4

I have noticed that it is common practice when setting up a user account (Windows users accounts and Google Apps user accounts in my case) to require new users to create their own password immediately after their first log on. In searching for an answer to this question, I have found many posts explaining how to require new users to change their password, but I can't find anywhere why this is considered "best practice." What problems are created if I generate and assign a unique password to each new user and they don't change it?

To clarify, I'm not asking why it is good practice to require users to change passwords periodically. My question is what are the risks if brand-new users keep using the password I set for them instead of creating their own password?

It would be convenient for me to have them keep their initial password because I am in a smaller business setting, and if I know their password I can set up Google Drive Sync and Google Apps Sync for them, instead of having to write instructions for them on how to do this themselves.

browly
  • 2,100
  • 2
  • 13
  • 21
  • 2
    You only want users to know the password. Having an admin with a list of all user passwords stored in the clear would be bad in the event of a breach. Or an angry administrator who just want to get back at the company. – RoraΖ Oct 23 '14 at 16:22
  • 2
    Not to mention the most frequent implementation I've seen involves the admin assigning *the same* new password to every new user. Which means the adversary has a huge crib for password guessing. – MCW Oct 23 '14 at 16:26
  • 2
    The user, and only the user, should be uniquely and wholly responsible for any action taken with that userID. If you know the password, you share responsibility if that account is used (for example) to commit a felony (or merely to sexually harass the office cat). – MCW Oct 23 '14 at 16:28
  • Most systems contain a facility where a administrator can "take Control" of a user account (eg login as the user account without password by specifying the administrator username, administrator password, and the username to logon as). On windows systems, a administrator can Always "RunAs" as a user with less privilegies. So no, initial password change is not to prevent admin abuse. Admin abuse is prevented by employing well vetted, TRUSTED administrators and not employing randoms. Initial pw change is enforced to prevent default admin-set passwords like "changeme" to compromise security. – sebastian nielsen Oct 24 '14 at 00:25
  • 1
    There are several issues. The generated password may be compromised during transit from admin to end-user if sent via insecure media like email. The password may be the only method of user authentication and identification and if that secret is shared then that's no longer true. You cannot claim to be who with 100% certainty you are if someone else knows your credentials. It also violates the non-repudiability principle of user authentication. The user must be identified so securely that that he cannot deny any actions done using his/her credentials in case of criminal investigation etc. – Jari Huttunen Oct 24 '14 at 07:28
  • @sebastiannielsen - I don't know much about those setups, but presumably actions undertaken that way are at least logged. Heck, even base desktop support may have remote control facilities, who are probably trusted far less than any admins (at minimum, every person you add increases the risk of one of them doing something undesirable). – Clockwork-Muse Oct 24 '14 at 10:34
  • You need to see it that the issuer of the credentials is who does authenticate you, and thus the issuer may know the credentials without compromising the "non-repudiability". Look at for example banks, they have a secure token, but the system administrator does have access to the seed to be able to program the tokens. Of course, in the criminal investigation, the system administrator must be well vetted too, since if the administrator is unthrustworthy in the terms of witness, then the whole non-repudiation system fails regardless of if the admin knows password or not. – sebastian nielsen Oct 24 '14 at 10:47
  • Also for example, in many juridicsions, a username/password can only incur financial liability, not criminal liability. So if I share my facebook password, and its used for uploading childporn, then I might have to pay damages to facebook and the victim, but are never sentenced to any charge. Remember that system administrators can write to logs too, thus changing/erasing them. In criminal investigations where usernames/password/logs are part of the evidence, then they will check if the system administrator had any reason to subdue the system - for example if he was about to be fired or such. – sebastian nielsen Oct 24 '14 at 10:52

3 Answers3

8

It would be convenient for me to have them keep their initial password because I am in a smaller business setting, and if I know their password I can set up Google Drive Sync and Google Apps Sync for them, instead of having to write instructions for them on how to do this themselves.

This is exactly why it is good practice to require them to change passwords after first login; they should be the only ones who know their passwords. It eliminates any potential for administrative abuse, or the perception of abuse even if none exists. Additionally, passwords they choose are less likely to be forgotten and require reset, or to be written down where they can be stolen and (again) abused.

Your second question about period password changes has already been answered in the following question: How does changing your password every 90 days increase security?

Community
  • 1
Xander
  • 35,616
  • 27
  • 114
  • 141
  • 3
    It also insures that a person's activity is linked to them. They're responsible for their account and their actions. – RoraΖ Oct 23 '14 at 16:29
2

Forcing users to select their own password at initial logon, (the first time they authenticate), ensures that NOBODY else knows the password for the account once it has been changed.

This is a control process called single-control. Single-control means an resource or access to something is maintained by a single-individual. Since the userid/password combination is maintained under the user's single-control, it strengthens accountability in that we can identify with a fair degree of certainty who logged into what and when. If the password is compromised, (no longer under single-control because multiple people know the password), then we have less accountability because we cannot be certain who logged in with the userid/password.

Single-Control practices also protect those who do not have access to the resource or credentials in question. Since you should not have access to the user's password information, it keeps you safe in the event of a breach. If you do not force password changes, it is possible that you could be viewed as suspect, even if you have done nothing of the sort. EDIT: (This is called risk exposure, where not following the single-control process results in exposure to additional risk)

It is imperative that we enforce and maintain control-processes so that everyone stays safe and secure, and we don't expose them or ourselves to unnecessary risk.

Desthro
  • 1,007
  • 5
  • 5
-3

Initial password change is mostly used to prevent the "default password" problem. When setting up accounts, especially a large amount of accounts, administrators tend to use passwords like "changeme1", "changeme2", or such default easy passwords. By requiring password change, the "default password problem" is eliminated.

If you generate SECURE random passwords, you can safely disable "Require initial password change".

You as a administrator does have access to user accounts anyways, in windows systems you can for example Always, as a administrator, RunAs as any other lower privilegied account. So it does not matter if you RunAs as your fellow user from your administrator account, or if you directly login to the user's account. You have same access to files and items anyways. So the potential for abuse and liability does still exist. That potential can only be prevented by employing good admins, in other Word, a administrator should be a TRUSTED indivual which is well vetted (request a rap sheet from the speculant Before employing his as administrator).

In some high security schemes, a 2-fold login system is used for administrator instead, where 2 administrators need to collectively login with their own usernames and password within a 30 second delay to give admin access, so they could Watch each other so no one abuses admin rights.

in these systems, the admin should not know any user passwords since it would bypass the 2-fold system.

The only case where only user should know the password is in the 2 fold system, OR if theres some encryption that only the user should have access to. But its pretty uncommon for encryptions to use the windows credentials, rather they normally use their own login dialog and own systems.

sebastian nielsen
  • 8,799
  • 1
  • 19
  • 33
  • 2
    There is a *major* difference between using auditable and accountable methods such as Windows RunAs and logging directly into the system as the user. Namely, that RunAs is auditable. Each admin can run as any user, but anything they do it logged. It's clear that User Adam didn't sabotage the system, as the logs show that Admin Eve logged in as the user before doing it. The whole point of passwords is that **only** the user knows their password. – Chris Murray Oct 24 '14 at 11:02