Password Security

[mark]

What are your policies regarding passwords?

Who knows them, can know them
Who can use them

We have procedures in place, but I dissagree with the Head.

This is our policy:

Only Myself and the Head [by means of access to the safe where I keep it] can know the password. Then the ICT Co-ordinator and the Head of IT, in that order, have access in an emergency in my absence, and then only after consulting the Head before any action takes place, that action having to be documented.

Only I should actually use the password without prior permission from the Head.

If the password needed changing - this has to be AFTER consultation with the Head. I would then change it, and update the safe record.

I think I need to be able to change the password immediately, without consultation, should the need arise.

What safeguards can we add so that the risk of it being lost, come my sudden and trajic death, are minimised?

[ChrisH]

Create an extra admin account besides your own. Make it like 20-30 characters of random letters and numbers etc write it down on a piece of paper and stick it in an envelope. Then cleary mark the envelope and cover it in sellotape all over so its obvious if its been tampered with and makes it hard to get into. Bung it in the school safe. Sorted!!

[mark]

Genius!

[Geoff]

Here's a good article.

http://www.securityfocus.com/advisories/485

[mark]

That's very thorough Geoff - best one i've seen yet - i'll update the staff handbook

[Geoff]

Also, if you want to audit your users passwords grab a copy of L0phtCrack and install it on your domain controller.

http://www.reznor.com/tools/lc3setup02.exe