John Mahoney

Password Policies and Written Records

We have a strong password policy. But I'm wondering about best practices around managing and storing passwords for an organization in written form? Many times as the network admin I will need to log onto someone's system as the user in order to access and fix a problem.

In the past at our organization there was a password book where a record of all passwords was kept. Sometimes a user would need to log onto another person's account when that person was out or sick, and of course they could find the password in the safe stored in the password book. But as we've grown, and today we force password changes every 6 months, that book can easily and quickly become outdated, and I'm wondering if it's even a good idea to keep a written record?

So my question is what is the best practice around storing a written (or online) record of employee passwords?

Do you keep password books in your organization? Is it a best practice from a security position? Do you use online resources (Google Docs or another system)?

We are bound by HIPAA rules but I couldn't find anything that references this particular issue.
gheist

Best is to establish central authentication. In the case of Cisco it is TACACS or RADIUS.
TACACS = Cisco ACS
RADIUS is included in w2008R2 onwards
But you can always set up a small machine with FreeRADIUS.

For cases where that does not work we use KeePass/pwdsafe and the like.
Mahesh

Download the Microsoft security best practices guide and check there
http://www.microsoft.com/en-in/download/details.aspx?id=38785

This will resolve your query hopefully
John Mahoney

ASKER

Perhaps I'm not being clear or I'm not fully understanding your responses. My question has to do specifically with the practice of storing employee passwords in a written 'password' book. Do you keep employee passwords in a book? We are a medium-sized nonprofit. We have and use a small business server. Thanks.
SOLUTION
McKnife
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER CERTIFIED SOLUTION
Thank you. And this question was posed in response to management's request to keep an updated written password book. I haven't used a password book for a long time, but when I reply that I don't think it's a good idea I like to reply with some authority and references, and I couldn't find anything except that I felt this was not a good idea.

I do need very occasionally to log onto a user's account to fix a problem specific to their system (they lost access to a printer, etc.) and logging on as admin doesn't work. Thanks much.
SOLUTION
Thanks for the help on an issue that plagues small organizations: "Security" and "Accessibility".
https://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act#Security_Rule

Basically, having a password book undermines identification of the employee completely.