Proper way to document a password leak?

[acemcmac]

The password that controls the local administrator account on what I'd guess to be more than 60% of the local adminstrative machine accounts in my institution is almost common knowledge. It was used to gain remote access to a machine with very sensitve information on it over the weekend. What would be the proper way of spelling out in an email that XXXXXX password has been breached badly without actually writing out the password and looking unprofessional?

 

[IamElectro]

Change it and when people start asking questions tell them why and give them the new one in person.

 

[brxndxn]

Don't ask; don't tell. Screw the institution! Fight the machine! Information wants to be free!

 

[Jzero]

Who is the recipient of the e-mail?

 

[SagaLore]

You could say something like "The Administrator password as of 10/12/05 will be changed immediately".

 

[cerebusPu]

whats teh passwd again?
XXXXXXX?

 

[kranky]

Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

 

[Phoenix86]

Originally posted by: kranky
Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

Why even mention it's changed unless you have a LOT of users with admin rights? Users generally don't need the password, and those that do, will call when the old one doesn't work.

Even then, don't give out that password, add the user to the local administrator group.

No one outside of IT needs to know that password changed as no one outside IT needs to use that password.

 

[Billzie7718]

Originally posted by: kranky
Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

That's a lot of Local Admin passwords to change. I am assuming that you are not talking about Domain Admin password, if you are, you deserve whatever you got.

 

[Jzero]

Originally posted by: Billzie7718

Originally posted by: kranky
Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

That's a lot of Local Admin passwords to change. I am assuming that you are not talking about Domain Admin password, if you are, you deserve whatever you got.

It's easy to script.

 

[Noirish]

"a common password has been compromised, it's been changed since, if you find yourself unable to login, please contact me for password?"

 

[Billzie7718]

Originally posted by: Jzero

Originally posted by: Billzie7718

Originally posted by: kranky
Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

That's a lot of Local Admin passwords to change. I am assuming that you are not talking about Domain Admin password, if you are, you deserve whatever you got.

It's easy to script.

If the user does not have admin rights, then wouldn't you have to at the least logon each PC with console or domain admin rights?

 

[Billzie7718]

"In a dedicated effort to maintain the highest standards, the I.T. department has implemeted several security upgrades and changes. If you experience any problems please call the helpdesk at XXXX."

This will also let you know who asks for the new password and you can find out why they need it.

 

[kranky]

Originally posted by: Phoenix86

Originally posted by: kranky
Just say the local administrator account on all machines has a new password effective xx/xx/2005.

Why even mention that anything bad happened? Just say it's changed.

If people need local admin rights to do something, add the user as a local admin on their own machine - don't give them the password that lets them become local admin on ALL machines.

Why even mention it's changed unless you have a LOT of users with admin rights? Users generally don't need the password, and those that do, will call when the old one doesn't work.

Even then, don't give out that password, add the user to the local administrator group.

No one outside of IT needs to know that password changed as no one outside IT needs to use that password.

Indeed, that's a better answer. Why even say anything at all. See who calls, determine whether they need to be added to the local admin group.

 

[Jzero]

Originally posted by: Billzie7718

Originally posted by: Jzero
It's easy to script.

If the user does not have admin rights, then wouldn't you have to at the least logon each PC with console or domain admin rights?

Well, yeah. Hopefully the machines are on a domain or the IT department has local admin accounts of their own on all machines....

Actually, you could probably use the compromised account to change its own password.

 

[Billzie7718]

Originally posted by: Jzero

Originally posted by: Billzie7718

Originally posted by: Jzero
It's easy to script.

If the user does not have admin rights, then wouldn't you have to at the least logon each PC with console or domain admin rights?

Well, yeah. Hopefully the machines are on a domain or the IT department has local admin accounts of their own on all machines....

Actually, you could probably use the compromised account to change its own password.

Actually, I just found this script. It will change the local administrator password on specified computer names. Alter it to fit what you need and implement.

Thanks for the idea Jzero.

strComputer = "atl-ws-01"
Set objUser = GetObject("WinNT://" & strComputer & "/Administrator, user")

objUser.SetPassword "09iuy%4e"
objUser.SetInfo

 

[acemcmac]

I had to minmize ATOT for a bit...

security just showed up. Director of Information Security and a police escort.... wow.... there were gaurds outside of my office... mabye they did realize that this was probably a HIPPA breach after all!

 

[Phoenix86]

Originally posted by: acemcmac
I had to minmize ATOT for a bit...

security just showed up. Director of Information Security and a police escort.... wow.... there were gaurds outside of my office... mabye they did realize that this was probably a HIPPA breach after all!

BUT YOU'RE RESEARCHING THE ISSUE!

HIPPA as in Health Insurance?

You can't imagine the amount of confidence you just instilled in me regarding the security of my medical records. :Q

 

[Billzie7718]

Originally posted by: Phoenix86

Originally posted by: acemcmac
I had to minmize ATOT for a bit...

security just showed up. Director of Information Security and a police escort.... wow.... there were gaurds outside of my office... mabye they did realize that this was probably a HIPPA breach after all!

BUT YOU'RE RESEARCHING THE ISSUE!

HIPPA as in Health Insurance?

You can't imagine the amount of confidence you just instilled in me regarding the security of my medical records. :Q

Do you think my reults for my herpes test might have been compromised? :Q

 

[acemcmac]

Originally posted by: Phoenix86

Originally posted by: acemcmac
I had to minmize ATOT for a bit...

security just showed up. Director of Information Security and a police escort.... wow.... there were gaurds outside of my office... mabye they did realize that this was probably a HIPPA breach after all!

BUT YOU'RE RESEARCHING THE ISSUE!

HIPPA as in Health Insurance?

You can't imagine the amount of confidence you just instilled in me regarding the security of my medical records. :Q

As long as you haven't been in any government run mental health research trials, you're probably fine

 

[Phoenix86]

Originally posted by: acemcmac

Originally posted by: Phoenix86

Originally posted by: acemcmac
I had to minmize ATOT for a bit...

security just showed up. Director of Information Security and a police escort.... wow.... there were gaurds outside of my office... mabye they did realize that this was probably a HIPPA breach after all!

BUT YOU'RE RESEARCHING THE ISSUE!

HIPPA as in Health Insurance?

You can't imagine the amount of confidence you just instilled in me regarding the security of my medical records. :Q

As long as you haven't been in any government run mental health research trials, you're probably fine

:frown: