KenJackson

Should I give my password to IT?


Whenever I ask corporate IT to do something, inevitably they ask me for my password.  Is this normal practice?

 

I suppose IT administrator passwords can access everything anyway, but any method of giving it seems like a security violation: emailing it, writing it on a sticky note or saying it out loud.

 

I'm just wondering about the way things are normally done in other companies. 


I'm just wondering about the way things are normally done in other companies. 

 

In my experience "anything goes".

 

I have seen companies where the user is free to use his/her own devised password (the same, BTW, that he/she uses for Facebook, Gmail and to access online forums), which is evidently wrong, and which, given that the user is called John Doe and was born in 1978, ends up as any of "johnny78", "johnnyiscool78", "mabel08202006" (mabel is the daughter of John Doe, born on 20th August 2006), etc.

 

This password is usually asked for by the IT Admin for *anything*, even when it is not needed at all, and not only is it exchanged by telephone, e-mail, SMS or post-it, but it is jotted down, together with the identification of the machine/workstation/terminal to which it belongs and with the login/user, either on a blackboard or in notes on the IT Admin's desk, in the IT Admin's office (which is accessible by everyone inside the building).

 

I have seen companies where the user passwords are actually issued by the IT Admin and the user CANNOT change them (which is more or less the way the thing should be managed) but among them I have seen *anything*:

  1. the password is (given that the user is called John Doe and was born in 1978) "jdoe78".
  2. the password is (for the same user) generated by a pseudo-random-hyper-mega-secure-algorithm and is "=)#§rWtGGoo04056-/66xA+"

In case #1 there is an Excel Spreadsheet listing all machines/login/users and passwords on the corporate server in a folder open to everyone and a printout of the same worksheet either on the IT Admin desk or pinned to the blackboard in his room.

 

In case #2, since the user cannot possibly remember it, the password can be found neatly handwritten on a post-it in the left-hand folder of the user's desk.

 

Once every three to four months a document accessible exclusively from the given user's PC is urgently needed, and since the user is on holiday or the like, the password is spelt (spelled :unsure:) c-l-e-a-r-l-y and very aloud on the telephone, and jotted down on a post-it that is pinned on the user's monitor until he/she comes back and removes it.

 

Of course there exist a lot of "security oriented" companies, which manage the matter more properly, usually adding to good password management some hardware form of authentication, like badges, fingerprints or similar, but they are not usually the "norm".

 

jaclaz


An experienced answer is... it depends on the company and how they are doing things. An outsider may view their practices as being incorrect. Another answer is that "your account" (if it is a domain or email account) is not really yours, it is owned by the company.

If it were me, I would say that there is no reason to know a user's password.

I feel that writing down passwords is fairly secure... maybe not so much on a sticky note.


Before I forget, OT but not much ;), look what happened recently to  TV5 Monde:

 http://arstechnica.com/security/2015/04/hacked-french-network-exposed-its-own-passwords-during-tv-interview/

please note how, besides being posted on the blackboard, the password for the YouTube account was a very complex one, i.e. "lemotdepassedeyoutube",

and now, for NO apparent reason, a PASSWORD CLOUD  :w00t:

https://web.archive.org/web/20150202135829/https://xato.net/wp-content/xup/passwordscloud.png

 

jaclaz

Edited by jaclaz


Well I know for us, if a user reports a problem with some program on their pc (Excel, Outlook, Firefox, etc.) we can only see the error if we're on their screen looking at their desktop. Really irritating to come to a computer only to find it locked and we have to wait for them to come back.

 

We have hundreds of other admin passwords to remember. Trust me, when IT has Active Directory access anyway, we don't care or remember what your password is. (unless you're a very vocal CEO who complains that we don't know it)


Yes, if he is admin of your domain

but also, if you like, you can change it after he has finished

but it doesn't really matter

there's a secret / anti-spy agreement IT signed on

 

edit

but if it's part of your CC password or something, I suggest you change it and then give it

Edited by aviv00


No. You never give your password to anyone. If this is an administrator of your company/network/IT then they can get access without needing to know your password. If it's a work issued password, they should still have access to it. Asking for it seems a bit odd in my opinion.


While I STRONGLY agree that no one should ask you for your password - nor should you give it out - on the other hand, your IT guy might perceive a refusal as an attempt to make his life difficult.  Thing is, he has FAR MORE capability to make yours more difficult. 

 

So be very polite and say that you're embarrassed at what it says or something to throw him off guard.  And be prepared for the eventuality that you might end up in a hard place for a little while as a result of refusing to give it out.

 

Just to add another 2 cents to back up Tarun's good advice above, imagine if an IT guy wanted to make your life really miserable.  He could log on as you, using your password, and do something disruptive.  All indications would be that YOU did it.

 

-Noel


Good passwords should never be shared. But if one must give it to a member of one's work IT personnel, the best way out is to change the password first, then give the throwaway password created for the occasion, then change it back, as soon as possible. My 2¢ only, of course.
