Security Basics mailing list archives
Fwd: login sheets
From: "Babu Kopparam" <babukopparam () gmail com>
Date: Wed, 3 Jan 2007 11:01:13 +0530
Hi! I would suggest you to write a 'Change Password' page for all four applications. Ask user for self registration to your system, (user provides his password). Approve this request. Redirect him to a page where he has to provide a new password for all the four applications. With this, password is more and more safe that even administrator is unaware of the same. Remember, as a administrator, if you know the password of business users, you can not claim for 'non-repudiation'. I know this solution requires some additional activites, but it is worth doing it. Thanks, -Babu. On 2 Jan 2007 22:51:54 -0000, krymson () gmail com <krymson () gmail com> wrote:
I like that idea, and did this myself when I did desktop support. Don't make this task too hard, as it really is not. Make up your sheet of passwords and deliver it to the new employee by hand. Don't keep your own copies either printed or electronic. If HR prefers, you can deliver it to HR to deliver to the user, but when it is your choice, hand deliver it to the user. Don't set it on the desk for their retrieval later, actually witness that they are in possession of it. Mention both verbally and on this paper that the information is highly sensitive and private to them. Your policies should dictate rules about giving out account passwords, and accidentally "sharing" them via a sheet left in plain site can be construed as breaking policy. Set as many of those accounts to require the user change their password on the first logon. Set as many of those accounts to unique, stronger passwords. This banks on the habit that people don't change their passwords unless they need to. So don't let them keep "password" as their intranet account for years. Also, don't use a predictable pattern like their start date and initials. If they lose it or your forget it, just remember you have the keys to change it to something else, so even you don't need to have it predictable. Always stress that those sheets should not be stored very long. Use that opportunity (verbally or on the page again) to show them how to change their passwords, and how to properly dispose of a sheet like that (shredded or secure disposal bin). <-snip-> Just wondering how people deal with giving new users their initial login details. Our users often have to know logins for four different systems in their first week and I wanted to give them a sheet with these details on them. Obviously each system will ask for a passphrase change when first logging in. Also, the sheet would have something along the lines of 'How to choose a strong passphrase that does not contain your cat's name or your favourire football team but is easy to remeber'.
--------------------------------------------------------------------------- This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect ---------------------------------------------------------------------------
Current thread:
- login sheets Murda Mcloud (Jan 02)
- Re: login sheets Michel Pereira (Jan 05)
- <Possible follow-ups>
- Re: login sheets krymson (Jan 02)
- Message not available
- Fwd: login sheets Babu Kopparam (Jan 04)
- Message not available