Passwords on Desktop Computers
From time to time the Desktop Support Group is required to set a password on a desktop computer or other resource. There maybe some instances where without this password the resource protected by it can be lost forever or would require extraordinary measures to recover. This is the type of password that we refer to as a "root" password. There is no higher password for that resource than the root password. A password is not a root password if a client can use another password to gain access to all the resources protected by the password in question. Passwords protect many resources such as passwords for system BIOS, passwords for NT Workstations administrator accounts, or password protected files.
Consequently the Desktop Support Group will adhere to the following policy when dealing with passwords used on our clients systems:
- Inform the system owner of what passwords have been used and where they have been used.
- Provide information to the system owner on how to change passwords if possible.
- Do not retain passwords any longer than is necessary to perform the required task.
- Remind the system owner that they are responsible for all passwords.
System owners are encouraged to log root password changes in some secure location. Managers are encourage to provide a safe and secure location to log root passwords of systems used by their staff. Upper management should treat root passwords as they would keys.