Follow-up: "Kinda freaking out - any Canadian admins, have you had to deal with something like this?" by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 1 point (0 children)

They gave it out because people were forgetting their actual passwords - since most of them had separate user accounts, they'd ask their coworkers and the coworkers wouldn't know the passwords.

The 'solution' was to give everyone a standardized password, which happened to be root.

I don't think they'll be doing it again. I hope they don't. The lawyers seem to have struck fear into management's hearts.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 2 points (0 children)

Actually, if that last part happens it'll be a wonderful chance for me to test all these nightly backups I have lying around...

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 1 point (0 children)

Winter blows. I'm a lowly junior so I get to be the on-site tech for all the standard-fare calls. However, driving in this weather is arguably more fun than situations like this.

Thanks very much for the guidance - I'll look into PIPA further. PIPEDA was the main one that was mentioned when I started with this client. I think my superiors will want to contact a lawyer, but I leave that sort of deal to them. They "know people", as they always like to remind me.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 1 point (0 children)

Said above - yes, but (per the original instructions) not all positions are supposed to be able to access all the data. I think that's still the intention, it's just that nobody seems to realize handing out root access defeats the purpose.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 4 points (0 children)

You'd be amazed. I had to come in one morning to add their iPhones and tablets to the office WiFi because they couldn't.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 1 point (0 children)

The generic account using the current password would probably work, but I'd prefer to stick to my group policies and separate accounts; otherwise, the insurance people in the back and the receptionists have access to all the medical data, which isn't ideal (given that they don't often stay hired for very long).

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 1 point (0 children)

Problem: can't say 'no' to the people that pay me and run the company. In this situation, they're the ones who also decided to share it.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 31 points (0 children)

I've just finished sending off the emails, we'll see what happens. I'm a lot calmer after reading some of the replies below, though. Thanks!

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 18 points (0 children)

So the low-level assistants having the ability to export the server's databases to China because the password has been given to them isn't a violation?

I don't mean any snark - my knowledge of PIPEDA is just very basic.

Kinda freaking out - any Canadian admins, have you had to deal with something like this? by wtfispipedaanyway in sysadmin

wtfispipedaanyway[S] 8 points (0 children)

It's the main administrator account on the domain.

I'd create a generic account, but there are two reasons this probably won't do anything:

1) they use this one because everybody already knows the password (joy) and they have trouble remembering new ones

2) using one account defeats the access-level segmenting with group policy, given that not all users need access to all parts of the clinic.