Security Corner

Jan 31 2015   9:48PM GMT

What was that password?

Ken Harthun

Tags:
Access Passwords
Administrator password
Password management
Security

I read with interest Jeff Cutler’s column The Lesson of the Bike Lock and Security Methodology. Great analogy, and I find this quite fitting: “The lesson today is not to have a lock you can’t use.” He’s referring to a combination lock with the combination known only to his father, who had passed away: “Bike lock inaccessible. Useless. And no known plan to revive access,” he says. Who in IT hasn’t been confronted with taking over the post of a predecessor who failed to document (intentionally or otherwise) the password for a critical network device? In this case, it’s not quite as bad because there is often a procedure, albeit an arduous one, to reset the password and revive access. Still, it involves system downtime.

And that’s where today’s security lesson comes in. As much as we harp on folks to secure their data, computers, systems, personal effects and facilities, we haven’t offered much of a solution for recalling or securing the keys to the locks that keep your stuff…and your organization’s stuff…safe.

It’s not that solutions don’t exist; rather, I think it’s because we don’t take the time to properly implement them and educate people on how to use them.

What’s the best method for remembering a password? Do you just keep IT on speed-dial? Do you write it on a sticky not [sic] and put it under your keyboard? Don’t tell Ken that’s your plan…his eyeballs would pop out of his head!

Indeed! More likely that my head would completely explode, Jeff. These days, there are many ways passwords can be safely stored and passed along to successors without relying on sticky notes. I’ve advised estate planners and attorneys on simple methods for accomplishing this, and I’ve written two posts, How will you pass on your passwords when you pass away? Part 1 and Part 2, that discuss this issue. Those posts don’t address procedures for an organization, so let me describe something that works quite well and isn’t complicated.

In my organization, there are four network administrators and a corporate office spread across three states. Any one of the net admins could be called upon to help out at another location or the corporate office in the regular guy’s absence, so having access to the passwords is vital. Here’s what we came up with:

  1. Each net admin created a password-protected spreadsheet containing all login information for every relevant device and service account for their location.
  2. Each campus president and office manager was given a copy of the spreadsheet and the document password for their location.
  3. Copies of all of the spreadsheets are in the custody of our IT manager at the corporate office.
  4. These spreadsheets are routinely updated as passwords are changed and old versions are retained.

How does your organization manage passwords?
