The ugly truth about Passwords

On February 26, 2005, in Rants

For all my talk about security I’m going to bare my soul to you all.  I do something very very dumb.

I do a very stupid thing.  One that my fellow Security gurus beat me up over [and rightfully so].

Like Gavin, I sometimes need to log into “THE PROFILE”.  Not the admin profile, not a generic profile, but THE profile of the person who will be logging into that system come Monday morning.  So I need their password.  Yup, not too smart, is it?

So either I have to do what my Security Gurus like Gavin do, and force people to change their password every time I need to manually install something or ensure that a server deployment went as it should, or I have to figure out some other way of installing updates on a weekly basis, ensuring that the desktop experience is “perfect”, without jeopardizing accountability in the process.  I’m still personally struggling with the right answer.  I mean, I’m totally violating authentication here.  Yeah, I know, totally NOT smart, I’ll be the first to admit it.

Steve Friedl says this is something that is done all the time in the ‘Nix world.....and while many times if one OS has something the other OS has it too, this is one area where I’m not sure I can find a Windows equivalent.  Red Hat does have the same ability to age passwords and force certain policies with add-ons and other built-ins.  So if you can log in as an admin in Red Hat [or a similar ‘Nix distro] and then go into the profile experience of a user on that system.....sooooo.....why can’t we do that in Windows?  I’m the Administrator of my network.... so why can’t I get into the profile of that user without jeopardizing accountability in my network?
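As an added example (not from the original post, and not code from Steve Friedl, Gavin or anyone else quoted here), this is how the accountability half of the question plays out on the ‘Nix side. When root runs `su - <user>`, no password is asked for, and PAM writes a line to the auth log naming both the target account and the account that opened the session, so the audit trail still records who was really at the keyboard. The script below scans a few constructed auth-log lines (made up to resemble Debian `/var/log/auth.log` or Red Hat `/var/log/secure` entries for `su`; the line format and the log paths are assumptions, not taken from the page) and reports every session that root opened into someone else’s profile, which is the record an auditor would use to tell an admin’s visit from the user’s own logon.

```shell
#!/bin/sh
# Added example: the audit trail left when root uses `su` to enter a user's profile.
# The log lines below are CONSTRUCTED to look like PAM/su entries in /var/log/auth.log
# (Debian) or /var/log/secure (Red Hat); they are not taken from any real system.
SAMPLE_AUTH_LOG='Feb 26 09:12:01 host su[1234]: Successful su for bob by root
Feb 26 09:12:01 host su[1234]: + /dev/pts/0 root:bob
Feb 26 09:12:01 host su[1234]: pam_unix(su:session): session opened for user bob by root(uid=0)
Feb 26 09:30:45 host sshd[1300]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Feb 26 10:02:17 host su[1401]: Successful su for alice by root
Feb 26 10:02:17 host su[1401]: pam_unix(su:session): session opened for user alice by root(uid=0)
Feb 26 10:15:00 host su[1502]: FAILED su for alice by carol
Feb 26 10:15:00 host su[1502]: pam_unix(su:auth): authentication failure; logname=carol uid=1002 euid=0 tty=/dev/pts/1 ruser=carol rhost=  user=alice'

# Read auth-log lines on stdin; print "<timestamp> <target-user> root" for every
# session that root opened into another account with su. The user's own logons
# (sshd, login, gdm ...) and failed su attempts by non-root users do not match.
su_sessions_by_root() {
    grep 'pam_unix(su:session): session opened for user' \
      | grep 'by root(uid=0)' \
      | sed -E 's/^([A-Za-z]+ +[0-9]+ [0-9:]+) .* session opened for user ([^ ]+) by root\(uid=0\)$/\1 \2 root/'
}

# Run the filter over the constructed sample so the block works stand-alone.
demo() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | su_sessions_by_root
}

# Real use (assumed Debian-style log path):  su_sessions_by_root < /var/log/auth.log
demo
```

The last column is the point for the dilemma in the post: the session is attributed to root, not to bob or alice, so nothing the admin does while inside the profile can be mistaken for the user’s own activity, and the user’s password never had to be known or reset.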

The real problem that “I” have is exactly what Dr. Jesper Johansson says:

“The best practice is not to make the same person responsible for both security and system administration.”

And that’s exactly the problem I have.  I’m both.  I’m trying to make the desktop experience work ‘automagically’ for my users, and at the same time, trying to keep us secure.

So I know that the folks who do consulting normally do force the user to change the password, like Gavin does.  What do you do in a similar situation?

Me, I’m hoping some folks north of me will listen up and maybe, in that OS I’m tired of hearing about [pssss.... it goes by the name of that cow with big horns that I’m tired of hearing about, so I won’t even say its name], do something about my problem.  Either that or maybe I need an upgrade in policies myself.

I think I’ll probably end up upgrading myself to the next paranoid version.  🙂


One Response to The ugly truth about Passwords

  1. Tony Su says:


    I’m in complete agreement with JPS’ response to Gavin in your "Gavin does" post.

    At least in my experience, although it’s necessary from time to time, thankfully it hasn’t been often that I *had* to see what the User was seeing and there wasn’t an alternative. But even then, today there are new ways of doing this (RWW/TS shared sessions).

    So, although you may not like it, IMO it’s a fundamental pillar of MS Security dating all the way back to the earliest NT4 domains, which is still at least as important as it was then.

    If there is anything to complain about, it should be your previous targets in your blog... applications that just can’t get it through their heads that they need to play nice with Windows Security and Windows Objects. There is no reason why we SysAdmins should have to treat their apps as "special children who misbehave."