
What are your thoughts on this password issue?


SkinnyT

Technical User
Jun 22, 2001
30
US
I'm taking an online class where we have an open forum going on the following:

You have been sent to a local sales office for your company. You discover that all users have the same username and password. The justification for this is that "it is easier to remember."

What arguments would you give to convince the office that this is not a good practice?

My initial opinion was as follows:

The first argument I would give is that this is a good set-up for a social engineering attack. This non-technical approach can be as simple as someone calling the office and asking for the password. I'm sure that in this kind of environment with such a lack of a security policy in place that the users are very complacent and would easily give out the information without a second thought. Also, it only takes one disgruntled employee to get fired and get back at the company by making that info public knowledge. Another point to consider is that any employee with highly sensitive information in this office has opened themselves up to leaking this info.

One of my classmates replied with:

This company and its members are considered loyal and upstanding. The office staff here at the local sales office have been working together to make the success of the company a priority. Having the same username and password allows the team to confide in each other and share the network and information openly. This ideology works for us as it allows for all to collaborate in a much more fluid manner without need for restrictions. The point of view of the sales office staff is that we should consider each other as trustworthy and by beginning to doubt each other by justifying set restrictions only creates an uncomfortable setting where paranoia breeds conflicts of interests.

I couldn't think of any rebuttal on this if everyone is so trustworthy of one another. Does anyone here have any additional insight they'd like to add? Thanks!

Sr. System Support Analyst
Washington, DC
 
My first question to the proponent of the "one big happy family" interpretation is, "So I take it, then, that you can personally guarantee no employee in this office will ever become disgruntled?"

Computer security, like the locks on the door of your house, doesn't exist to protect against the best of times, but rather to protect against the worst of times. All it takes is for that sales office to have two or three quarters in a row where they have to scramble to meet their sales quota, and nerves will fray. Add to that mix an implicit threat from the main office of reducing the size of the sales force, and the sales reptiles in that office will switch from a strategy of cooperation to a strategy of competition. Then those common passwords will become a liability.




Want to ask the best questions? Read Eric S. Raymond's essay "How To Ask Questions The Smart Way". TANSTAAFL!
 
In a situation such as this, my comment would be that unique logon IDs and passwords allow for successful tracking down of the cause in the event of a security breach. There is no such thing as a 100% secure environment where networking is concerned. If everyone has the same login, how do you know which person's computer access is being compromised?
I would also remind them that "Loose lips sink ships." While everyone in the office is trustworthy and can be relied upon to not become disgruntled, what about the office manager's wife's best friend, or the employees' kids? They may not realize what they are letting slip during their gossip sessions, and to whom. While the employees themselves are "above suspicion," individual logins would give investigators a starting place. Also remind them that IF the system were to be compromised, the ensuing fuss would destroy all trust in the office from all the finger pointing back and forth.
 
Your first response might have been:
"Hey, I just got a call from one of our major customers and they saw our holiday party pictures on the internet? Who uploaded them?"

 
I had to read this twice; I thought it was an actual situation in an office...! (Although, saying that, I'm sure there are plenty of offices where it is the case!)

I agree with the previous posts: everyone in the office is trustworthy, sure, but their friends, or teenage would-be-hacker son, are not! Also, it's a sales office. I imagine this would mean that they hold information on customers, transactions, and maybe even credit card details? I think if that's the case you may find there is a legal requirement to have this secure, and part of secure will be having a strong password policy which is enforced.

If it is indeed a legal case, which you would have to check out, there is little comeback anyone could offer on that!

Your classmate is right, users will be disgruntled, in the same way as if you told them to delete all their MP3s or controlled their web access... but it's just a case of getting used to it.
 
I don't think you'll make any headway with those arguments; people will not change their basic nature of operation unless there's a real good, hit-em-over-the-head reason. My personal favorite, especially if it's a public company, is "we'll never pass an audit unless you change your ways." Nothing hits quite as hard as telling someone they'll have to justify to upper management why they were the reason for an audit failure.
 
-If everyone shares the same username/password I am assuming all users then are admins on your network.
-You now have a bunch of people with one wrong click that can hose your network, server, file server, email, etc.
-One worker turns unhappy and everything you have is at their control (show me a place where one person isn't disgruntled).
-Centralized user management does not inhibit collaborative work. They could put everything on a network share and have access to everything (and you can track access to those objects for legal/security reasons)
-One virus can now hop from machine to machine because it already is operating as the only user in the environment.

I could go on and on with the flaws of this.
But I will only add one more:

The FBI shows up at your local office. It seems that one trusted employee (maybe a hacker) has downloaded Child Pornography.

Through interviews with all the workers the FBI agent finds that everyone had access to this illegal material.

What do you think happens:
A:> FBI cannot pinpoint exact user so it drops case
B:> FBI arrests everyone and lets the courts figure it out.

Now that your local office is being added to the Sexual Predator list, how do you go about tracking user actions on that network to prove your innocence?



Gb0mb

........99.9% User Error........
Ubuntu -- African for I can't install Gentoo
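The two points raised above, that individual logins give investigators a starting place and that access to objects on a share can be tracked, can be shown on a few audit lines. The following script is an added example and is not from any poster in this thread; it assumes a syslog-like line format (`timestamp host event user=... path=...`), an account-to-people table, and constructed sample entries, all of which are mine rather than anything described here.

```python
"""Added example (not from the Tek-Tips thread): what an investigator can and
cannot recover from audit logs when an account is shared.

Assumptions (mine, not the thread's):
  * each audit line looks like "<ISO timestamp> <host> <event> key=value ..."
  * ACCOUNT_HOLDERS maps an account name to the people who know its password
The sample log lines below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one shared account "sales" (used by three people) and two
# individual accounts. Times are on the day the original question was posted.
SAMPLE_LOG = """\
2001-06-22T09:00:01 ws01 login user=sales
2001-06-22T09:00:05 ws02 login user=sales
2001-06-22T09:00:09 ws03 login user=sales
2001-06-22T09:01:00 ws04 login user=alice
2001-06-22T09:01:30 ws05 login user=bob
2001-06-22T09:15:00 ws02 file_read user=sales path=/shares/customers.xls
2001-06-22T09:16:00 ws04 file_read user=alice path=/shares/pricing.xls
2001-06-22T17:00:00 ws01 logout user=sales
"""

# Hypothetical table: who knows each account's password.
ACCOUNT_HOLDERS = {
    "sales": {"carol", "dave", "erin"},   # the shared login
    "alice": {"alice"},
    "bob": {"bob"},
}


def parse(text):
    """Turn audit lines into dicts with ts/host/event plus any key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, **fields})
    return events


def shared_credential_candidates(events):
    """Accounts with open sessions on more than one host at the same time.

    Simultaneous logins from several workstations under one name is the
    simplest sign that a password is being shared; returns {user: hosts}.
    """
    active = defaultdict(set)   # user -> hosts with a session still open
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "login":
            active[ev["user"]].add(ev["host"])
            if len(active[ev["user"]]) > 1:
                flagged[ev["user"]] = set(active[ev["user"]])
        elif ev["event"] == "logout":
            active[ev["user"]].discard(ev["host"])
    return flagged


def suspects_for_read(events, path):
    """For each read of `path`, the sorted list of people who could have done it.

    An individual account yields exactly one name; a shared account yields
    everyone who knows the password, which is why the thread's posters point
    out that the shared login leaves investigators with no single answer.
    """
    suspects = []
    for ev in events:
        if ev["event"] == "file_read" and ev.get("path") == path:
            suspects.append(sorted(ACCOUNT_HOLDERS.get(ev["user"], {ev["user"]})))
    return suspects


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("accounts active on several hosts at once:",
          shared_credential_candidates(evs))
    for p in ("/shares/customers.xls", "/shares/pricing.xls"):
        print(p, "->", suspects_for_read(evs, p))
```

Run as-is, the shared `sales` account is flagged on three workstations, the read of `customers.xls` can only be narrowed to three people (plus the host it came from), while the read of `pricing.xls` resolves to one person. The same per-user session tracking is what makes the "it only takes one disgruntled employee" scenario answerable after the fact instead of a matter of finger pointing.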
 
My reaction to this is summed up in two words: naive, foolish. Depending on the data on the server, it could also be illegal.

Think of the reactions of the clients to finding out that all their information is available to ALL the people in the sales office (not just their own sales person) at any time with no way to see who's done what with the data.

Sales staff personnel are usually competitive, which means that sabotaging another sales person's account(s) for personal gain is a very real possibility. A contest between the sales people could expose the vulnerability pretty easily when (true or false) claims of changed sales records come up that could affect the outcome of the contest.

Lee
 
No matter what the sales reps use as their justification, I would bet they signed an acceptable use policy when they started their employment with the company. I don't know about the one this fictitious group uses, but the one where I work strictly forbids sharing login information. All you have to do then is remind them that their continued employment is in jeopardy and you'd probably convince a large number of them to secure their workstations.
 