Security

Submission + - How To Get Rid of a "Password List" 1

krinderlin writes: "This one requires some explanation, because the reasons why we have a list of all our users' passwords in the first place are a bit convoluted...

Here's some background:

I'm interning at a small business over the summer. We have a Windows domain, and our workers have a nasty habit of merely locking their workstations when they leave for lunch or go home. People hardly ever actually log off of their machines. We've yet to get remote installations through SCE or any other means working, and we use a lot of niche software that doesn't have mass installation as a development priority. So most software updates are run manually.

Unfortunately, when I go to run these installations by remote VNC, I'm faced with a locked login screen. Entering my administrative credentials will log the user out. However, there's another nasty issue. They don't save their work before locking their computer. In fact, the only reason it's locked is that the computer was idle for 15 minutes. When I log them out, they lose about 5 chargeable hours of work for a client. This is a big deal. We either charge the client for an inordinately large amount of time, or don't charge them and drive someone's unchargeable hours ratio through the roof.

What is my manager's solution? We maintain a list of everyone's password in a "locked" file share that only the Domain Administrators have access to. Before logging anyone out, I log in with their credentials and close down spreadsheets and the like, ensuring everything is saved. He doesn't like it at all, either. However, he's been chewed out by senior staff so much for the lost work, and they refuse to accept training or best practices, or to write a policy that would enable us to avoid this situation.

I'm sure that this is not only a massive security hole, but I'm concerned it's a legal liability. I've been doing some research, but can't seem to find a case or news story that I can wave around in management's face. I figure if they can't understand why something is bad in a technical security approach, I'll give them a legal approach. Legal liability is something I think they would not only take seriously, but would understand much better. Unfortunately, without some sort of precedent where a company suffered some sort of loss in the legal arena, I doubt they'll change policy. We have a lot of information that can lead to identity theft on our network.

So specifically, I need to know if anyone knows of a case where maintaining a list of current user passwords made a company legally liable for the loss of some client data. Even better, if said company was also financially liable for that loss, I'd have an ace in the hole.

Then again, I'm just an Idealistic Computer Science Student(TM). Should I just give up now on the fight?"
