Educational Software Thread, Password manager for our users in Technical; Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, ...
  1. #1


    Password manager for our users

    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.

  2. #2

    FN-GM
    What are you importing them into? Active Directory? Open Directory?

  3. #3

    plexer
    Originally Posted by manamaga2512:
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users (staff and students) network account passwords
    Seems like your policy is slightly flawed on that account then?

    Ben

  4. #4

    @Plexer - I wouldn't say 'flawed', but our current policy is not as 'tight' as it should be, hence the overhaul and the introduction of new policies and data protection training. We have been quite relaxed in the past and this is about to change.
    @FN-GM - We have all of our users' usernames; these can be exported from AD. I was thinking that we could maybe then import them into some app / software which will then generate random passwords which we can then issue to our end users. And should a user forget their password, for example, we can simply look them up and either email or give them a reminder in person.

  5. #5
    MordyT
    There is a script you can use on r Mueller site that can store these in an Excel file. We use it to generate the initial passwords at year start.

  6. #6

    plexer
    You shouldn't be storing users' passwords in any reversible format.

    Ben

  7. #7

    elsiegee40
    Originally Posted by manamaga2512:
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.
    Your network manager can change passwords as needed. He/she does not need to know passwords in order to change them. Passwords should not be known by anyone other than the account owner... that is the whole point of them.

    That said, it is not unusual for the master network administration passwords to be locked in a safe in case the NM is 'run over by a bus'.

    I would read and reread that policy, because I cannot believe that it says that everyone's password must be known by someone else. I would argue that you are in breach of the DPA if you do.

    @GrumbleDook will be able to give you chapter and verse if he is around
    Last edited by elsiegee40; 22nd November 2013 at 07:33 PM.

  8. #8

    Agreed, I would be seriously questioning anyone that wanted my password or knew my password if I was a normal user. From a data protection point of view it is so wrong.... what's to stop you logging on with one of the passwords and doing something nasty?
    Yes, as a Network manager you can change a password but then the user would know as they wouldn't be able to log on unless you reset it exactly to what it was?

    Our policy is we set a password initially for the staff when they first join... but set it to be changed on first log on.

  9. #9

    I would like to know who wrote such a policy and what qualified them to do so. I must say that it sounds absolutely absurd. No self respecting IT professional would ratify such a proposal if it was put in front of them, surely?

    There are various routes to issuing initial passwords to users (to be changed ASAP), but to even conceive of storing live passwords long term beggars belief.

  10. #10

    localzuk
    By doing this, you'd be introducing a giant gaping hole into your network. It'd mean you'd have to ban users from being able to change their own passwords too.

    The whole point of passwords is that only the user using them should know them. Otherwise, you can never be sure that only that user is on that account. So, you'd have no accountability should something go wrong.

  11. #11

    GrumbleDook
    Chapter and verse is as follows ... or at least one careful perspective

    To meet DPA principle 7 you should take all reasonable organisational and technical measures to secure data.

    Normally this would mean that the only person who should know the password of a user is the user themselves. The school should have the ability to change the password or prevent the user changing their password, should they need to complete any legitimate investigation of use or breach of school policies.

    This is done through this methodology so that the school is reasonably sure that any activity on an account is from that user, and there are no or few opportunities for others to use the account. If others have access to the account you cannot be sure who has done anything with it, risking principles 2, 5 and 7, as well as making it difficult for law enforcement agencies to investigate any breaches of the law (Computer Misuse Act, child protection investigations, etc).

    There are times when you might want or need a list though, and these should be considered appropriately. In some schools the class teacher may be required to have ready access to the password for users in their class, due to the age or ability of the learners. This should be treated sensitively by that teacher. The teacher might not be given trusted delegation to change passwords as this can be deemed an admin task and outside of the teacher's role / work. A central list might need to be maintained by a trusted person within the school for this to be referred back to. The storage of this central list must also be treated sensitively.

    The main reasons you don't tend to have the central store is audit and accountability.

    Other reasons why schools seek to have the list is to allow any designated member of staff to have access to specified user areas. This might be provided alternatively by the use of permissions on file storage. If you are operating on a cloud-based solution that does not offer this level of delegation then again the central list might be deemed the appropriate way to manage risks.

    Key to all this? Risk analysis, and taking justifiable and appropriate actions, and ensuring that any changes to risk are dealt with accordingly.

    I am not saying that the central policy is right, just that it needs to fit around *your* analysis! and that of the SIRO in the school.


  13. #12

    seawolf
    Originally Posted by manamaga2512:
    Hi all, in order to comply with our Academy's new data protection policy, we need to be able to manage, and have access to all of our users (staff and students) network account passwords and be able to issue / change them as we need. I wondered if anyone was already using or can recommend any software (preferably to run a Mac) whereby we can import all of our users and generate random passwords. We will also need to be able to change said passwords when needed should the user forget or want to change it later.

    Many thanks.
    Do NOT do this. If I may be so blunt, your Academy's new data protection policy should be renamed to the data LOSS policy.

    Instead, do this.

    1. Create a password policy in AD that requires a minimum of 8 characters and strong passwords, as well as a password change at least once a year (more frequent is better, but I understand it is teachers and students you're dealing with).

    2. Install a password manager such as the ones from Netwrix or ManageEngine. These will enable your users to set up security questions they can answer to reset their own passwords if they forget them, and a delegated admin account you could provide to any techs or even the librarian to reset user passwords securely. These also work great for tablet users who never or rarely log onto a computer on the network to receive alerts about expiring passwords. Netwrix also provides software that will send reminder emails to users when their password is expiring to give them a heads up.

    3. Document the new password policy and how to use the password manager and reset passwords. Advertise the heck out of it to your users.

    4. Burn the Academy's current Data Loss Policy and create an actual Data Protection Policy based on what you've just implemented. Sometimes it's better to beg forgiveness than ask permission. Especially when you're begging forgiveness for ignoring bad policy and implementing a solution that actually works.
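
A sketch of step 1 above together with the "initial password, changed at first logon" approach mentioned earlier in the thread. This is an added example, not code from any poster or vendor; it assumes the ActiveDirectory (RSAT) PowerShell module, and the OU path and the `New-InitialPassword` helper are hypothetical.

```powershell
# Added example. Assumes the ActiveDirectory (RSAT) module and rights to reset
# passwords in the target OU. $Ou is a placeholder, not a value from the thread.
Import-Module ActiveDirectory
$Ou = 'OU=Students,DC=example,DC=org'   # placeholder OU

# Step 1: domain policy with 8+ characters, complexity on, yearly change,
# and no reversible storage of passwords in the directory.
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
    -MinPasswordLength 8 -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -ReversibleEncryptionEnabled $false

function New-InitialPassword {
    param([int]$Length = 12)
    # Look-alike characters (0/O, 1/l/I) are left out so it can be read off paper.
    $alphabet = 'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # rejection bound, avoids modulo bias
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $pw = $sb.ToString()
        # Regenerate until lower, upper and digit are all present (AD complexity).
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d')
    $rng.Dispose()
    return $pw
}

# Issue one-time passwords. Each must be changed at first logon, so staff never
# hold a working password. Accounts flagged "password never expires" are skipped
# because the change-at-logon flag cannot be set on them.
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -SearchBase $Ou | ForEach-Object {
    $pw = New-InitialPassword
    Set-ADAccountPassword -Identity $_ -Reset `
        -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
    Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
    # Emitted to the pipeline only: print once for hand-out, do not save to a file.
    [pscustomobject]@{ User = $_.SamAccountName; OneTimePassword = $pw }
}
```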

  14. #13

    GrumbleDook
    Out of interest, does this academy group manage primary, secondary and special school?


