How to work with password managers and UAC

How do I work with password managers and secure desktop?

We use a password manager but in Windows 10 because UAC prompt runs as a Secure Desktop, we can no longer paste passwords into the password field when we need to elevate privileges.

I know that there are ways to suppress this behaviour with group policy, but we are trying to work to security best practice and so that isn't ideal either.

However, these passwords are too complex for people to be typing in, so not sure how best to proceed?

Just wondering how other people are handling this kind of thing?


Jon
FriendlyITInfrastructure TeamAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Alex AppletonBusiness Technology AnalystCommented:
What about using Windows Hello with a PIN?  You can also use a smart card reader, facial recognition, fingerprint, yubikey, etc..
FriendlyITInfrastructure TeamAuthor Commented:
Thanks for the suggestions.  The problem is really relating to support tasks and things that we need to run as domain admin, so not sure any of those thoughts are particularly relevant in this scenario....
Danilo AndradeIT Systems AnalystCommented:
However, these passwords are too complex for people to be typing in, so not sure how best to proceed?
The problem is really relating to support tasks and things that we need to run as domain admin
So I'm assuming the password is not for the users to be entering themselves, and more of the administrator to be typing in?

Are you remotely connecting to the computers to input the password? If so, applications like teamviewer and screenconnect (connectwise control) would allow you to paste or send clipboard keystrokes.

If you are entering the password directly on the computer, have you tried pasting it temporarily in notepad and once done just closing it without saving?
Price Your IT Services for Profit

Managed service contracts are great - when they're making you money. Yes, you’re getting paid monthly, but is it actually profitable? Learn to calculate your hourly overhead burden so you can master your IT services pricing strategy.

serialbandCommented:
Don't create random gibberish passwords.  Make them long, but "readable" and somewhat "memorable" in some way.  I'm not sure password managers with randomly generated passwords are more secure than some long password, as long as they're not dictionary based.  It only needs to be complex enough that the password cracker can't crack your password in a "short" amount of time.  Eventually, all passwords can be cracked.  It's just a matter of time, and resources, but some passwords
McKnifeCommented:
As an alternative, let me help you getting an idea when to use strong accounts and how. In my opinion, the occasions where you need to switch accounts for doing administrative things can be eliminated almost completely. I have an approach for you that does not even need a password. It is limited to local resources, though.

So let me now how you go about and why you need to switch accounts after you read my article: https://www.experts-exchange.com/articles/24599/Free-yourself-of-your-administrative-account.html
FriendlyITInfrastructure TeamAuthor Commented:
Danilo Andrade - Yes - this is for administrators working on client machines - has historically been VNC (which haven't tested how it handles UAC prompts) also looking at Quick Assist for WIndows 10.  Pasting to Notepad I would say has additional attack vectors as then both keyloggers and screen grabs could pick it up so is probably not ideal.

serialband - Our current process is that all passwords have to be created by a password manager (we use Secret Server)

McKnife - Thanks - I will read that and digest
FriendlyITInfrastructure TeamAuthor Commented:
We are using VNC which allows you to paste into UAC boxes

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows 10

From novice to tech pro — start learning today.