Tuesday, September 2, 2014

You Don't Want to Know Your Employee's Passwords

Regularly, when setting up a new system for a customer, the owner or manager will ask for a list of all the users' passwords. We then explain that they do not want the passwords.

Administrative Override

First reason: You don't have to. Most modern systems will allow an administrator to reset a user's password so you can get access. Why add to your list of responsibilities?

Responsibility in the Right Place

Consider this: two people have regular access to the same user account. If one of them does something inappropriate, how do you know which one did it?

If you have a policy that each staff member must be the only person who knows their password, anything that happens with their user account must have been them. If they say someone else had the password, they have violated the password policy. Either way, they are solely responsible for their account.

What about the ability for the administrator to reset the password? The user will know. When the administrator changes the password, the user will not be able to get in until the administrator provides them with the new temporary password.

