I am a computer technician for a large company, and I'm continually pressured to issue passwords for the PCs I service. I feel this puts me in a compromised position. If someone feels something is not right with their PC, or with the sensitive information stored on it, he or she could point the finger at me. Should someone who never has physical PC access handle passwords, or am I just too strict?
Your concerns are completely legitimate and valid, and you're not being too strict. Passwords should be provisioned centrally, say, from your company's help desk. In the event of a network break-in or incident, your company's incident response team might consider you a suspect. That's a headache you don't want, but you're also in a no-win situation. Sometimes the business has emergency needs and, as an employee, you must comply. There are times when you'll have to reset an occasional password for someone in a pinch.
Here are some tips on proper password-issuing procedures, followed by what you should do if you have to issue a password yourself.
First, your help desk should issue, reset and cancel all passwords and be the central clearinghouse for logging all password requests. The log should include the name and user ID of the requesting employee, the date and time it was requested and the reason for the reset. The logs should be analyzed regularly to check for anything abnormal, such as frequent resets from the same user or unusual patterns of requests during off hours and from remote locations. The frequency of analysis should be based on the size of your company, the number of employees needing user ID and password access, and the risk level of the system they need to access.
The help desk can also verify that the requestor is a legitimate employee and not a social engineer. The help desk should have an employee directory containing vital statistics about the employee, so they have the ability to ask random questions to verify the user's identity. Such information might include the employee's name, location, title, phone number, supervisor's name and employee ID number. That way, in case of deception, the incident response team has a paper trail they can use to trace and (hopefully) catch the offender.
The help desk should issue only a temporary password for any reset. It should be good only once and should expire if not used within a limited time. Once the user logs in with the temporary password, the user should be asked to create a permanent password to replace the temporary one.
So, what do you do if the inevitable occurs, and you have to reset a password? First, if possible, issue a temporary password that the user can use only once, until they can create a new one. Then, report everything you did to the help desk -- provide the user's name, the date and time you issued the password and where the password was issued (the user's desk or a remote workstation). Having the help desk keep a record of what you did leaves you off the hook as a suspect during the investigation of an attempted break-in or incident.
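The regular log review described above (frequent resets from the same user, off-hours requests, remote requests) can be automated. The following is an added example, not part of the original answer; the CSV layout, the sample records, and the thresholds are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: fields follow the record described above
# (user ID, name, date/time, reason) plus where the reset was issued.
SAMPLE_LOG = """timestamp,user_id,name,reason,location
2024-03-04T09:15:00,jdoe,Jane Doe,forgot password,desk
2024-03-04T14:02:00,asmith,Al Smith,account locked,desk
2024-03-05T02:47:00,bwong,Bo Wong,forgot password,remote
2024-03-06T10:30:00,jdoe,Jane Doe,forgot password,desk
2024-03-08T16:20:00,jdoe,Jane Doe,account locked,desk
2024-03-09T11:05:00,asmith,Al Smith,forgot password,remote
"""

# Assumed thresholds; tune to company size and system risk level.
MAX_RESETS = 3                      # resets per user that trigger a flag...
WINDOW = timedelta(days=7)          # ...when they fall inside this window
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local time, Mon-Fri


def review_reset_log(log_text):
    """Return sorted (user_id, finding) pairs that deserve a manual look."""
    findings = set()
    by_user = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.fromisoformat(row["timestamp"])
        user = row["user_id"]
        by_user[user].append(when)
        off_hours = when.hour not in BUSINESS_HOURS or when.weekday() >= 5
        if off_hours:
            findings.add((user, "off-hours request"))
        if row["location"].strip().lower() == "remote":
            findings.add((user, "remote request"))
    for user, times in by_user.items():
        times.sort()
        # Sliding window: any MAX_RESETS consecutive resets within WINDOW.
        for i in range(len(times) - MAX_RESETS + 1):
            if times[i + MAX_RESETS - 1] - times[i] <= WINDOW:
                findings.add((user, "frequent resets"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in review_reset_log(SAMPLE_LOG):
        print(f"{user}: {finding}")
```

A flag here is a prompt for a person to look at the request, not proof of misuse; a technician's own emergency resets, once reported to the help desk, appear in the same log and are reviewed the same way.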