
Should I give my password to IT?

4 replies to this topic

#1
KenJackson

  • Member
  • 3 posts
  • Joined 22-March 08

Whenever I ask corporate IT to do something, inevitably they ask me for my password. Is this normal practice?

 

I suppose IT administrator passwords can access everything anyway, but any method of giving it seems like a security violation: emailing it, writing it on a sticky note or saying it out loud.

 

I'm just wondering about the way things are normally done in other companies. 





#2
jaclaz


    The Finder

  • Developer
  • 15,318 posts
  • Joined 23-July 04
  • OS:none specified

I'm just wondering about the way things are normally done in other companies. 

 

In my experience "anything goes".

 

I have seen companies where the user is free to use his/her own devised password (the same BTW that he/she uses for Facebook, Gmail and to access online forums), which is evidently wrong, and that, given the user is called John Doe and was born in 1978, ends up being any of "johnny78", "johnnyiscool78", "mabel08202006" (Mabel is the daughter of John Doe, born on 20th August 2006), etc.

 

This password is usually asked for by the IT Admin for *anything* even when it is not at all needed, and not only is it exchanged by telephone, e-mail, sms or post-it, but it is jotted down, together with the identification of the machine/workstation/terminal to which it belongs and with the login/user, on either a blackboard or on a note on the IT Admin's desk, in the IT Admin's office (which is accessible by everyone inside the building).

 

I have seen companies where the user passwords are actually issued by the IT Admin and the user CANNOT change them (which is more or less the way the thing should be managed) but among them I have seen *anything*:

  1. the password is (given that the user is called John Doe and is born in 1978) "jdoe78".
  2. the password is (for the same user) generated by a pseudo-random-hyper-mega-secure-algorithm and is "=)#§rWtGGoo04056-/66xA+"

In case #1 there is an Excel Spreadsheet listing all machines/login/users and passwords on the corporate server in a folder open to everyone and a printout of the same worksheet either on the IT Admin desk or pinned to the blackboard in his room.

 

In case #2, since the user cannot possibly remember it, the password can be found neatly handwritten on a post-it in the left-hand folder of the user's desk.

 

Once every three to four months a document accessible exclusively from the given user's PC is urgently needed and since the user is on holidays or the like, the password is spelt (spelled :unsure:) c-l-e-a-r-l-y and very loudly on the telephone, and jotted down on a post-it that is pinned on the user's monitor until he/she comes back and removes it.

 

Of course there exist a lot of "security oriented" companies, which manage the matter more properly, usually adding to a good password management some hardware form of authentication, like badges, fingerprints or similar, but they are not usually the "norm".

 

jaclaz



#3
Tripredacus


    K-Mart-ian Legend

  • Super Moderator
  • 9,852 posts
  • Joined 28-April 06
  • OS:Windows 7 x86

Donator

An experienced answer is... it depends on the company and how they are doing things. An outsider may view their practices as being incorrect. Another answer is that "your account" (if it is a domain or email account) is not really yours, it is owned by the company.

If it were me, I would say that there is no reason to know a user's password.

I feel that writing down passwords is fairly secure... maybe not so much on a sticky note.



#4
jaclaz


    The Finder

  • Developer
  • 15,318 posts
  • Joined 23-July 04
  • OS:none specified

Before I forget, OT but not much ;), look what happened recently to TV5 Monde:

 http://arstechnica.c...g-tv-interview/

please note how, besides being posted on the blackboard, the password for the YouTube account was a very complex one, i.e. "lemotdepassedeyoutube",

and now, for NO apparent reason, a PASSWORD CLOUD :w00t:

https://web.archive....swordscloud.png

 

jaclaz


Edited by jaclaz, 20 April 2015 - 05:50 AM.


#5
arablizzard2413


    Member

  • Member
  • 106 posts
  • Joined 08-April 04

Well I know for us, if a user reports a problem with some program on their pc (Excel, Outlook, Firefox, etc.) we can only see the error if we're on their screen looking at their desktop. Really irritating to come to a computer only to find it locked and we have to wait for them to come back.

 

We have hundreds of other admin passwords to remember. Trust me, when IT has Active Directory access anyway, we don't care or remember what your password is. (unless you're a very vocal CEO who complains that we don't know it)


Perhaps the Most Truthful: on Microsoft marketing:
"There won't be anything we won't say to people to try and convince
them that our way is the way to go."



