Security Forums
Legality of decrypting passwords

josh000 (Just Arrived, joined 30 Jun 2008)
Posted: Mon Jun 30, 2008 2:43 pm    Post subject: Legality of decrypting passwords

Hello,

I am having an argument with a coworker, who thinks it is fine to decrypt users' passwords to migrate files, as it is faster and more convenient than having the users reset their passwords.

I am sure this is almost never necessary, is a horrible invasion of privacy, and quite possibly illegal.

Can anyone shed light on whether this is legal or not, and whether signing away your data to the company would extend to them having the right to decrypt your passwords?

Any legal cases would be extra useful

Cheers
capi (SF Senior Mod, joined 21 Sep 2003, Portugal)
Posted: Mon Jun 30, 2008 4:48 pm

You have reversible encryption on the passwords? That's certainly strange.

I can't provide qualified comment on the legal side. In my opinion though, it's very clear that the right thing to do is simply to reset the passwords...

Aside from the obvious moral aspects, which in themselves should be enough, there is also the aspect of accountability: for a given user account, if people other than its rightful owner know the password, then if that account does something wrong, you can no longer establish that it was that specific person who did it. The user will always have the argument that people other than him knew the password, through no fault of his own, so there will always be reasonable doubt.
AdamV (SF Mod, joined 06 Oct 2004, Leeds, UK)
Posted: Tue Jul 01, 2008 12:08 pm

I agree with capi.
Reset the user's password to something new, then get the user to change it to something else afterwards. Depending on your setup you can force them to change it at next logon, and depending on your policies they might be allowed to set it back to their old password, thus causing very little impact and not having a new one to remember.
By doing this you have an open and transparent process. The user knows you had access to the system as them for a period of time, and that you now (presumably) do not.
Routinely 'cracking' user accounts means that they assume you can always access stuff in their name, which is a very bad idea.
The CEO probably does not want you reading his email or personnel files - and certainly does not want you to do this under his logon without an audit trail. Sure, if you need admin access to move some stuff around or restore data, that's fine, but the logs should show exactly who did what and when.

You should also accept the reality that users may use the same or very similar passwords for several things in spite of the best advice - see this Technet magazine article by Jesper Johansson about passwords and security for some reasons why.
So if you crack the CEO's network password, which he also uses to access his online banking or share-dealing and investment sites, the first person he would accuse if anything strange happened on those sites would be the IT guy. Or rather, the swiftly EX IT guy.
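An added example, not from AdamV's post or from any tool he names: a PowerShell function that carries out the procedure he describes (administrative reset to a fresh temporary password, then force a change at next logon) and writes an audit record of who reset which account and when, so the access is open and logged rather than hidden. It assumes the ActiveDirectory module (RSAT) is installed and that the account name and log path in the invocation are placeholders.

```powershell
# Added example (not code from the original thread). Assumes the
# ActiveDirectory module; 'jdoe' and the log path are placeholders.
Import-Module ActiveDirectory

function Reset-MigrationPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $LogPath   # audit trail: who, which account, when
    )

    # Generate a random one-time password. The old password is never
    # looked up, recovered or reused; the reset does not require it.
    $bytes = New-Object byte[] 18
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $tempPlain  = [Convert]::ToBase64String($bytes)
    $tempSecure = ConvertTo-SecureString $tempPlain -AsPlainText -Force

    # Administrative reset (-Reset) rather than a change, so no current
    # password is needed.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $tempSecure

    # The temporary password is only good for one logon: the user must
    # pick a new one, so the admin's knowledge of it expires immediately.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Record the reset (never the password itself) for accountability.
    $entry = "{0:o} {1} reset password for {2}; change required at next logon" -f `
        (Get-Date), $env:USERNAME, $SamAccountName
    Add-Content -Path $LogPath -Value $entry

    # Hand this to the user out of band; it stops working after first use.
    return $tempPlain
}

# Placeholder invocation:
# Reset-MigrationPassword -SamAccountName 'jdoe' -LogPath 'C:\Audit\password-resets.log'
```

Two caveats a practitioner would check first: `-ChangePasswordAtLogon $true` has no effect on an account flagged "password never expires", and the temporary password should be delivered to the user through a channel other than the one being migrated. As AdamV notes, whether the user may then set the old password again is a matter of the domain's password-history policy, not of this script.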
graycat (SF Mod, joined 29 Apr 2005, London, UK)
Posted: Tue Jul 01, 2008 12:31 pm    Post subject: Re: Legality of decrypting passwords

josh000 wrote:
.... who thinks it is fine to decrypt users' passwords to migrate files, as it is faster and more convenient than having the users reset their passwords....

Personally, I can't think of one reason why you would need to know or reset a password simply to migrate files. As an admin you have pretty much full control over your resources and as such can just migrate them without the user's interaction, and if you use the right (free) tool or process then their security permissions and ownership flags will be exactly as before.

As has been said previously, I can't comment on the legality of it but I would guess there should be something in the IT handbook / policies that say when and why an admin could crack a user's password.
Personally, the only times we try to do anything like that is for password auditing and it's done by one person who presents the results (no passwords contained of course), actions are taken if required and then the audited info is deleted.
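An added example, not graycat's own process or the tool he refers to: a PowerShell wrapper around robocopy that copies a user's data between two paths under the administrator's own credentials, preserving NTFS permissions, owner and auditing entries, logging exactly what was copied, and then spot-checking that owner and explicit ACEs match on the destination. The source, destination and log paths are placeholders.

```powershell
# Added example (not code from the original thread). Paths are placeholders.
# Run elevated: copying the owner (/COPY:O) and the SACL (/COPY:U) needs the
# backup/restore and security privileges that only administrators hold.

# Stable string form of the non-inherited ACEs on a file, for comparison.
# Inherited ACEs are excluded because the destination parent may legitimately
# contribute different ones.
function Get-ExplicitAceString([System.Security.AccessControl.FileSystemSecurity] $Acl) {
    ($Acl.Access | Where-Object { -not $_.IsInherited } |
        ForEach-Object { "$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)" } |
        Sort-Object) -join ';'
}

function Copy-UserDataPreservingAcl {
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Destination,
        [Parameter(Mandatory)] [string] $LogPath
    )

    $Source = (Resolve-Path $Source).ProviderPath.TrimEnd('\')

    # /E        recurse, including empty directories
    # /COPYALL  = /COPY:DATSOU: data, attributes, timestamps, security (DACL),
    #             owner and auditing (SACL), so ownership flags stay as before
    # /DCOPY:T  keep directory timestamps as well
    # /R:2 /W:5 limited retries so one locked file does not stall the run
    # /NP       no progress percentages, which keeps the log readable
    # /LOG+:    append a record of every file copied, under the admin's account
    robocopy $Source $Destination /E /COPYALL /DCOPY:T /R:2 /W:5 /NP "/LOG+:$LogPath"

    # robocopy exit codes 0-7 are success bit flags (1 = files copied, 2 = extra
    # files at destination, ...); 8 and above mean at least one failure.
    if ($LASTEXITCODE -ge 8) {
        throw "robocopy reported failures (exit code $LASTEXITCODE); see $LogPath"
    }

    $Destination = (Resolve-Path $Destination).ProviderPath.TrimEnd('\')

    # Spot-check a sample of migrated files: owner and explicit ACEs must match.
    Get-ChildItem -Path $Destination -Recurse -File | Select-Object -First 5 | ForEach-Object {
        $rel = $_.FullName.Substring($Destination.Length + 1)
        $src = Get-Acl -Path (Join-Path $Source $rel)
        $dst = Get-Acl -Path $_.FullName
        if ($src.Owner -ne $dst.Owner -or
            (Get-ExplicitAceString $src) -ne (Get-ExplicitAceString $dst)) {
            Write-Warning "owner/ACL mismatch on $rel"
        }
    }
}

# Placeholder invocation:
# Copy-UserDataPreservingAcl -Source '\\oldfs\users\jdoe' -Destination '\\newfs\users\jdoe' `
#     -LogPath 'C:\Audit\migration-jdoe.log'
```

If the administrator is deliberately absent from the users' ACLs, add robocopy's `/B` (backup mode) so the copy proceeds via the backup privilege without rewriting anyone's permissions; the log still records that it was the admin account, not the user, that performed the copy, which is exactly the audit trail AdamV asks for.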
capi (SF Senior Mod, joined 21 Sep 2003, Portugal)
Posted: Tue Jul 01, 2008 3:29 pm

AdamV wrote:
You should also accept the reality that users may use the same or very similar passwords for several things in spite of the best advice - see this Technet magazine article by Jesper Johansson about passwords and security for some reasons why.

Nice article, Adam.

I've always had similar thoughts and loathed the absurd inhumane password policies some people tend to force upon the users, such as impossible complexity requirements for a password that needs to be changed every 4 weeks to another impossibly complex password, and you can't repeat old passwords, and it can't have dictionary words, and it can't have this and it can't have that. All of this is incredibly counterproductive and only serves to get in people's way, as well as cause insecurity when the users start working against the security measures instead of with them.

My ATM password is a 4-digit PIN, which is used to protect all my money. No stupid 40-character passwords containing 40 different characters that need to be changed every 10 days, nothing. And it works.

Technology should be serving humans, not the other way around.