Password discussion

[ralph]

I've been tasked to come up with password proceedures.   The thought being that we want more secure procedures than what we are currently using.   Things such as:
(1) When to change them.
(2) Formats - Random passwords, upper/lowercase, not alpha characters, etc.
(3) access control - who gets access to these passwords, when,
(4) when to change them.

What I'm looking for comments on is what are the rest of you doing for this.  Especially you dealers.
Some obvious issues is that when using unique passwords for every customer/site/system, how do you ensure that on-call techs have access when they need access?      It can be expected that a tech will try to keep a file on his/her laptop with the passwords of the systems they would normally need access to -can't stop that- so how do you protect this detail in the event that the laptop is stollen or compromised?

Just looking for comments.   Need to figure out what "Best Practices" are for our environment.

Ralph

[bobcheese]

We have company wide username and passwords that are applied to all our sites. The techs know the password but are not aloud to store them on their laptops. we have a connection database in the office which stores all connection data & password which must be accessed if passwords are required. Everytime a tech leaves the company the passwords are changed.

[ralph]

Everytime a tech leaves the company the passwords are changed.

So one username and password for all systems?   How long does it take to touch all of your systems to update them?  Do you get pushback from your customers about changing them? - assuming you allow customer access to the systems.

Ralph
www.statewidetelecom.com

[bobcheese]

no they have their own logins so that we can trace logins via maintenance logs if there is a dispute about programming errors. + they dont have root access.

We dont do them all straight away. its done over a couple of days by a few techs. Whoever is free 

[ralph]

Ah!  So each tech has their own login and password for every system.   I assume that someone in your office has root access to be able to reset everthing.
Do your techs have some sort of access control on their laptops for securing IP address and passwords in the event their laptop is stolen?

Ralph

[bobcheese]

no we have one uniform login for all tech's on all system. Everytime a tech leaves we change this password on ALL systems. Customers have a their own login which THEY are responsible for. The Tech login has root access and the customer have a custom login that allows access to tel dir etc.

The laptops have connection details for the sites stored on them (dial up connections to 7100, or VPN & MSTSC) but they do not store the mitel login/ip addresses on them. They are housed on a database in the office.

[Mattmayn]

On our new installs we have assigned individual credentials to each tech. They also have different levels of access depending on their skill level. This hurt some feelings when it was implemented but has cut down on screw ups due to inexperience.

[tecniq]

At my shop instead of the oneuser=onepassword method, which we used to do. Now, we have a username|password convention for everything we do. So that the username|password is unique to each customer and at the same time any mitel tech at our shop can connect to the system, but if you remember the convention. And if all else fails, we have another "ROOT" user that is documented for the JIC.

For example:

Customer Name: A company - user: apple pw: red

Customer Name: B company - user: banana pw: yellow

Customer Name: C company - user: cherry pw: red

Something like that.

[ctmedina]

I would like to implement soemthing on our devices. I came up with 2 accounts that I ask to be created on each system, but I always fallback to other password. Our dealer does not really have a system, or if they do they did not use it on us. Since we have a local partner, but we have a national presence, they use local authorized dealers wherever our office happens to be. So the installs are sometimes different from one to the other. That gets on my nerves, but I am trying to provide them with a consistent setup, but the local guys always want to do things thier way!

This is from an End User perspective.

If I was a dealer, I would have a std username with a convention for the password. Like the username would always be ETCTech if my company name was ETC. THen the password would be like customer name and address number with a symbol (if allowed). The more complex the better.

Username = ETCTech password = allied3606

That limits the options of changing it on a periodic basis, but then you need to have remote access to every system. Wow, this is way more complicated than I first thought. Need to give it more thought.

Carlos Medina

[ralph]

I've settled on what I'm recommending to our company.
3 levels of passwords
  End User Owned - root level-  Vendor never get password
  Vendor Owned - root level- no one else gets passwords
  Contractor - root level - vendor owns, contractor has access.

Very complex passwords.   Will be using this site to gen:  www.grc.com/passowrds  or another client side password generator.  Idea here is to create passwords that are completely random and not guessable.

Passwords (vendor and contractor) to be changed at least once a year or under special circumstances.

Passwords to be given to techs only as required and encypted on tech hard drive.

Ralph