Windows 2012 Domain - Password Sharing Issue - reluctant humans!
Posted on 2016-11-22
I have been looking at password complexity, expiry and all sorts of things best-practice-related and I have implemented a few additional policies on length, special characters, expiry etc..
...but I have a far more simple issue i would like to solve.... and i think it's a human one, but thought I'd check!
I have a department where the manager is insistent that it's easier for him to tell all his staff all to use the same password, Not the same user name, but same password for every user.
Let's say that password does meet our complexity requirements, and as an example it's 1M4r1@UR!1 (That is example only, not one of my passwords).
In the manager's view, if e.g. BOB is off sick, anyone else can log onto his PC and get to any work-in-progress, email etc, as any other user would know that all they need to do is put in the user name and then the password that they all know.
I can see his reasons, and I sympathise, but I don't agree with it.
In my view, this gives any user the chance to log on as anyone else and compromise their data and their email. This might not (hopefully) include any existing member of staff, but you never know what drives people, and especially : what if someone leaves? They may leave in anger, dispute, fired etc. This then gives them the ability to log on from outside on Outlook Web and randomly delete any other user's email inbox. This is especially easy in this manager's department as he insists on all staff using the same password, as I said above, but also when they change the password he merely adds a number sequence to the end of it, so for example 1M4r1@UR!1 becomes 1M4r1@UR!2, 1M4r1@UR!3 etc.
Yes, it's easier for his staff to remember BUT it's too easy for a disgruntled employee to guess/log on.
We are about to issue a company-wide policy on this but - just to check - can I enforce this in any way on Windows 2012? I don't think it's possible for the system to know if two users have the same password? It sounds more logical/secure that the system wouldn't be able to compare two users' passwords.
So, just to check before i send the written note out about this.
Over to you guys......