josh000 Just Arrived
Joined: 30 Jun 2008 Posts: 0
Posted: Mon Jun 30, 2008 2:43 pm Post subject: Legality of decrypting passwords
Hello,
I am having an argument with a coworker, who thinks it is fine to decrypt users' passwords to migrate files, as it is faster and more convenient than having the users resetting their passwords.
I am sure this is almost never necessary, is a horrible invasion of privacy, and quite possibly illegal.
Can anyone shed light on if this is legal or not, and if signing away your data to the company would extend to them having the right to decrypt your passwords?
Any legal cases would be extra useful.
Cheers
capi SF Senior Mod
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Mon Jun 30, 2008 4:48 pm
You have reversible encryption on the passwords? That's certainly strange.
I can't provide qualified comment on the legal side. In my opinion though, it's very clear that the right thing to do is simply to reset the passwords...
Aside from the obvious moral aspects, which in themselves should be enough, there is also the aspect of accountability: for a given user account, if people other than its rightful owner know the password, then if that account does something wrong, you can no longer establish that it was that specific person who did it. The user will always have the argument that people other than him knew the password, through no fault of his own, so there will always be reasonable doubt.
AdamV SF Mod
Joined: 06 Oct 2004 Posts: 24 Location: Leeds, UK
Posted: Tue Jul 01, 2008 12:08 pm
I agree with capi.
Reset the user's password to something new, then get the user to change it to something else afterwards. Depending on your setup you can force them to change it at next logon, and depending on your policies they might be allowed to set it back to their old password, thus causing very little impact and not having a new one to remember.
By doing this you have an open and transparent process. The user knows you had access to the system as them for a period of time, and that you now (presumably) do not.
Routinely 'cracking' user accounts means that they assume you can always access stuff in their name, which is a very bad idea.
The CEO probably does not want you reading his email or personnel files - and certainly does not want you to do this under his logon without an audit trail. Sure, if you need admin access to move some stuff around or restore data, that's fine, but the logs should show exactly who did what and when.
You should also accept the reality that users may use the same or very similar passwords for several things in spite of the best advice - see this TechNet Magazine article by Jesper Johansson about passwords and security for some reasons why.
So if you crack the CEO's network password, which he also uses to access his online banking or share-dealing and investment sites, the first person he would accuse if anything strange happened on those sites would be the IT guy. Or rather, the swiftly EX IT guy.
graycat SF Mod
Joined: 29 Apr 2005 Posts: 16777195 Location: London, UK
Posted: Tue Jul 01, 2008 12:31 pm Post subject: Re: Legality of decrypting passwords
josh000 wrote:
.... who thinks it is fine to decrypt users' passwords to migrate files, as it is faster and more convenient than having the users resetting their passwords....
Personally, I can't think of one reason why you would need to know or reset a password simply to migrate files. As an admin you have pretty much full control over your resources and as such can just migrate them without the user's interaction, and if you use the right (free) tool or process then their security permissions and ownership flags will be exactly as before.
As has been said previously, I can't comment on the legality of it, but I would guess there should be something in the IT handbook / policies that says when and why an admin could crack a user's password.
Personally, the only times we try to do anything like that is for password auditing and it's done by one person who presents the results (no passwords contained of course), actions are taken if required and then the audited info is deleted.
capi SF Senior Mod
Joined: 21 Sep 2003 Posts: 16777097 Location: Portugal
Posted: Tue Jul 01, 2008 3:29 pm
Nice article, Adam.
I've always had similar thoughts and loathed the absurd inhumane password policies some people tend to force upon the users, such as impossible complexity requirements for a password that needs to be changed every 4 weeks to another impossibly complex password, and you can't repeat old passwords, and it can't have dictionary words, and it can't have this and it can't have that. All of this is incredibly counterproductive and only serves to get in people's way, as well as cause insecurity when the users start working against the security measures instead of with them.
My ATM password is a 4-number PIN, which is used to protect all my money. No stupid 40-character passwords containing 40 different characters that need to be changed every 10 days, nothing. And it works.
Technology should be serving humans, not the other way around.