  1. #1


    Password manager for our users

    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users' (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run on a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.

  2. #2

    FN-GM
    What are you importing them into? Active Directory? Open Directory?

  3. #3

    plexer
    Quote: Originally posted by manamaga2512
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users' (staff and students) network account passwords
    Seems like your policy is slightly flawed on that account then?

    Ben

  4. #4

    @ Plexer - I wouldn't say 'flawed', but our current policy is not as 'tight' as it should be, hence the overhaul and the introduction of new policies and data protection training. We have been quite relaxed in the past and this is about to change.
    @FN-GM - We have all of our users' usernames, these can be exported from AD. I was thinking that we could maybe then import them into some app / software which will then generate random passwords which we can then issue to our end users. And should a user forget their password for example, we can simply look them up and either email or give them a reminder in person.

  5. #5
    MordyT
    There is a script you can use on r Mueller site that can store these in an Excel file. We use it to generate the initial passwords at year start.

  6. #6

    plexer
    You shouldn't be storing users' passwords in any reversible format.

    Ben

  7. #7

    elsiegee40
    Quote: Originally posted by manamaga2512
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users' (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run on a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.
    Your network manager can change passwords as needed. He/she does not need to know passwords in order to change them. Passwords should not be known by anyone other than the account owner... that is the whole point of them.

    That said, it is not unusual for the master network administration passwords to be locked in a safe in case the NM is 'run over by a bus'.

    I would read and reread that policy, because I cannot believe that it says that everyone's password must be known by someone else. I would argue that you are in breach of the DPA if you do.

    @GrumbleDook will be able to give you chapter and verse if he is around
    Last edited by elsiegee40; 22nd November 2013 at 06:33 PM.

  8. #8

    Agreed, I would be seriously questioning anyone that wanted my password or knew my password if I was a normal user. From a data protection point of view it is so wrong.... what's to stop you logging on with one of the passwords and doing something nasty?
    Yes, as a Network manager you can change a password, but then the user would know as they wouldn't be able to log on unless you reset it exactly to what it was?

    Our policy is we set a password initially for the staff when they first join... but set it to be changed on first log on.

  9. #9

    I would like to know who wrote such a policy and what qualified them to do so. I must say that it sounds absolutely absurd. No self-respecting IT professional would ratify such a proposal if it was put in front of them, surely?

    There are various routes to issuing initial passwords to users (to be changed ASAP), but to even conceive of storing live passwords long term beggars belief.

  10. #10

    localzuk
    By doing this, you'd be introducing a giant gaping hole into your network. It'd mean you'd have to ban users from being able to change their own passwords too.

    The whole point of passwords is that only the user using them should know them. Otherwise, you can never be sure that only that user is on that account. So, you'd have no accountability should something go wrong.

  11. #11

    GrumbleDook
    Chapter and verse is as follows ... or at least one careful perspective

    To meet DPA principle 7 you should take all reasonable organisational and technical measures to secure data.

    Normally this would mean that the only people who should know the password of a user is the user themselves. The school should have the ability to change the password or prevent the user changing their password, should they need to complete any legitimate investigation of use or breach of school policies.

    This is done through this methodology so that the school is reasonably sure that any activity on an account is from that user, and there are no or few opportunities for others to use the account. If others have access to the account you cannot be sure who has done anything with it, risking principles 2, 5 and 7, as well as making it difficult for law enforcement agencies to investigate any breaches of the law (Computer Misuse Act, child protection investigations, etc).

    There are times when you might want or need a list though, and these should be considered appropriately. In some schools the class teacher may be required to have ready access to the password for users in their class, due to the age or ability of the learners. This should be treated sensitively by that teacher. The teacher might not be given trusted delegation to change passwords as this can be deemed an admin task and outside of the teacher's role / work. A central list might need to be maintained by a trusted person within the school for this to be referred back to. The storage of this central list must also be treated sensitively.

    The main reasons you don't tend to have the central store is audit and accountability.

    Other reasons why schools seek to have the list is to allow any designated member of staff to have access to specified user areas. This might be provided alternatively by the use of permissions on file storage. If you are operating on a cloud-based solution that does not offer this level of delegation then again the central list might be deemed the appropriate way to manage risks.

    Key to all this? Risk analysis, and taking justifiable and appropriate actions, and ensuring that any changes to risk are dealt with accordingly.

    I am not saying that the central policy is right, just that it needs to fit around *your* analysis! and that of the SIRO in the school.

  12. Thanks to GrumbleDook from:

    elsiegee40 (22nd November 2013)

  13. #12

    seawolf
    Quote: Originally posted by manamaga2512
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users' (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run on a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.
    Do NOT do this. If I may be so blunt, your Academy's new data protection policy should be renamed to the data LOSS policy.

    Instead, do this.

    1. Create a password policy in AD that requires a minimum of 8 characters and strong passwords, as well as a password change at least once a year (more frequent is better, but I understand it is teachers and students you're dealing with).

    2. Install a password manager such as the ones from Netwrix or ManageEngine. These will enable your users to set up security questions they can answer to reset their own passwords if they forget them and a delegated admin account you could provide to any techs or even the librarian to reset user passwords securely. These also work great for tablet users who never or rarely log onto a computer on the network to receive alerts about expiring passwords. Netwrix also provides software that will send reminder emails to users when their password is expiring to give them a heads up.

    3. Document the new password policy and how to use the password manager and reset passwords. Advertise the heck out of it to your users.

    4. Burn the Academy's current Data Loss Policy and create an actual Data Protection Policy based on what you've just implemented. Sometimes it's better to beg forgiveness than ask permission. Especially when you're begging forgiveness for ignoring bad policy and implementing a solution that actually works.
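
The approach this thread converges on (a domain password policy, plus random initial passwords that must be changed at first logon and are never kept in a list), shown in PowerShell as an added example that is not from any poster. It assumes the ActiveDirectory RSAT module; the domain `school.example` and the OU path are placeholders, and `New-InitialPassword` is a helper defined here.

```powershell
# Added illustration, not code from the thread. Needs the ActiveDirectory (RSAT)
# module and password-reset rights. Domain and OU below are placeholders.
Import-Module ActiveDirectory

# Step 1 above: minimum 8 characters, complexity on, change at least once a year.
Set-ADDefaultDomainPasswordPolicy -Identity 'school.example' `
    -MinPasswordLength 8 -ComplexityEnabled $true -MaxPasswordAge '365.00:00:00'

function New-InitialPassword {   # hypothetical helper defined for this example
    param([int]$Length = 14)
    # Look-alike glyphs (0/O, 1/l/I) are left out so printed slips are readable.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= $limit are rejected: no modulo bias
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    try {
        do {
            $sb = New-Object System.Text.StringBuilder
            while ($sb.Length -lt $Length) {
                $rng.GetBytes($byte)
                if ($byte[0] -lt $limit) {
                    [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
                }
            }
            $candidate = $sb.ToString()
            # AD complexity needs three character classes; redraw until all are present.
        } until ($candidate -cmatch '[a-z]' -and $candidate -cmatch '[A-Z]' -and $candidate -match '\d')
        return $candidate
    } finally { $rng.Dispose() }
}

# Every enabled account in the (placeholder) OU gets a fresh one-time password.
# Add -WhatIf to the two Set-* calls for a dry run.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Students,DC=school,DC=example'
foreach ($u in $users) {
    $plain = New-InitialPassword
    try {
        Set-ADAccountPassword -Identity $u -Reset -ErrorAction Stop `
            -NewPassword (ConvertTo-SecureString $plain -AsPlainText -Force)
        # Force a change at first logon so the issued value stops working as a credential.
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -ErrorAction Stop
        # Emitted once for a printed hand-out slip; never exported to a file or sheet.
        [pscustomobject]@{ User = $u.SamAccountName; InitialPassword = $plain }
    } catch {
        Write-Warning "Skipped $($u.SamAccountName): $($_.Exception.Message)"
    }
}
```

A forgotten password is handled by running the same reset for that one account, so no lookup list is needed.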

  14. #13

    GrumbleDook
    Out of interest, does this academy group manage primary, secondary and special school?
