passwords are a minimum 12 chars, letters, caps, numbers and special chars mandatory and it can't be easy to guess (checked against exposed password lists) or one of your 5 previous passwords! Oh and changes every 90 days.


 
Posted : 23/04/2021 8:55 pm
Posts: 13164
Full Member
 

If your software interfaces with any payment systems PCI would have their arses in slings. The standards for that specifically state no shared passwords (which is what this is however the client dresses it up).

Oh and changes every 90 days.

There will be lots of post-it notes with passwords in your offices or peoples purses/wallets. This is also poor practice.


 
Posted : 23/04/2021 9:21 pm
Posts: 77347
Free Member
 

What cody said and a bunch of other stuff.

This is also poor practice.

It's outdated practice. But this is an entire other argument.


 
Posted : 23/04/2021 9:35 pm
Posts: 10315
Full Member
 

Oh and changes every 90 days.

There will be lots of post-it notes with passwords in your offices or peoples purses/wallets. This is also poor practice.

That, every time.  It seems like a great idea but in reality is terrible.


 
Posted : 23/04/2021 9:37 pm
Posts: 4313
Full Member
 

The non-repudiation thing is important. In my area of industry, someone probably performed an insider fraud in the 1990s in Zimbabwe then got a job in SA and did the same. He was not prosecuted for either because it couldn't be shown that he was the only person with the password.

A secret shared is not a secret.


 
Posted : 23/04/2021 9:44 pm
 beej
Posts: 4120
Full Member
 

I can't remember the last time I used my password. Well over a year. Windows Hello for biometric authentication, enrolled device with TPM as the second factor, Authenticator app for an additional factor if needed - triggers on a risk-based model. SSO on pretty much everything - we did have a third party mileage capture tool that needed a password but they've dropped now.


 
Posted : 23/04/2021 9:51 pm
Posts: 77347
Free Member
 

OK.

Like CB I'm a Cybersecurity professi... well, I work in Cybersecurity. However, I've spent a long time in support and his final question would be my first:

With my engineering head on I’d be asking: why?

I've seen variations on this shit countless times and it's almost always born of catastrophic ignorance, people who don't understand how something works. Random example, at a previous employer I did a site visit and the branch manager had a printout of everyone in the building's Windows password. After I'd calmed down I asked, "why would you do that?" and got told, "well, what if someone's off and we need access to their work / computer / email?" So I sat down with her and explained basic network concepts; how all the user accounts could log on to (most) computers in the company; how we had network shares for files (aside: the default document location was on a server and part of our backup policy, crap dumped randomly elsewhere was not, and she'd mandated everyone use their desktop as document store 'so she could find it'). I then instructed everyone else in the building to say 'no' if she asked again, and if she got shirty then they were to contact IT and we'd talk to HR about security breaches. I could list dozens of other instances, likely hundreds, and it's because no-one provides sufficient IT training.

Now, let's talk about passwords.


 
Posted : 23/04/2021 10:23 pm
Posts: 77347
Free Member
 

First up, I'm not going to talk about the OP's specific system as I don't know it from a cheese sandwich. This makes answering questions like "is it legal?" difficult. Compliance is a very messy and complicated subject. There are many standards that you or they may or may not have to comply with from PCI-DSS as Cody says, to GDPR, to a library's worth of ISO accreditations. Depending on what the system does, the industry it's in and a whole raft of other factors it could be anything from "of course it's legal" to business-closing fines and someone going to jail.

But anyway. Passwords. What are they for then? This might end up being multiple posts, I really should start a blog.

Password verification is a means of providing what is known as AAA security. That doesn't mean they're ebay's A+++++ WUD SECURE AGAIN Greatness but rather we have here Authentication, Authorisation, and Accounting. What does this mean? Well, I'm glad you asked.

Authentication confirms your identity against a trusted authority. It's your name and photograph on your driving licence. It validates who you are, nothing more.

Authorisation states what access your authenticated user has access to. These are the car, motorcycle etc categories stamped on your driving licence. So for instance, if you're a member of Payroll then you likely have access to salary data.

Accounting (sometimes AKA Auditing) logs what you're doing.

Are we starting to see yet why sharing passwords is a really ****ing bad idea?

If everyone knows your password then you lose trust in Authentication and so you might as well have a driving licence written on the Jack of Clubs by your mate Dave.

Once you lose Authentication then you inherently lose Authorisation because if Brian in Sales wants to see what his arch-rival Jennifer is earning then he just logs in as Geoff in Payroll.

Once you lose Authorisation then you lose the ability to prevent Brian from accidentally (or maliciously) bollocksing up Jennifer's wages payment for this month.

And once you lose Accounting you no longer have any visibility of who did what, so when Brian cancels Jennifer's BACS payment we look at the system and can see that it was Geoff who did it but he can't reliably (or morally) be held accountable because literally the entire company knows his password by order of De Management.

This is a drum I have been beating for decades and it is a hill I will choose to die on. There is (almost*) NO reason for ANYONE else to know your personal password and if anyone asks for it ever you say no. Because if you don't then there is next to no point in you having a password at all.

I would argue that if your account is associated to something bad then it is your fault, end of.** Either you did it, or you were negligent in giving away (or otherwise failing to secure) your password to whomever did. This is basically the house key / insurance argument from earlier today.

(* - there are rare cases where this isn't really true but this is mitigatable and again that's a tangent for a different post.)

(** - hacks aside but again, tangent.)


 
Posted : 23/04/2021 11:06 pm
Posts: 398
Full Member
 

☝🏻 What he said.


 
Posted : 23/04/2021 11:26 pm
Posts: 77347
Free Member
 

There are many standards that you or they may or may not have to comply with from PCI-DSS as Cody says

Apologies, reading back that was Sandwich not CB.


 
Posted : 24/04/2021 12:20 am
Posts: 4643
Full Member
 

I work in identity management system integration. I get asked to implement this kind of crap all the smegging time. I’ve almost given up ranting at them now. Here’s some examples from gigs over the years:

“Can you only allow three letter passwords from a dictionary file?”

“Can you prevent the user from setting too complex a password?”

“Can you send their manager their password?”

“Can you send their password to anyone they define?”

“Can you write the password into a person object or AD object attribute?”

“Can you capture their password if they change it, before it’s hashed and store it in an AD attribute?”

“Can you prevent them from setting up a password reset question and answer profile and just send them a sms TFA request?”

And of course the favourite of every IAM consultant:
“Can you mail the new user their password to allow them to log on?”

Seriously, automate whole businesses into oblivion should be our aim. Too stupid to survive.


 
Posted : 24/04/2021 12:30 am
Posts: 77347
Free Member
 

In my area of industry, someone probably performed an insider fraud in the 1990s in Zimbabwe then got a job in SA and did the same. He was not prosecuted for either because it couldn’t be shown that he was the only person with the password.

This likely didn't exist back then but there is a concept in security called The Controlling Mind. Someone, somewhere, made a decision, and in the absence of strong evidence that's your fulcrum.

There are (off the top of my head at least) three potential scenarios here outside of hacks:

1. It was his credentials, ergo he did it, therefore he's culpable.

2. It was his credentials but they were used by someone else who did it. So he was negligent in protecting his account (see above) therefore he is still culpable.

3. He was ordered to breach security by surrendering his credentials to someone else and had no choice in the matter* therefore as the Controlling Mind the person who ordered him to do it is culpable.

(* - and arguably this is often just a variation of 2 for not refusing to comply anyway.)


 
Posted : 24/04/2021 12:36 am
Posts: 77347
Free Member
 

Man, I miss being able to edit posts after 15 minutes. I hate making typos.


 
Posted : 24/04/2021 1:33 am
Posts: 77347
Free Member
 

But one of our clients has their IT department onboard their users and assigns a specific password (which they are obviously know!) and tells the users not to change the password!

Can I ask for clarification, as it's what I was railing against in the post I just deleted:

When you say "a specific password" do you mean a single shared password, like the company name with some letters switched to numbers (spoiler: the likes of M1cr0s0ft! is fooling absolutely no-one), or just that their individual password is known to IT?


 
Posted : 24/04/2021 2:29 am
Posts: 0
Free Member
Topic starter
 

@Cougar: at this point, I have no idea what the client's reasoning for this is; the initial request has just been escalated to me via our support team. I'm getting them to enquire further...
Do you mind if I copy and paste some of your ranting (?) and send it to our client? 😄


 
Posted : 24/04/2021 6:08 am
Posts: 3991
Full Member
 

I've worked in software for over 20 years in various roles. We sell a standard product used by lots of customers but have a programme of customer suggestions and improvements. We do get some really good suggestions that really improve the product. Other times we get some doozies like the OP's customer has come up with.

The standard response is that it's not something that would benefit other customers so we won't be implementing it. If the customer really wants it then they get a realistic price for the dev plus a support and maintenance uplift for being so bespoke which usually puts them off.

But in the OP's case we'd refuse as it would break our security accreditation for all the reasons that everyone has already stated.


 
Posted : 24/04/2021 7:47 am
Posts: 1312
Full Member
 

I can see instances in manufacturing and retail where not being able to quickly get on a users machine is a pain in the arse (maybe they’ve saved a file locally, or have a locally attached device you need access to). Shared passwords, and no policy to force change is obviously a bad idea though.

If we really need access then we manage it with LogMeIn, which is much less invasive than resetting passwords and disabling 2FA if we need access for any reason (for the most part it’s usually just software updates and support issues).

The thing I’ve always found uncomfortable is knowing that the administrator can grant themselves full access to mailbox rights for any user in Exchange O365 and by default the person who ‘owns’ the mailbox gets no notification of that being done. Privacy, by default, doesn’t really exist.


 
Posted : 24/04/2021 8:12 am
Posts: 13164
Full Member
 

I know just enough (self taught) to stop the boss risking his house (sole trader), usually I can hear Spengler saying "That would be a bad thing" as another bright idea is put forth.

It took long enough to stop passwords being buried in the file server on a password protected Word File! What could possibly go wrong?


 
Posted : 24/04/2021 8:13 am
 nbt
Posts: 12381
Full Member
 

I'm with JeffL and Cougar


 
Posted : 24/04/2021 8:14 am
Posts: 1317
Free Member
 

It is against all good practice but to put in context...

An enterprise admin on Gsuite can set / change their user/employee passwords to anything they want at any time.

If the contract and their wallet is big enough it’s a case of your legal team doing what they need to protect you rather than giving a hard no. Sadly requirements like this are more common than you may think.


 
Posted : 24/04/2021 8:21 am
Posts: 3991
Full Member
 

@sillysilly Our app is the same, an admin user can reset someone's password if the self-service "I've forgotten my password" functionality doesn't work for whatever reason. However the user is forced to reset the password when they login again.

It is open to abuse like any system but it's all audited that they've done this along with their IP address. So if an admin does this and then logs in with that account we have a pretty good audit trail of what's happened. Obviously IP address isn't foolproof but it all helps.

Saying that most customers use smart cards and MFA so it's only customers utilising username/password combos that have the challenge.


 
Posted : 24/04/2021 9:07 am
Posts: 77347
Free Member
 

at this point, I have no idea what the client's reasoning for this is

Then in the absence of any further justification I'd be referring to the legal precedent set in the case of Arkell vs Pressdram.

Do you mind if I copy and paste some of your ranting (?) and send it to our client? 😄

Feel free. If you like I can sanitise it slightly, the target audience was STW rather than your customers. As I said, I really think I want a blog, I'm getting tired of typing the same shit repeatedly in piecemeal.

I have part two sketched out in my head now where I explain why everything I just said is wrong. (-:


 
Posted : 24/04/2021 12:47 pm
Posts: 77347
Free Member
 

The thing I’ve always found uncomfortable is knowing that the administrator can grant themselves full access to mailbox rights for any user in Exchange O365

With the caveat that my knowledge is a little rusty here so I may be off the mark (I've been an Exchange admin for decades but never an O365 admin):

Technically they can but legally they cannot. The (oversimplified) rule here is that a company cannot read its employees' email by stealth. They must inform the staff that they are doing this; failure to do so would be in breach of the DPA.


 
Posted : 24/04/2021 1:08 pm
Posts: 887
Full Member
 

Having just done a bunch of exports from Office 365 / Exchange Online revealing who has Full Access to which mailboxes, as well as just e.g. Calendar access, I could almost 'hear' the looks of astonishment / wtf / etc from our customer as I did a screenshare of the results in a Teams call. Very revealing stuff, the trouble being that without auditing having been turned on previously, compounded by the past use of generic admin accounts, they'll never really know why a bunch of it was ever configured.


 
Posted : 24/04/2021 2:10 pm
Posts: 77347
Free Member
 

There was a time where admin access to all was default Exchange behaviour. It's unlikely but possible that a chunk of that is legacy if they've just upgraded in situ for years. It changed IIRC in either 2003 or 2007.

You shouldn't need to do that at a server level for personal mailboxes anyway. Users can delegate access to bosses, PAs etc via Outlook and have been able to do so for a very long time now.


 
Posted : 24/04/2021 3:13 pm
Posts: 3544
Free Member
 

But one of our clients has their IT department onboard their users and assigns a specific password (which they obviously know!) and tells the users not to change the password!

That's not a given that they know the password - though it may be likely. We automagically generate a temporary password and encrypt it on the database but it's automated and only the recipient of the email gets the password. Obviously we force them to change it on first login but it may be that the IT dept don't know the password.


 
Posted : 24/04/2021 7:19 pm
Posts: 0
Free Member
Topic starter
 

That's not a given that they know the password – though it may be likely. We automagically generate a temporary password and encrypt it on the database but it's automated and only the recipient of the email gets the password. Obviously we force them to change it on first login but it may be that the IT dept don't know the password.

The first part of that scenario is highly unlikely to apply here and, besides which, our software has "show password" capability so even if they could paste in an unknown string, it can easily be revealed.
Plus, we don't force password change anyway...


 
Posted : 24/04/2021 8:06 pm
Posts: 77347
Free Member
 

our software has “show password” capability

That isn't a feature to be boasting about, it's really bad. It's a demonstration that you're storing passwords in a terrible manner. "Show password" isn't possible in a secure system*, password validation should be a one-way process. If you can "show password" then so can any hacker who breaches your system, for your entire userbase.

The only correct answer to "give me my password" is "I'd love to but I can't, instead you can click here to change it." If I were you I'd be having a robust conversation with your devs around their password encryption policies because it sounds an awful lot like they're being stored in plaintext.

(* - except in very particular circumstances)


 
Posted : 25/04/2021 1:21 am
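What the post above (one-way verification, nothing to "show") and the earlier admin-reset post (reset forces a change on next login, and every reset is audited with the caller's IP) look like in code. This is a constructed example added here, not the OP's software or any project's code; the in-memory store, the user names and the IP addresses are made up.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Work factor for PBKDF2-HMAC-SHA256 (OWASP's current guidance is 600,000).
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). The digest is one-way: nothing in this module can
    recover the password from it, which is why 'show password' cannot exist here."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    must_change: bool = False  # set by an admin reset, cleared on the next change


@dataclass
class CredentialStore:
    """Constructed in-memory store: salted hashes plus an audit trail, no plaintext."""
    accounts: dict[str, Account] = field(default_factory=dict)
    audit_log: list[dict] = field(default_factory=list)

    def _audit(self, actor: str, action: str, target: str, source_ip: str) -> None:
        self.audit_log.append({"actor": actor, "action": action, "target": target, "ip": source_ip})

    def onboard(self, username: str, password: str, source_ip: str) -> None:
        """Self-service onboarding: the user picks the password; IT never sees it."""
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)
        self._audit(username, "onboard", username, source_ip)

    def admin_reset(self, admin: str, username: str, source_ip: str) -> str:
        """Helpdesk reset: a random temporary password is returned once for delivery
        to the user and only its hash is kept; the account is flagged so the
        temporary credential is good for nothing except setting a new password."""
        temp = secrets.token_urlsafe(12)
        acct = self.accounts[username]
        acct.salt, acct.digest = hash_password(temp)
        acct.must_change = True
        self._audit(admin, "admin_reset", username, source_ip)
        return temp

    def login(self, username: str, password: str, source_ip: str) -> str:
        """Returns 'ok', 'must_change' (temporary credential, no session) or 'denied'."""
        acct = self.accounts.get(username)
        if acct is None or not verify_password(password, acct.salt, acct.digest):
            self._audit(username, "login_failed", username, source_ip)
            return "denied"
        if acct.must_change:
            self._audit(username, "login_temp_credential", username, source_ip)
            return "must_change"
        self._audit(username, "login_ok", username, source_ip)
        return "ok"

    def change_password(self, username: str, old: str, new: str, source_ip: str) -> bool:
        """Requires the current (or temporary) password; clears the reset flag."""
        acct = self.accounts.get(username)
        if acct is None or not verify_password(old, acct.salt, acct.digest):
            self._audit(username, "change_failed", username, source_ip)
            return False
        acct.salt, acct.digest = hash_password(new)
        acct.must_change = False
        self._audit(username, "password_changed", username, source_ip)
        return True
```

The audit trail records which admin performed the reset and from where, so a later login by that account under a temporary credential can be tied back to the reset rather than to the user.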
Posts: 77347
Free Member
 

...and why would you even want to 'show password' to someone who doesn't know their own password anyway? Under what scenario is that a useful process?


 
Posted : 25/04/2021 1:24 am
Posts: 1048
Free Member
 

Microsoft Edge has show password functionality built into it. So you can check what you have just typed into a masked password field like mark is describing. Just click the little eyeball icon and asterisks become plain text.


 
Posted : 25/04/2021 9:21 am
Posts: 77347
Free Member
 

Microsoft Edge has show password functionality built into it.

Only if you've already authenticated to it.


 
Posted : 25/04/2021 12:32 pm
Posts: 13594
Free Member
 

There will be lots of post-it notes with passwords in your offices or peoples purses/wallets. This is also poor practice.

Yep, I use a lot of post-it notes for passwords, mostly stuck on the bottom edge of my monitor.....


 
Posted : 25/04/2021 1:07 pm
Posts: 1317
Free Member
 

Text book and best practice fail the minute you walk out the classroom and into closing a Mn/Bn $ enterprise contract... Shouldn’t be that way but it’s sadly reality.

Complex passwords are also great until: https://arstechnica.com/gadgets/2021/04/hackers-backdoor-corporate-password-manager-and-steal-customer-data/

Hate to think how much Microsoft make saying yes to / supporting stupid features after explaining all the reasons why something shouldn’t be done to a customer.


 
Posted : 25/04/2021 1:12 pm
Posts: 77347
Free Member
 

Whereas I can think of lots of things that should be done to a customer.


 
Posted : 25/04/2021 2:26 pm
Posts: 44146
Full Member
 

Passwords at my (ex) work

Security needs to be tight given the highly personal info we have to deal with. However the IT password setup is such that it will always fail at the user end. Most of us have 4 passwords. One to log in to the terminal, one to log in to the database, one to log into email, one for training / HR, plus a few of us have more.

They all use different formats and these are the usual impossible-to-remember kind - must use a combo of letters, numbers and symbols so you cannot use a memorable word. The main login one has to be changed every 3 months, the others never. The users are mainly not very tech literate. The result is that almost everyone has their passwords written down, often on post-its on the desk!

If they allowed us to use a format that is easy to remember then this would happen less.

This is a system set up to fail.


 
Posted : 25/04/2021 2:40 pm
Posts: 7954
Full Member
 

Microsoft Edge has show password functionality built into it.

That's you saving your password in Edge though, not a system storing a user's password. Edge (or Chrome or Firefox etc) have to store the password in a reversible form or they cannot pass it to the end system when required. The end systems should store a hash of the password (i.e. a form that cannot be decrypted; it's a one-way process).


 
Posted : 25/04/2021 4:56 pm
Posts: 1048
Free Member
 

That’s you saving your password in edge

No it isn't.

https://docs.microsoft.com/en-us/microsoft-edge/web-platform/password-reveal

But let's look forward to Cougar's blog on the subject.


 
Posted : 25/04/2021 8:09 pm
Posts: 7954
Full Member
 

I'm surprised they even bothered to document that feature. A password input is just a text input that shows a * for each character. There is no encryption.


 
Posted : 25/04/2021 8:24 pm
Posts: 5055
Free Member
 

It's a crap idea*, but if they're willing to pay** - then crack on.

* - I trained as an IT Auditor in the early 90's and I'm in an equivalent role now
** - I did run a software company for a while

I would though advise them that they were branching off the main design path and they could face considerable upgrade costs long term.


 
Posted : 25/04/2021 8:36 pm
Posts: 3652
Full Member
 

No it isn’t.

https://docs.microsoft.com/en-us/microsoft-edge/web-platform/password-reveal

But let’s look forward to Cougar’s blog on the subject.

Yes it is. And you can do the same thing in any browser by going to 'inspect'/'inspect element' and changing the 'type' from 'password' to 'text'.

But all you're seeing there is whatever you've just typed into the browser, not necessarily the actual password for the system. From that link:

After a user has entered text in the password field, a user may choose the password reveal button

If your password is '0pensesame' and you type in 'iForgot' instead, then you'll see 'iForgot', not your actual password.


 
Posted : 25/04/2021 10:12 pm
Posts: 8613
Full Member
 

For more context, the client is UK based but the workforce is worldwide AND the software is actually running on the employees own workstation

What actually runs locally, a thick client for the app or the entire app? Assuming a thick client, is there no AD (or other identity source) integration possible? I personally hate apps that don't allow linking to an existing identity source - it's just another set of credentials for users to manage and another headache for the service desk.

If it's an entirely local app, what's the purpose of the credentials, does it use an encrypted local DB or something?

As lots of people have already said, it's crap practice to have anyone but the user know their password, but the app itself doesn't seem to be helping matters in this case.


 
Posted : 26/04/2021 9:32 am
Posts: 44146
Full Member
 

it’s crap practice to have anyone but the user know their password

Indeed it is - but it's also common and crap practice to make the password system too difficult for users to use, as in my example above.

My thinking would be to try to find out why they want it this way ie what problem are they trying to avoid and then see if you can find another way to solve their issues


 
Posted : 26/04/2021 9:37 am
Posts: 13164
Full Member
 

a thick client

We know this but should never refer to them as such, inside voice only 🙂


 
Posted : 26/04/2021 9:45 am
Posts: 0
Free Member
 

Not read the entire thread, but it's not such a bad practice, depending on the system and how it is accessed. Setting one very complex password that you never have to enter or remember (except for the first time) is probably safer than one that changes regularly and is hard for a user to remember.


 
Posted : 26/04/2021 10:11 am
Posts: 13594
Free Member
 

We know this but should never refer to them as such, inside voice only

I did once find myself saying 'fing moron' under my breath in a customer meeting. Luckily he didn't hear me. IIRC his network design was physically impossible, as in it broke many fundamental rules of physics, but he kept insisting he was right. His business plan was dependent on it being possible, so he couldn't change the spec. At that point I realised he was indeed a 'fing moron'.


 
Posted : 26/04/2021 10:40 am
Posts: 8613
Full Member
 

Several years ago I was in a conf call with a client making some ridiculous requests, a colleague in the room with me decided it would be amusing to take me off mute as I started ranting about what they were asking, luckily they only heard a couple of swear words before I realised :p


 
Posted : 26/04/2021 12:00 pm
Posts: 77347
Free Member
 

On browser passwords, I think you're at angry dolphins.

The 'show password' will swap the *s for whatever is actually in the password text box. The only reason it displays asterisks, as has been common practice in the history of every password entry ever, is to prevent shoulder-surfing. There's no actual security here.

However, browsers also typically offer a 'remember me' feature where they will store your credentials. Security here varies between 'not great' and 'none' depending on browser and OS. On Chrome if I store them with the browser and want to view passwords then I have to enter a PIN first, which is something. But really, if you want this functionality then you're better off with a trusted Password Manager app.


 
Posted : 26/04/2021 1:13 pm
Posts: 11605
Free Member
 

Postit notes are old tech, I thought people just used the

Memorablewordn
Memorablewordn+1
Memorablewordn+2

system. Thankfully our passwords are slowly being integrated into our account so are being managed for us but the weak link is still log in. The frustrating bit is we carry RFID for physical access so could use that for 2FA! (off site we can use MS authenticator)


 
Posted : 27/04/2021 9:18 am
Posts: 44146
Full Member
 

squirrelking - our work passwords would not let you do that.


 
Posted : 27/04/2021 12:30 pm