Password change management

Dear Experts,

I am a network administrator/IT help desk for my company, and in order to enforce stronger data security, we are starting to enforce policies about user passwords, such as having to change them every 3 months, creating strong passwords, etc.
My issue is, I need to know everyone's passwords at all times, because there are times that my supervisor needs certain info from the user's machine, or I need to perform updates/maintenance, and the user may not be there.  I don't want to reset passwords for them for these purposes.
I would be happy to keep the passwords in my encrypted database, however, I am not sure how I should request the users' passwords when they are changed.  Is asking them to send it via email secure enough?  (We have Exchange)  I feel like if we want to make our system secure, then inputting the passwords into my database should be done securely as well.

I understand that as an administrator, I should not have the users' passwords, only the ability to reset them, however, that is not my option. That's the reason why I feel like I am doing something extremely odd.
Please advise.
pony10us Commented:
"Thank you for your reply, perhaps what I did not make clear is that sometimes I am ordered to get into someone's mail via OWA.
Can System Administrator do that without resetting the user password? "

Yes, as an administrator you can access another user's OWA without knowing their password. You just need to have full access to the email account, which again, as a domain admin, you would have.

1. Open ADUC so that you see the Exchange tabs
2. Locate the user in question and open properties
3. Select the Exchange General tab
4. Make note of the Alias (this may be different than the user's login name)
5. Open your browser
6. In the address bar type https://<server>/exchange/<alias>
Are these machines in an Active Directory Domain?  If so then a domain admin account can perform all the actions that you describe as necessary.

If not then I suggest that you set up an account on all the machines as a local administrator that would then permit you the same functions.

Neither of these options requires you to have the user's password.
I agree with pony10us. With an Active Directory Domain setup, you can easily meet all of the needs specified above without having the users' passwords.

As for emailing passwords: even though you manage your own Exchange servers, it is still not good practice to email passwords around. If a laptop or mobile device gets stolen or lost, the sent history contains the password, regardless of the password potentially having been reset.

I know from my past experience, I had both local and domain admin accounts and was able to do anything and everything needed to run and manage a Windows infrastructure.

Rich Rumble (Security Samurai) Commented:
Yes, you're doing the opposite of what you should be doing. The passwords are supposed to be separate, the main reason being accountability. If you know all the passwords, you could easily set someone up, or if the users knew each other's passwords, they could set each other up and get those people fired.
As stated (twice) above, if you're the administrator you can do the administration (hence the name) that you need. The only times you "need" a user's password is to do something as them, for them, and again that removes the accountability. If you were doing something as them and it broke something else, unless you confess to doing it as the user, that user is the liable person.

Password policies should start out stating that the sharing or divulging of passwords is not to be done. Those old rules about having your password change every 3 months are probably not short enough these days, unless your passwords are going to be 14 or more characters.

Thank you for mentioning the password change interval. I was so concerned I skipped right over that. In our environment it has been suggested by auditors that we set passwords to expire every 30 days. Management has compromised and had us set it at 60 days (the users want 90 or longer).

We also require complex passwords: upper case, lower case, numeric and special characters, with a minimum of 8 characters, and remember the last 6. Also, we don't permit recurring patterns, so someone can't use johndoe1 and change it to johndoe2, etc.
Rich Rumble (Security Samurai) Commented:
It's all relative to length; the policy seldom works the way it was intended (except when you are forbidding repeated passwords). It's easy to get a weak password past a policy, but the longer the better, and if you can forbid certain weak passwords, stuff in the dictionary, all the better.
A policy for example doesn't reduce the keyspace an attacker has, unless you make a lot of restrictions on what the user can do...

Your policy (4, Upper, lower, num, spec) reduces the key space an attacker has to use more than if you had only 3 restrictions, by roughly 45% when the password is 8 characters long! So that's 55 out of 100 they'd have to try as opposed to 95 out of 100.

You need length, of course diversity, but the single best thing you can do is length. It decreases the likelihood of success from the attacker more than the policy does itself.

Passwords are easy to crack, so the recent remedy is to make them slower to check against. It's good for the person who is authorized, because checking the correct password takes what seems like no time, but checking the incorrect passwords takes much much longer. 7zip and WinRar for example, a single CPU machine will maybe guess 7-8 per second. With a GPU maybe 200-300 per second. That's much lower than LM/NTLM which will be in the Millions and Billions per second category on a single CPU.

Password "strength" not only depends on the password itself, it can often depend on the hashing algorithm used. Windows is no salt, Unix (crypt) has 1024 possible salts, now Unix has PBKDF2 and bcrypt.

So if no one has the SAM database or the NTDS.dit file from your domain, then the way they can test for your password is to try login, which will likely lock them out, so they don't get to try much, unless it's against the local administrator account (note that local admin can be disabled and or locked out in windows 7 and beyond)

So the attack vector can also hinder. But if a challenge-response is sniffed, or a kerberos ticket perhaps, then offline hashing will provide the attacker the fastest methods, and if the key-space is reduced by 50% then there is even less work to be done! We made 12 or more mandatory for users 5 years ago. We made 15 or more mandatory for Administrators and Operations folks a year before that.

Just for clarification, if I understand correctly then our policy actually would result in 94.56% approximately.

8    3    6273401614552800    94.56%

Since we require at least one character from 3 of the 4 that I mentioned?
Rich Rumble (Security Samurai) Commented:
I see, yes, 3 of the 4 at length 8 that is. The longer the better (I won't go there) still. If it's 4 of 4 @8 then the policy hurts more than helps :)
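The keyspace figures traded back and forth above (the 6273401614552800 row for "at least 3 of 4 classes at length 8", the 4-of-4 comparison, and the claim that length matters more than the policy) can be checked exactly with inclusion-exclusion. The following Python is an added example written for this thread, not code from any participant. It assumes the 95 printable ASCII characters split into 26 lower, 26 upper, 10 digits and 33 special characters; a policy of "at least k of the 4 classes" is counted by summing, over every set of classes of size k or more, the number of strings that use exactly that set.

```python
# Added example (not from the original thread): exact keyspace arithmetic for
# the "at least N of 4 character classes" password policies discussed above.
# Assumed alphabet: the 95 printable ASCII characters, split into
# 26 lower, 26 upper, 10 digits and 33 special characters (space included).
from itertools import combinations
from math import log2

CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
FULL_ALPHABET = sum(CLASS_SIZES.values())  # 95


def strings_within(classes, length):
    """Number of strings of `length` drawn only from the given classes."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return alphabet ** length


def strings_using_exactly(classes, length):
    """Strings that use every class in `classes` and no class outside it.

    Inclusion-exclusion over subsets of `classes`: start with every string
    inside the class set, then alternately subtract and add the strings
    that miss one, two, ... of the required classes.
    """
    total = 0
    for r in range(len(classes) + 1):
        for subset in combinations(classes, r):
            sign = (-1) ** (len(classes) - r)
            total += sign * strings_within(subset, length)
    return total


def keyspace(length, min_classes):
    """Passwords of `length` containing at least `min_classes` distinct classes."""
    names = tuple(CLASS_SIZES)
    return sum(
        strings_using_exactly(chosen, length)
        for r in range(min_classes, len(names) + 1)
        for chosen in combinations(names, r)
    )


def remaining_fraction(length, min_classes):
    """Share of the unconstrained 95^length space an attacker still has to search."""
    return keyspace(length, min_classes) / (FULL_ALPHABET ** length)


def policy_table(policies):
    """Rows of (length, min_classes, keyspace, fraction of 95^length, log2 bits)."""
    rows = []
    for length, min_classes in policies:
        space = keyspace(length, min_classes)
        rows.append((length, min_classes, space,
                     remaining_fraction(length, min_classes), log2(space)))
    return rows


if __name__ == "__main__":
    # Compare the thread's 8-character policies with longer, unconstrained passwords.
    for length, k, space, frac, bits in policy_table(
            [(8, 1), (8, 3), (8, 4), (9, 1), (12, 1), (15, 1)]):
        print(f"length {length:2d}, >= {k} classes: {space:>22,d}"
              f"  {frac:7.2%} of 95^{length}  {bits:5.1f} bits")
```

Running the table shows that requiring all 4 classes at length 8 leaves less than half of 95^8 to search, while a single extra character with no class requirement at all (length 9) already gives a larger space than any 8-character policy, which is the "length beats complexity" point made above.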
Thank you,  We are preparing to alter our password policy now that we have finally moved our AD to a 2008 R2 functional level.  That site will come in real handy.

Sorry to get this thread slightly sidetracked.  There is lots of good information provided here however it still comes down to what I stated in my first reply. There really should be no need for you to have everyone's password.
yballan (Author) Commented:
Dear Pony10us,

Thank you for your reply, perhaps what I did not make clear is that sometimes I am ordered to get into someone's mail via OWA.
Can System Administrator do that without resetting the user password?
yballan (Author) Commented:
Dear jmellinger89,
Thank you for your reply.
Yes, I did feel like what I was doing is opposite of getting more secure.  You have reminded me about the loss of mobile devices.  That is a definite possibility.

Having said that, I still need to know everyone's password. I must say, I understand the risk of that. I have to come up with a way to clear myself if there is ever an information breach.
yballan (Author) Commented:
Dear richrumble,

Thank you for your reply.  After reading much about this issue, I do agree with what all of you Experts are saying.  However, I have to get into OWA for some of the users.
The users are told at the time of hiring that the administrator (really, my supervisor) has the rights to all of their e-mails, so it is not a secret, but still, I need to access their accounts via OWA as my supervisor demands.
Is there a way to accomplish that without knowing their password?
yballan (Author) Commented:
Thank you, that is the information I did not have!!!
Not a problem. This does still leave open one of the issues mentioned earlier. I will let you think that one through. :)

We use this procedure for setting OOF for people who for one reason or another are out of the office without having set it themselves, e.g. sudden illness/accident or just forgetfulness.