Security Basics mailing list archives

Re: login sheets


From: krymson () gmail com
Date: 2 Jan 2007 22:51:54 -0000

I like that idea, and did this myself when I did desktop support. Don't make this task too hard, as it really is not.

Make up your sheet of passwords and deliver it to the new employee by hand. Don't keep your own copies either printed 
or electronic. If HR prefers, you can deliver it to HR to deliver to the user, but when it is your choice, hand deliver 
it to the user. Don't set it on the desk for their retrieval later; actually witness that they are in possession of it.

Mention both verbally and on this paper that the information is highly sensitive and private to them. Your policies 
should dictate rules about giving out account passwords, and accidentally "sharing" them via a sheet left in plain sight 
can be construed as breaking policy.

Set as many of those accounts to require the user change their password on the first logon.

Set as many of those accounts to unique, stronger passwords. This banks on the habit that people don't change their 
passwords unless they need to. So don't let them keep "password" as their intranet account for years. Also, don't use a 
predictable pattern like their start date and initials. If they lose it or you forget it, just remember you have the 
keys to change it to something else, so even you don't need to have it predictable.

Always stress that those sheets should not be stored very long. Use that opportunity (verbally or on the page again) to 
show them how to change their passwords, and how to properly dispose of a sheet like that (shredded or secure disposal 
bin).




<-snip->
Just wondering how people deal with giving new users their initial login
details. Our users often have to know logins for four different systems in
their first week and I wanted to give them a sheet with these details on
them. Obviously each system will ask for a passphrase change when first
logging in.
Also, the sheet would have something along the lines of 'How to choose a
strong passphrase that does not contain your cat's name or your favourite
football team but is easy to remember'.

