The wrong way to keep list of passwords

¶ … Email Spreadsheet Dear Mr. Rocco, After conducting a review of some of your systems and files, I came across something that you should be aware of. In one of the share folders that is amongst your networks drives and storage, a file that contains the emails and passwords of your staff was present in the form of a spreadsheet with no apparent security measures present.

This is unwise and needs to be changed for a number of reasons, and they are as follows: • Having such a file present in an insecure area makes the file and its information potentially available for anyone that happens to find it. This is obviously something that cannot be allowed • Even if the file was only available for the IT staff that is doing password changes and the like, not even they should have direct and unfettered access to that information.

They should indeed be able to verify identity and reset password information. However, the IT users themselves should not have access to that information because there is no need for them to have it themselves and the IT staff could, in theory, use the username and password information to do things in the name of other people without detection. Generally speaking, the only person that should have access to a certain account and its password is that person, without exceptions for the most part.

• A middle ground that could be used is to have a default reset password that people use and then the person whose password is being reset must be changed right away. • Regardless of the system and procedure that is used, the passwords should never be in a share or a file that is completely secure and all of the personnel should be using the eact same procedure and systems to do password resets.

It should be available to the IT staff and other authorized personnel and that is it. • One consideration that should be kept in mind when it comes to a unified and secure solution is access to whatever solution and procedure is in question when the IT staff is away from the office. That is apparently at least part of the problem that must be dealt with.

• Once a revised solution is decided upon, absolutely everyone should be required to update their password, whether they are currently on the sheet or not. • The users who have been using that spreadsheet must be made to agree to the fact that further use and storage of username information on that or any similar files on local or network folders that are not authorized is clearly and unquestionably against the rules.

• If/when there is any further use of such files, there should be progressive discipline, up to and including termination. if needed. LdapMiner Information Mr. Rocco, As I mentioned to you earlier, the LdapMiner program could be used to monitor and look at your Netware and other systems and in a way that could endanger the security of your servers. With that initial data revealed, here are some more specifics that need to be shared with you.

• First and foremost, LdapMiner is something that anyone can download from the internet, and for free. Just one site that has the program easy for easy download is SourceForge. • LDAP stands for Lightweight Directory Access Protocol. • Its primary use is to access directory listings within an active directory or from a number of other services. • The directory reviewed is compiled in a logical or hierarchal form.

• It usually makes use of port 389 on the network • The syntax for the command switches allows for a number of things including setting the default port, setting the default user, changing the default user password, searching users or groups of users and then getting all information. • The type of server can be identified • The LDAP tool can be used in an anonymous way • All of the information above can be used to formulate attacks on the server that is being queried • This.