The last time this got discussed, I thought the consensus was he was trolling -- the point being the correct answer is to explain why you don't have these (technical controls, hashing of passwords, etc.).

The other reason would have been if he wanted login access to servers to validate configs himself, but there are much better ways to accomplish that (I'd be very reluctant to give an auditor anything but read-only access to any production infrastructure, but it is valid to want to know that what is being given to you matches production; there are ways to accomplish both).
WOW, "A security auditor for our servers has demanded the following within two weeks:
• A list of current usernames and plain-text passwords for all user accounts on all servers
• A list of all password changes for the past six months, again in plain-text"

That right there would be a security breach/issue, and for it to be created as part of an audit is unbelievable.

I have never met any security auditor who has done that or ever would, and having done audits myself for FTSE 100 companies, well, if I did that I'd be out of a job. Certainly audit the passwords, though there should be rules to prevent silly passwords, and that is what should be audited.

In such a situation I would not pander to such an auditor and would approach a director about the security risk the auditor was, and good night Vienna for them. Such people should not be doing audits, ever, and are clearly not qualified for the role/task they have been given.

It would be a security issue to carry on supporting or allowing such a person to carry on auditing, as they are clearly a security risk without a doubt.
This is a trick. The correct thing to say to them - we don't have passwords because they are hashed and salted. Then you successfully pass the security audit :)
This cannot be real, but sadly it appears as though it is. A "professional" security auditor requests plain text passwords? A security auditor that thinks PCI is something you install onto your server? Wow. I am literally speechless.

Can we please get the name of this company somehow? This company should not be allowed to give anyone security advice whatsoever; they quite clearly do not know what they are talking about. I'd hate to think how many businesses have been affected and/or are vulnerable as a result of their auditing practices and guidelines.
I read that and it read like a troll, or that the 'auditor' was socially engineering the firm (also possible). It is useful to have passwords explicitly unknown by anyone except their owners and run password cracking software on the password database continuously to weed out 'weak' passwords.
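The two comments above describe what an auditor can legitimately be shown instead of plaintext: that every password is stored as a salted, iterated hash, and that a sweep against a list of known-weak passwords finds no matches. The script below is an added example (not code from the thread or from any auditor) that does exactly that over a constructed password store; the record layout, the `pbkdf2_sha256` scheme, the policy floors and all usernames, salts and passwords are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Record layout (constructed for this example, modelled on Django's encoded hashes):
#   user:pbkdf2_sha256$<iterations>$<salt>$<base64 digest>
MIN_ITERATIONS = 100_000   # assumed policy floor
MIN_SALT_CHARS = 16        # assumed policy floor


def encode(password: str, salt: str, iterations: int) -> str:
    """Derive PBKDF2-HMAC-SHA256 and pack it into the record format."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return f"pbkdf2_sha256${iterations}${salt}${base64.b64encode(digest).decode()}"


def verify(candidate: str, encoded: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt, _ = encoded.split("$", 3)
    return hmac.compare_digest(encode(candidate, salt, int(iterations)), encoded)


def audit(store_lines, weak_passwords):
    """Return {user: [findings]}; an empty list means the record passed."""
    findings = {}
    for line in store_lines:
        user, encoded = line.strip().split(":", 1)
        algo, iterations, salt, _ = encoded.split("$", 3)
        problems = []
        if algo != "pbkdf2_sha256":
            problems.append(f"unsupported algorithm {algo}")
        if int(iterations) < MIN_ITERATIONS:
            problems.append(f"iterations {iterations} below floor {MIN_ITERATIONS}")
        if len(salt) < MIN_SALT_CHARS:
            problems.append(f"salt shorter than {MIN_SALT_CHARS} characters")
        # Weak-password sweep: only the guesses are hashed; no plaintext is stored or shown.
        if any(verify(guess, encoded) for guess in weak_passwords):
            problems.append("matches a known-weak password")
        findings[user] = problems
    return findings


# Constructed sample store: usernames, salts and passwords are invented.
SAMPLE_STORE = [
    "alice:" + encode("correct horse battery staple", "k3Zp9Qw2Lm7Rt4Xy", 200_000),
    "bob:" + encode("Password1", "aB3dE6gH9jK2mN5p", 200_000),
    "carol:" + encode("Tr0ub4dor&3", "x1y2", 1_000),
]
WEAK_LIST = ["123456", "password", "Password1"]
```

Running `audit(SAMPLE_STORE, WEAK_LIST)` reports nothing for alice, a weak-password match for bob, and an iteration count and salt length below policy for carol, which is the kind of evidence an audit can be given without anyone ever seeing a password.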
My heart sank as I read that. There are too many people in our field that don't have a basic grasp on the most fundamental concepts, and yet are in the position to direct those that have a clue.
I hope this is a troll and if it is not, you should read through your contract, look for a breach clause, and exercise that clause. Otherwise, you should eat the cost of getting a new security auditor. A good relationship with a qualified auditor can be really beneficial to your organization. If you don't have that, you are not getting any value out of the dollars spent.
This is either made up or the auditor has a mental health issue.

Either way nothing to see here unless you want to discuss mental health issues or truthfulness on the Internet and how to improve it.