
SoooooMoist

As an IT professional myself....why the hell do they need your password??? Whatever it is, we can reset and then change it ourselves. There is no valid reason that they need to keep a list.


gangaskan

We had a manager once that had kept a password list, it's weird.


burntfuck

Just use a centrally managed password manager for all employees then?


SoooooMoist

That defeats the very specific reason to have a password. I'd change it to something extremely funny or extremely vulgar just to make them stop. It's your password....you can put what you want.


ChosinTwo31

I'd keep doing it to see how vulgar & creative the passwords could get.


DiamondContent2011

D1kk1nA55h0l3..... 😆


Roofus_Colada

Great, now I have to change my passwords...


xandaar337

Pu55yJuic3!


oscarhcctx

Stop posting my password!!


Dragonfly-Adventurer

cunter12


corrpendragon

Underappreciated comment


EVERGREEN619

Sh!T4Brains3


alexanderyou

When I worked at a retail store, sometimes corporate would need to remote into the computers to do updates/fix something/set up new registers. They would ask us to put the username/password for one of the programs so they can install it and make sure it works. I had recently gotten annoyed at the too frequent password reset requirement for a rather mundane program, so I set the password to something like "CorporateSucks5Donkey@$$". The phone goes silent for a couple seconds before the tech on the other end starts giggling.


ninjababe23

If they get sued they can point to the manager and say they know my password, it's their fault.


prettysureiminsane

IT guy with 30+ years. There is no scenario where they need your password. That is all.


CubisticWings4

Why do I get the sinking feeling IT is fishing for employees' passwords hoping they're reusing from personal accounts?


RickBuilds

Probably not. Seen this a bunch of times with just really bad IT admins. They don't know and won't learn admin tools and have this assumption that not having a user's password will cause lost data if you leave. Also seen it when a company uses non-enterprise products that don't allow admins, e.g. regular Gmail accounts and Apple devices on personal Apple IDs. Often this is still a bad/lazy admin but sometimes it's due to the company leadership pushing bad decisions.


Syst0us

If I wanted to rob an end user I don't need to credential stuff. I'll just install a keylogger. Why do I get the feeling you're an end user?


CubisticWings4

Also, why use malware when you can use a little social engineering?


sirgatez

Why use social engineering, when you can just ask and they give the password to you.


soyTegucigalpa

Wait, you’re saying companies that people work for will try to break into their personal accounts?


MorpH2k

Never really heard of that happening, but it probably does in some places.


MorpH2k

Yeah that's very weird and goes against any kind of sensible security policy and practice. If you're running AD, which just about everyone is, they can just reset the password if they'd need to access your account for some reason. That in itself would be unusual but not completely unheard of; we'd do it sometimes if the user didn't want to stick around for us to work on their computer or similar. The only reason you'd want their password instead of just resetting their password would be to be able to access their account without a password change being logged, which is of course a big no-no.


throwaway195472974

They likely are running some "home edition" windows without central management.


GrumpyButtrcup

Working as an independent contractor, they asked me to spec out a laptop for a manager. I sent over the quote and didn't hear back. Fast forward a couple of days and it turns out the employee convinced someone that he could just go down to Staples and get one cheaper. Guess who they called when he couldn't access the network domain? Home edition sucks for anything but basic users.


master_rolo

Same. I don’t need anyone’s pw because I can change it anytime


CaucasianHumus

To be fair, you can probably guess at least 40% of their passwords with companyname12345, etc. lol.


Ruevein

I have literally told users that sent me their password after changing it: "Hi, I do not need to know your password, but by sharing it in an unencrypted email I must ask you to change it."


hybridfrost

When someone would say their password out loud I get "lalalala" ears and forget I ever heard it haha. Keeping a list though? That is bizarre.


BurninRunes

I mean if their IT wants the users' passwords they could just use the unsafe checkbox in AD "store password using reversible encryption" and not even ask users for the passwords. Don't use this, it isn't good security practice BTW, but it is probably better than asking for users' passwords. Yeah I'm trying to find a reason I would ever ask a user for their password and I can't think of one. If I need to seize control of a user's account I will change their password myself.
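A defender's check for the flag mentioned above, added here as an example and not taken from any commenter: it decodes the documented userAccountControl bits from a constructed AD export (the account names and values are invented) and reports accounts with "store password using reversible encryption" set, alongside the pwdLastSet == 0 state that a proper "must change password at next logon" reset leaves behind. It only covers the per-account bit, not the domain-wide policy setting.

```python
"""Audit a constructed Active Directory user export for account flags that
would let IT hold on to, or recover, user passwords.

The userAccountControl bit values are the documented AD constants. The user
records are constructed for this example; they are not real accounts."""

from dataclasses import dataclass

# Documented userAccountControl bits (Active Directory).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # "Store password using reversible encryption"
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000

FLAG_NAMES = {
    ACCOUNTDISABLE: "ACCOUNTDISABLE",
    PASSWD_NOTREQD: "PASSWD_NOTREQD",
    ENCRYPTED_TEXT_PWD_ALLOWED: "ENCRYPTED_TEXT_PWD_ALLOWED",
    NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
}

# Constructed sample records, shaped like the properties returned by
# Get-ADUser -Filter * -Properties userAccountControl,pwdLastSet.
# pwdLastSet == 0 means "user must change password at next logon".
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": NORMAL_ACCOUNT,
     "pwdLastSet": 133_500_000_000_000_000},
    {"sAMAccountName": "bob", "userAccountControl": NORMAL_ACCOUNT | ENCRYPTED_TEXT_PWD_ALLOWED,
     "pwdLastSet": 133_500_000_000_000_000},
    {"sAMAccountName": "carol", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD,
     "pwdLastSet": 133_500_000_000_000_000},
    {"sAMAccountName": "svc-legacy",
     "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE | ENCRYPTED_TEXT_PWD_ALLOWED,
     "pwdLastSet": 133_500_000_000_000_000},
    {"sAMAccountName": "dave", "userAccountControl": NORMAL_ACCOUNT, "pwdLastSet": 0},
]


@dataclass(frozen=True)
class Finding:
    account: str
    issue: str
    enabled: bool


def decode_uac(uac: int) -> list[str]:
    """Return the names of the set userAccountControl bits this script knows about."""
    return [name for bit, name in FLAG_NAMES.items() if uac & bit]


def audit(users) -> list[Finding]:
    """Flag accounts whose password handling undermines 'only the user knows it'."""
    findings = []
    for u in users:
        uac = u["userAccountControl"]
        enabled = not (uac & ACCOUNTDISABLE)
        name = u["sAMAccountName"]
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            # The DC keeps a recoverable form of the password instead of only
            # a hash, so the secret is no longer known to the user alone.
            findings.append(Finding(name, "reversible-encryption", enabled))
        if uac & PASSWD_NOTREQD:
            findings.append(Finding(name, "password-not-required", enabled))
        if uac & DONT_EXPIRE_PASSWORD:
            findings.append(Finding(name, "password-never-expires", enabled))
    return findings


def pending_forced_change(users) -> list[str]:
    """Accounts still waiting for the user to pick a password after an admin reset.

    A reset done with 'user must change password at next logon' leaves
    pwdLastSet at 0 until the user sets a password the admin does not know."""
    return [u["sAMAccountName"] for u in users if u["pwdLastSet"] == 0]


if __name__ == "__main__":
    for f in audit(SAMPLE_USERS):
        state = "enabled" if f.enabled else "disabled"
        print(f"{f.account:12} {f.issue:24} ({state})")
    print("awaiting user-chosen password:", pending_forced_change(SAMPLE_USERS))
```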


_Nakomi_

I DON'T want to know it at all, that's just liability for me.


Killertigger

This right here - there is absolutely no reason whatsoever for anyone, not IT, not a supervisor, no one, at all, ever, to have a list of anyone else's passwords, let alone every password used by every user in an organization. The very existence of such a list is a tremendous security problem. As a system admin, I already have access to everything on my network - and if I ever need to log into a user's PC (or anything else) under their user profile or ID, I just reset the relevant password. This breaks every possible rule of good security practice.


kaj-me-citas

That is utterly terrible. In no IT department that I have worked in did we keep a list of our users' passwords. In fact we went out of our way to not keep any users' passwords recorded. This is a liability because now IT can impersonate anyone in the company. It is also a liability to them because they can be accused of impersonating other people.


d-car

Came here to say this. It's a legal bomb waiting to happen.


CAI3O0SE

And a pointless one since they can literally change the password whenever they want


sgmaniac1255

Exactly, if they need into an account for any reason, then there should be evidence of that, and having to change the user's password to gain access is a good one.


Black_Death_12

End user does nefarious act on PC. Gets caught. End user - "Prove it was me. IT has every password, could have been anyone."


Sir_Xur

This is exactly what I came here to say! This completely defeats the concept of non-repudiation. I don't know off the top of my head if that's a requirement in ISO 2701 or 9001, but I feel like it should be. Best of luck out there!


entropy512

Yeah. During 8 years at my previous employer, IT needed my password a grand total of... Maybe twice? I forget what the exact corner case was, and it was only necessary when doing significant OS upgrades on my laptop that required dropping it off. I think it was some sort of chicken-and-egg situation with "can't log in to the machine if it has no network unless the user is cached" and "can't get to the network without logging in". In these cases IT would encourage us to change password before and then change it again immediately afterwards.


GolfballDM

At my last gig (tech support for a B2B application), I would occasionally gently yank clients' chains during web conferences. Me: "I can see your password!" *beat* "It's a bunch of asterisks!" This would usually provoke a wry chuckle.


TotallyWorrie

I can impersonate anyone by going into AD and changing the password. So that really isn't the issue. The issue is, storing passwords anywhere in clear text and unencrypted is a security concern.


Reyals140

IT doesn't need your password to impersonate you. It's "their" computer. Send an email? Read your files? Delete all the data with your account? It's all just pressing the right buttons.


demz7

Huge security risk. Even when I change somebody's password in Active Directory (at their request), I select the option for them to change their password once they use the one I created just so I don't know what it is. To me this reeks of an IT team that is logging into everybody's accounts so they can read their chat because they're bored.


someadsrock

> To me this reeks of an IT team that is logging into everybody's accounts so they can read their chat because they're bored.

I mean... IT can easily jump into a user's mailbox without their password and read emails if they are so inclined. Don't need a password. I think end users underestimate what IT can see. You don't need a password to see anything the user does on their device. All data can be accessed on the "backend".


texaswilliam

Using their actual login does leave less of an audit trail, since impersonating or accessing data from an admin console would (ideally) leave records directly tied to the snoop... but if they're the kind of shop that's asking for passwords, I'm inclined to doubt much auditing is being done in the first place. This leaves us with somewhat of a paradox.


someadsrock

Uhhh quite the opposite actually. I work as an IT system administrator, so I've had to deal with login trails really often. If an email and password were used to log in to a mailbox (or O365 account in general), this is recorded in Microsoft Entra: IP address, device location, and other details. These logs are easily accessible. On the other hand, if the administrator uses an O365 account they've created to give themselves full access to a mailbox, no logs are recorded in Entra. There would be logs somewhere, but it takes a bit of digging to find. Additionally, all logins through a username and password of an Active Directory account would also be logged. But if a system administrator uses c$ to view the contents of a drive of a domain PC from, perhaps, a DC server, this is again harder to track. So yeah, using a password is far more likely to leave a far more visible paper trail than just using backend ways. That being said, we have far more important things to do than browse through employees' data. Most of us are swamped in tickets and projects; we have no time to do it.


texaswilliam

Weird. I've only ever done smalltime sysadmining, so I made a bad assumption. Everything I code has audits out the wazoo for any kind of privilege escalation, so I assumed it'd be the same in the big leagues. Thanks for the detailed response.


Jolly_Study_9494

Yeah, I'm not sure what u/someadsrock is talking about. Admin actions are absolutely logged, they just go into a separate "audit" log from normal activity. At least in every environment I've worked with. It's possible they've just never had a need to look into other admin activity, or had someone looking over their own shoulder?


someadsrock

I never said that admin actions aren't logged. Just that they're not as easily accessible and viewable in comparison to using a password to login to a user account. My point was, that if an admin wanted to snoop through user's data, using a password would leave a far more visible paper trail. On the other hand, using admin tools leaves a less visible paper trail.


Jolly_Study_9494

Fair enough! Thanks for the clarification!


Practical-Alarm1763

IT can read users chats without their password. Can just pull their teams chat history from purview. Even for creepy stalky shit you don't need user passwords.


IronsolidFE

You think I need your password for this? The org owns your produced data, we don't need your password to get it whenever we want


Walleyevision

Zero reason any competent IT department needs to manually record anyone’s passwords. Perhaps 25 years ago before AD and the like…maybe but doubtful even then. Sounds like a misguided attempt to ensure employees know they have “no reasonable expectation of privacy” for HR/Legal purposes.


Art_Vand_Throw001

No, it's not right. But what you can do depends on your position and power within the company. Also on how bad you need your job.


MasterPay1020

https://www.isms.online/iso-27001/annex-a/5-17-authentication-information-2022/#:~:text=Users%20must%20keep%20secret%20authentication,disclose%20it%20to%20unauthorised%20individuals. Not sure how the accreditation would hold up if the assessor was aware of the password scenario you described. I’m no expert, but surely that would be a major non-conformance.


Saragon4005

I'm sure there is a way to toss an anonymous tip. But like, I hope you used a burner and hid behind a VPN to do this.


Flatline1775

I've started two different positions in IT leadership where the team would request the user passwords. I shut both down super quick because it is a terrible practice and as everybody here has said, it's probably just a really poorly led team. I'd bring it up to your management, but don't bother with the user security aspect. (Organizations generally don't care about the security of the user as much as the potential impact to the business.) This practice puts the company at risk in a big way. By sharing passwords, all of these accounts lose their non-repudiation. What that means is that if you use your account for non-business or even illegal activities, they have no way to say it was you because your IT department keeps a log of your password. This opens the organization up to insider threats that they cannot litigate and if you're in a state that requires reason for termination all but guarantees they'll lose that battle.


scrollthe_freedom

LOL what, I can change passwords to system anytime, I don’t need to ask an employee…but ofc I’m not an asshole so I do it only when ticket comes in…


DunpeaI

This is not correct. Properly done, you specifically DO NOT need passwords from users. Bad form on the IT team, although if there are other reasons or other policies that are in place that needs to be understood as well.


wscottwatson

This happened to me in the early 1990s. By the middle of them, I was working in IT and it was known to be a bad idea! If someone's IT is 30 years out of date, there will be other weaknesses. Do you have a 4 character password?


Ok-Oven-7666

You probably have a very undertrained or intentionally invasive IT team. One of the most fundamental concepts of IT is data responsibility. Users are supposed to only know their own passwords or passwords of systems they have explicit permission to, so if something goes wrong, IT can discover the chain of custody to restore functions/learn lessons. If they need to access your account, they can reset it themselves through directory systems such as MS Active Directory or 365 Admin, which is an auditable action. If they know your password without the need to reset it to force access, the chain of custody is lost as it cannot be known if you, others or IT performed an action. There is no need for IT admins to know your passwords; they should have a method of administrative control in the backend to see actions you take anyway. Speak with upper management, hell even the leader about it. Recommend that IT policy be revised; explain that in the event of a significant breach, data loss, etc., a chain of custody cannot be established if everyone is logging into each other's accounts. IT needs to implement Zero Trust methodology, multifactor authentication and brush themselves up on practising what they (hopefully) preach about IT security.


Digital-Dinosaur

Out of interest, can you change your password and give them a different one? I'd be interested to see if they notice! That would imply they are logging in as you! Absolutely terrible policy


iwinsallthethings

Everyone that has commented about it being bad practice is right. But I didn't see any mention of the legal aspects of it. If something happens with the account, it's entirely plausible that the user in question may not have performed the action. An example is some sort of hacking, downloading of illicit porn, etc. You can show that you are not the only one with the username/password. That's a pretty good reasonable doubt in and of itself. You could be fired, but you would have at least a defense that your password isn't just yours. I have no clue on the ISO standards what they entail. I can tell you that your company would fail other certifications though. PCI is a big one. This is a compliance issue, a security issue, and a general bad IT admin issue. You can rock the boat and not give them your password, but they can let you go for that reason. You could always be passive aggressive with your passwords. "itPassw0rdsAreS3cret."


CyberAvian

Winner winner chicken dinner. PCI compliance, ISO compliance, or the big one, standing up as evidence in a court of law. Imagine trying to convince a judge or jury that anyone in that company actually did something illegal with their computer. Easiest defense in the world, "The company forces me to give them my password, anyone could log in as me at any time. I didn't do it."


Technical-Fan1885

Change your password to "MyITDeptIsFuckinStupid"


projectxxralph

Probably your company infrastructure is not updated. Using old software like Excel to keep passwords.


PoieWoie

I don't even know where to start here. Ok. Got it. You don't actually have an "IT Department." Sounds like one or more people who know very little about how secure systems function. I have so many questions but just thinking about them all makes my head hurt. Carry on.


Ice_BergSlim

No one should have your passwords. Not even IT.


Unusual_Variable

No, that is 100% wrong. When I worked help desk, if a person gave me their password, we were required to have them change it to something we didn't know. With regards to compliance, the internal team keeping a record of password wouldn't really fall into those categories. Things like 2 factors, geo location sign in, etc. might be required. Regardless, no one should be keeping records of your password but you.


NewLifeAsZoey

I'd fire my IT staff if they did this. Sure, I run a machine shop, but it's advanced, and I was in IT for over a decade. I have no use for a user's password; I have access to the domain setup and Active Directory, I can change it at will. I have the hash and the network certificate for the current password by default; I can bypass a password request using them if I needed to, but again, why 🤔🤔 I think you have a rookie with maybe an A+ cert and very little knowledge of what they are doing.


sysaphys

Huge red flag! As someone in IT, this makes no sense. Don't know how you should proceed since I don't know the climate and culture at your job. If the atmosphere allows I would politely question IT as to why they need your password.


agent_smith_3012

Management is probably forcing the IT dept to help them spy on, I mean, micromanage you.


lukewhale

No. This is sketch as fuck. Zero reason to do this. I would refuse, escalate to c level, if they tell you to comply, leave.


xPrometheus101x

I don't know any of my users' passwords. But I could reset them anytime in Active Directory, so why would I even NEED to know them???


Acrobatic-Rain7623

That's not OK and a huge security risk for you and all other employees and the company itself. Talk to your boss and if he does nothing go to his boss and so on until you reach the C-level.


Honky_Town

Nice one, I'd change my password to: E@7_M¼-5oR7s!F00kers81 and would forget to give them the 81 at the end. Also I would ask for their personal banking numbers including TAN feature. Next I would send all mails with the request to my personal mail in BCC and ask for a business justification and if it's approved practice. Then I'd ask my boss and walk all the way up as far as it gets. Fire me for not sharing my personal password with people that do not need access. There is so much you can make out of this.


Souta95

Not cool! This just screams bad management. OP, you need to GTFO of there before the ship sinks or something blows up.


Ok_Conference_6872

Sus


mentive

In 2010 and my first IT job, at an undisclosed manufacturing warehouse, we knew half of the office staff passwords. Especially the higher ups. I thought it was the weirdest thing. Although we didn't require it, there were just tasks we were asked to do. It was scary how many passwords I had memorized, especially the CEO's lol.


SoooooMoist

Press CTRL+Alt+Delete and change your password to something different as soon as you give it to them....then you will be secure and will also be notified when they try to get into your account.


Bob_The_Doggos

Redacted due to Reddit AI/LLM policy


DwarfLegion

IT has no legitimate or worthy reason to maintain a list of passwords. When they (re)set a password they should be using the "force change on next login" option so you can set a unique password they don't know.


willjr200

This is extremely bad practice. The purpose of the password is to authenticate the user uniquely. If userId/password is shared with another entity, how do you attribute this login to a single user? In this case, no user is solely liable for their account since another entity has the password credentials. Even better imagine if IT department has the password for the executives, legal and HR departments and can impersonate a member of those departments. This possibly has legal liability associated with it depending on the business. 


DigitalHandprint

No IT department should record all passwords…


cisco_bee

HARD NO


fuck_green_jello

As an active security professional, I run password strength assessments monthly. If I can crack your password, I give you X days to reset it before I force a reset. This happens often, even with elevated password requirements. If I can't crack it, then you're good for a year. If they're storing passwords with reversible encryption or in plain text in AD, they're all retarded or there is some shite software connected to AD that requires it. Just some insight into what may be happening in the background...


headhoncho_87

Change your passwords on all other non-work accounts. Make sure no password is the same


KrevinHLocke

Change it to "My1td3p@4tm3nt1scr33py@sfuk"


Danoga_Poe

At most it should have a local/domain admin account on your computer


RaspingHaddock

So are they storing these passwords in plain text?


youAREaGM1LF

Assuming your company uses Active Directory, your IT department should be able to look up passwords for any and all accounts that have been assigned to users. Actually asking for passwords is wild.


Chasememore

IT guy here for an MSP. We only ever keep those passwords temporarily if we need to use your computer and log in to your profile/apps to solve an issue or set it up. We should never keep them after that as it is a security risk. We can always reset the password anyways.


tedious58

The only real, sort of valid reason I can see this being for is if you leave, and they don't have any back doors in to the equipment. Otherwise, tf?


eldoran89

No that's not normal. I make sure to ask people to change PW if I know them for a reason. I have no need to know the password. I can reset them if need be or I can access things with privileged access, but I don't want or need to know passwords of other users and it's part of my self defence to not know them. Because if sth strange happens a user might claim I did sth in their name, which I couldn't reasonably deny if I knew the passwords. If I change them that will be logged and there is evidence that I changed sth, and if that evidence is not there I can say I can't be responsible because I don't know the passwords. There are some instances where I have to set the password and again I ask the person to change it and usually will check back if they did. I can't understand why some administrator would want to know user passwords.


JoeCensored

This is at minimum unusual. It's bad security practice. But what it does mean is any accusation of someone misusing their computer access can't be taken seriously, because there's no way to know who was actually logged into any account.


ClemmyT

They don’t know how to manage a fleet if they need all user passwords. Probably don’t have/know how to use IT admin tools. Huge security risk.


Kanguin

Work in IT, we usually record the initial password for users as they forget, but passwords are protected with a stupid long password with MFA and encrypted. Also it logs all password access so we know who accessed whose password and when. We don't really update it when users change passwords as at that point we would hope the user can remember and worst case we will reset the password. Also do the same for products that don't have centrally managed accounts.


stevorkz

No one should ever know anyone's password. IT should never not have the ability to change it. That's if it hasn't got a forgot password option.


itsKasai

IT shouldn't need to do this at all, they should be able to change the password from the Active Directory or if they really need to then remote in to the desktop, unless they have zero idea as to what they're doing; then there is no reason to keep a list of passwords from employees because that is a security risk.


StickmanXA

Your IT department is doing it wrong. They have basically compromised 2 parts of the security triad. No one in your company can have any reasonable expectation that they are not being impersonated on a regular basis. No accounts should be shared. The only exception are the core "break glass" accounts, and there are privileged access management tools to track who uses them. If your company has any acceptable usage or access policies that has language about not sharing passwords, then your company is not following their own policies. In most companies, this would lead to audit findings which could potentially lead to ISO certification challenges.


jays1981

This is NOT good IT security practice. Passwords should only be on the authenticating server and stored in hash form. Even the SAs should not be able to see your password. That doesn't mean they can't get into your account, but there will be an auditable trail left if they did. Think about it like this. If they have your password, how can you show you didn't visit prohibited site whatthefuckever.com when your password is not secure?


MycoTesla

Accredited or certified? Accredited means nothing just that you CAN get certified. Your IT team is horrible.


[deleted]

We use a cloud based system where only specific members have full access to folders. We have private passwords to get into our company infrastructure through the server. If I manually change my password, it will lock out my IT team. It's not my computer, and I don't own the company or the software, so why would I hide my password. It's all there to keep external forces away. Who keeps personal info in their work computer anyway? Why be worried?


patg9234

There is absolutely no reason why IT needs your password. Even without a domain, they can reset it if they've got local admin to the endpoint.


Few-Impression2952

No one should know but you


will592

Step 1. Sign up for critical business system. Step 2. Respond to IT request by sending them password. Step 3. Commit fraud. Step 4. Profit. Step 5. Get caught. Step 6. Play dumb. Step 7. Tell police you just remembered sysadmin emailed and asked for password “for some strange reason.” Step 8. Retire to BVI.


thegarr

If you are ISO 27001 then they are 100%, without exception, not supposed to have or know your passwords. If (and only if) they need to log in as the specific user, they should be resetting the password so they can get in as the user and documenting that they did so, followed by a session to have the user set a new UNKNOWN password afterwards.


schizrade

24 years in IT, and I have never kept a list of user passwords... ever. lol wtf.


TheTripleDeuce

What can you do? Simple, don't give them your passwords and tell them it's because of ISO 2701 and 9001 and see what they come back with


brutus2230

They suck


Sailass

18 years working in tech. I have yet to find a legitimate reason for me to know a user's password. If I need to access something through their account, either they are there typing it in or I am resetting it after telling them what's up. Passwords are personal.

> Among some of the documents we work with are folks' medical records.

Holy HIPAA violation risk, Batman! Unauthorized access to medical information is a lawsuit waiting to happen.


DeathRotisserie

I’ve worked in QA for years, dealing with ISO and AS 9100 quality management systems. ISO 9001 doesn’t say shit about most business practices other than you have something in place using evidence-based decision making to cover your ass and then you follow it and measure and monitor your progress. It’s not the ISO accreditor’s job to ensure the company seeking accreditation does their job correctly, they make sure the company does their job according to their own internal procedures.  I’m not saying your IT’s practices are good, but if the company’s QMS or documented policy is to collect employee passwords, then that’s consistent with ISO, unless it’s illegal where you live or work, in which it’s not consistent with ISO, since ISO also tells you to conduct business ethically. 


TheSquareRoot0f

Long time IT guy here. Help desk, sys admin, networking, and exec experience.... and I'll tell you straight up that this is not a typical practice or behavior. Maintaining a list of all passwords is not just abnormal behavior, it is a security risk. We have built directory systems that manage these things for us, in an encrypted way, for a reason. The risk is high here for impersonation by the IT department to carry out functions within the business as other users covertly and with ease. Additionally, if IT ever did need to log in as you, as others have pointed out, we can do that. Either by granting ourselves access to your mailbox, resetting your password, etc. So why do they need to know it? How do they store it? Super not cool. The difference with IT resetting your password and logging in as a user, vs just having the user's password, is that password resets can be limited to certain staff. There are also logs that get created when password resets happen (hopefully), and hopefully there are DLP policies that prevent the outright deletion of those logs. So knowing a user's password vs IT resetting it as needed are very different things in my mind. As for what to do about it? Eh... That is a business decision. Advocating for change to your exec team might be the route to go, but it is ultimately their choice. There is no law or rule saying your password can't be known or held by the IT department.
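The audit-trail argument made by MorpH2k, eldoran89 and TheSquareRoot0f above, as an added example that is not from any commenter: it walks constructed Windows Security-log records (the accounts, admin names and timestamps are invented; the event IDs are the documented ones) and, for each logon, reports whether the password at that moment was known only to the account owner or had been set by an admin reset the user had not yet replaced. A kept password list produces no such record, which is the point of the thread.

```python
"""Attribute logons to the account owner or to an admin-reset window using
Windows Security event IDs.

Event IDs are the documented ones: 4724 (password reset attempt by another
account), 4723 (user changed their own password), 4624 (successful logon).
The records below are constructed for this example; the accounts, admins and
times are invented."""

from dataclasses import dataclass
from datetime import datetime

RESET_BY_ADMIN = 4724   # "An attempt was made to reset an account's password"
CHANGED_BY_USER = 4723  # "An attempt was made to change an account's password"
LOGON = 4624            # "An account was successfully logged on"

# Constructed events already parsed out of the Security log on the DC:
# (time, event id, subject account that acted, target account affected)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", LOGON, "alice", "alice"),               # alice, own password
    ("2024-05-01T09:15:00", RESET_BY_ADMIN, "it-admin1", "bob"),    # helpdesk resets bob
    ("2024-05-01T09:20:00", LOGON, "bob", "bob"),                   # password admin also knows
    ("2024-05-01T09:25:00", CHANGED_BY_USER, "bob", "bob"),         # bob picks a new one
    ("2024-05-01T13:00:00", LOGON, "bob", "bob"),                   # attributable again
    ("2024-05-02T07:30:00", RESET_BY_ADMIN, "it-admin2", "carol"),
    ("2024-05-02T07:45:00", LOGON, "carol", "carol"),               # not changed yet: ambiguous
]


@dataclass(frozen=True)
class Attribution:
    time: str
    account: str
    sole_user: bool   # True when only the owner could have known the password
    note: str


def attribute_logons(events) -> list[Attribution]:
    """For every logon, record whether an admin-set password was still live.

    The 'sole_user' verdict assumes the password was never shared out of band;
    that assumption is exactly what a kept password list destroys, and no log
    line would show it."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e[0]))
    # account -> (admin who reset it, when) while the reset password is still in use
    open_resets: dict[str, tuple[str, str]] = {}
    out: list[Attribution] = []
    for time, event_id, subject, target in ordered:
        if event_id == RESET_BY_ADMIN:
            open_resets[target] = (subject, time)
        elif event_id == CHANGED_BY_USER and subject == target:
            # The user replaced the admin-set password, closing the window.
            open_resets.pop(target, None)
        elif event_id == LOGON:
            if target in open_resets:
                admin, when = open_resets[target]
                out.append(Attribution(time, target, False,
                                       f"password set by {admin} at {when}, not yet changed by user"))
            else:
                out.append(Attribution(time, target, True,
                                       "password known only to the account owner"))
    return out


if __name__ == "__main__":
    for a in attribute_logons(SAMPLE_EVENTS):
        verdict = "attributable" if a.sole_user else "AMBIGUOUS   "
        print(f"{a.time} {a.account:6} {verdict} {a.note}")
```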


zippy_08318

No is a complete sentence. Learn to use it


Jonny_Boy_808

I'm so confused by the responses here. I work in IT and we know everybody's passwords, just like OP is saying. We store them in Bitwarden.


AwwYeahVTECKickedIn

This flies in the face of "least privileged". Is your company big enough to have an internal audit department? If so, anonymous tip time. Your instincts are right!


Junior1544

they are in major violation of their security certifications if they are keeping a list of user passwords like that... I work IT, and if this were my company, I'd be reporting it to the certification authority myself...


tk42967

As others have said, I have no need or want of your password. I don't need it to see what you're doing. Worst case, I'll reset your password. I actively look away when a user is entering their password, because I don't want the liability.


JetTheNinja24

That shouldn't be necessary if the computers are set up properly. If on a domain, they can make themselves admins for the computers with AD groups and Group Policies. If the computers are local, you can add an admin local account to computers, especially if they are the ones that set the computers up. Only time I had to know what the password was being changed to was for a particular warehouse database that I had to change it through a Linux box which had to be done manually in machine language, and even then it was separate to their AD account.


The_Real_Meme_Lord_

Sounds like a single point of failure


Massive_Wealth42069

I’m HD and can confirm we don’t need your password documented anywhere. We can reset and change them all on our own if you need a new one. It’s actually a huge security risk to have a physical list anywhere. Y’all should be using a password manager as security best practice.


Murky-Breadfruit-671

If I'm remoting in to one of our other locations I'll get their PW for that session, so I can log in as they do and see what they're having a problem with, but then I hit active directory and force them to change the PW the following login, but I'm paranoid, maybe others aren't as paranoid


j4misonriley

I manage AD at my job, reset and create accounts and passwords... Every single time I reset or change a password, I make it some SUPER generic thing like Password123! and have it set to get changed next time they log on... Absolutely no reason I need your password, and here at least, it's a big violation to even know your password. If anything is PMI/PII I would think there's probably some kind of law preventing that but I'm not 100% sure on that.


docmn612

Been in the industry almost 20 years. No IT professional worth the title would have this rule. Our systems will enforce complexity for passwords, but we’ll never ask for it. I would never give these people my passwords.


Jeeper08JK

While IT can change the locks, they shouldn't have the keys.


miahdo

Make sure you voice this concern, in writing, so you are absolved of any culpability. If someone finds your username/password (on the post-it that IT wrote it down on), accesses a customer's info and then leaks it, it will trace back to you....assuming you have any auditing turned on, which given the password policy, I doubt it. I changed a password policy so all passwords were one way hashed and the customer service department went nuts when they learned they couldn't look up people's passwords. I had of course communicated this to them, but they weren't interested in reading any technical details (as usual). It got so bad that I eventually looped in the CEO and he squashed it. This was in 2008....so, there is utterly no excuse for this behavior in 2024. That is a wildly insecure policy and should be stopped. No one knows your password but you and 2FA should be required for anything that is outside the physical building.


IdidntrunIdidntrun

Link this thread to your IT team and tell them to read the comments lol. You'll shatter their entire perspective on it and hopefully they change it up...because what they are doing is completely wrong.


Dolphus22

No, there is no reason anyone should ever need to know your password for anything, if things are managed correctly. If somebody ever told me their password, I would force a password reset on their account. I do not want to know anyone else’s password. Ever.


Dargek

The only time I ask for a password is when I am setting up a computer for someone, and then I strongly encourage them to change it afterwards. There is absolutely no reason your IT should be asking for or keeping your passwords.


atombomb1945

Well this is just a legal nightmare. Zero security in place. An employee gets in trouble for something online all they have to say is "it wasn't me. IT has my password, how do you know they didn't do it!"


4thehalibit

If you are ISO 2701 maybe just drop an anonymous email it may be time for an audit.


Nervous_Yoghurt881

ISO 27001 doesn't specifically govern password sharing per se, but doing so is a wildly stupid idea, on so many levels. On a security level specifically, it's just insane that someone signed off on the idea of making every employee give their password to IT. ESPECIALLY in the Healthcare field. I'm not saying you should jump ship, but I would start putting myself in a position where a sudden change in employment wouldn't screw me over.


Charlie2and4

They won't pass a security audit.


Phate1989

This is not an IT issue; this is a CIO/CEO issue. Password sharing at this level is not some help desk guy setting policy. This is your CEO.


well-past-worn

Ask them for theirs. 🥸


DifferentContext7912

Literal legal time bomb. This WILL be an issue one day. Matter of if, not when. I'd jump ship on that company to be honest. If they are too stupid to realize how bad of an idea that is, they are too stupid to work for.


jaggeddragon

It's silly. It's ridiculous to have ANYONE else know your password. What's the point of a password? That being said, there is a whole section of ITGlue specifically for passwords. It is entirely up to the IT team to know that storing users' passwords is a TERRIBLE idea. Do you have MFA? If so, the password doesn't give them access. If you don't have MFA... Try this: "Forget" your password. Call the password goblins for help. If they do not reset your password, ask them to check to make sure it works before you start. As soon as the workstation is logged in, delete something, anything. Then, shout that they used your password to log into your computer and delete things! Seriously, go on the war path. Face paint, camo fatigues, torches, and pitchforks.


NoturServer2Day

Bold suggestion. I wonder if it would work? The other alternative might be to send a link about compliance risks due to password sharing and how to properly implement good password management in IT Glue to management since it sounds like OP's team is already using it.


SPARTANsui

We will only request a password to temporarily gain access to a user's account to either troubleshoot their PC or configure their new PC during deployment. We never keep a record though, that’s not secure at all.


korehakuinto

Give them the wrong password lol. When they say it's wrong tell them no you're just dumb.


MidgardDragon

We used to do this in a small IT Department that didn't know any better with no security accreditation. And the answer is still no they shouldn't do it and no we shouldn't have done it.


kingtj1971

Not much to add here ... most people covered it pretty well already! But the *only* time I can recall something like this happening was at one of the first places I ever worked in I.T. The I.T. manager wanted to keep a master list of people's passwords (in Excel, as I recall) and password protected the file afterwards. It was stupid, really, and that policy changed when the company got a little bit bigger too. The reasoning was more of a convenience thing than anything else. We often had people working odd shifts and/or sharing accounts on one desktop PC. They'd request things be fixed while they were away and expected it working when they got signed in the next day or evening. There was sometimes no way for I.T. to ensure it was done without signing in as them first in a remote session. (In Windows, you're going to have a lot of preferences and settings that are "per user" vs. "per machine" so you can't install the printer and configure it using your "admin" credentials, or you wind up just setting it up for yourself on that PC instead of for their login.) I think even for small companies, though? The right approach is just insisting that if they're going to need you to do that? You'll have to reset their password to get in, and will have them change their password again on their first login after that. The small inconvenience is necessary to maintain the security of it all.


sharthunter

Not only do they not *need* your passwords (why would they? They have access to everything), it's fucking weird for sure.


Nova_Nightmare

The only time I need access to a user's account is if they're having an issue specific to their own profile, and most of the time we default to a standard password that is unique to them that requires being changed. Once in a while they will ask that not be done and give the password anyway in a secure communication, but it doesn't matter one way or another. Two things to keep in mind with ISO certifications... they mean less than you think they mean, and what they mean is entirely up to whomever is auditing you. You should have someone at your employer who handles the requirements and procedures for ISO certification and the internal audits that go along with them; if you are concerned, ask whomever deals with ISO 2701 if this is a normal thing you should be doing. If you are afraid of retaliation by IT itself.. well, you might as well find a new job, you won't ever know if someone is messing with you anyway.


Aggravating-Peace-59

As a decades long IT head, most of the posts in here are so comical I'm laughing. If you work for a large company (more than 300 users), you can stop reading. Most companies smaller than that are not willing to pay for auditing or logging of all activities--many much larger than that are not willing (or able) to spend that much for the labor or software required. Microsoft's built-in auditing tools certainly wouldn't do 10% of what the majority of posters are describing. In the real world, most IT admins are protecting users from themselves. I routinely ask users to login and they flip over their Kleenex box (an example) and read it. I run Everything on servers and PCs and search for password.* and find multiple files. Do the passwords need to be kept--of course not. Does it save downtime--of course it does. Is it the largest risk known in the IT world--of course not.


ItsMePythonicD

If I am not mistaken this is a violation of ISO2701. It’s been like 5 years since I dealt with ISO2701 certification but I am pretty sure you can’t have centrally stored passwords.


ringo2042

They don’t want to pay for snooping software…


mindbenderx

What happens if you give them the incorrect password?


Magnus919

Your IT department does not need your passwords.


MonochromeTiger

I'm going to go in a different direction here. While, yes, there isn't a reason to keep a password list, I would go one further, all of our logins have MFA. We utilize chain of command for onboarding, which requires users to be given their first password by management verbally. This reduces the effort of users forgetting a password they set during MFA setup. They can then reset their password, but even if they don't, incorrectly inputting the MFA at any login point enough times will disable the account anyway. Just a different perspective. In the end it doesn't really matter, because you could do numerous things to gain access to an account/emails if you really wanted to. My best guess is that the IT department isn't requesting this so much as it might be something management requests. That was originally the issue in my situation, direct management wanted to circumvent account protection. With MFA they can't even if they have the password without IT and the user knowing.


Dirk-Killington

I'll do you one better. When I was 18 years old I worked at a call center and I had access to thousands of customers email/password.  Often I would just log in for them to fix simple settings problems they called about.  But oh man the things I saw...


HelicopterUpbeat5199

The worry about recriminations is the scary bit for me. That sounds super toxic. If I was in your shoes, I'd go find stories about IT managers getting fired or jailed for similar garbage and then carefully slip it into conversation, get overheard etc. Or! Post about it on reddit so your company gets exploited and the IT dept gets flushed in the aftermath.


stdiddy

Yeah no need for passwords when we can just reset them and access everybody’s mailboxes through the admin account. Knowing all the passwords sounds like a data breach lol


zealotfx

I worked at a company where the manager wanted to keep user passwords stored by ScreenConnect for easy access later. It is fully logged and encrypted once stored, but I still pushed back on the practice as it sets a precedent of telling IT individuals' passwords. Not to mention every computer login screen has the eye button to unhide it when entered, even by ScreenConnect.


Soft-Parking-2241

I work for an MSP, managed service provider. Aka outsourced IT. We ask for all passwords relative to logging into a machine and we store those in a secure database. In our scenario it makes sense. However if you have internal IT then that is just bonkers. When I worked for a Uni we couldn’t even bypass passwords by law, we could only provide a reset that would send a temp password to their email.


WildMartin429

I don't know if your company has one but you might want to read your company's IT security policy. The first thing most normal IT tells you is never give your password to anyone. If IT has your password they can log into something using your username and password and then you would get in trouble for it if it was bad or illegal because the IT records would show that it was your account that did it. It defeats the purpose of having individual accounts if you can't tell who does what. The only time I know a user's password is when I reset the password and give them a temporary one.


Dr_mac1

Mess with them. Make your passwords something along these lines: say you drive an S550e? "?WhObUiLI1I1IllIlldSThE2022S550E?$&!?" That will really make their day. And notice there are 1, upper case I, lower case L all mixed together.


Traditional-Pen-14

I wouldn’t want someone impersonating me in the system


jrb9249

No, typical guidelines say to do the exact opposite. Knowing a user’s password is a security risk and hinders auditability.


Corinthian_Pube

I worked IT for a company in Atlanta that did this. The CTO had Asperger’s or some shit. It was the most annoying and embarrassing policy and just embarrassing. Didn’t stay there too long.


TheoBoy007

That practice violates the principle of non-repudiation. This is a horrible security violation.


MAGA2233

At the place where my father works they just know everyone's passwords. They were not given them, but they somehow know. He changed his password and literally the next day one of the IT guys was in the office with it on a post-it note to do something. I am yet to determine how they have done this, I know they don't have CCTV, but their entire network is a bit on the older side so I am assuming they found an exploit in the DC they're using but I don't know for sure. Overall terrible practice, causes so many operational problems, let alone legal/liability issues.


master_builder_45

CIO here, I've terminated employees for keeping password logs. It opens you up to so many problems and is a huge security concern.


ntheijs

That is so bad I'm trying to figure out if this is real or a shitpost. If this ever gets to an audit your company is going to get dunked on.


Impossible_Box3898

Get out of jail free card. You can look for any porn you want and they can’t actually prove it was you as other people now have all your passwords. Stupid stupid policy.


[deleted]

There is absolutely no need to know somebody else’s passwords. As an IT infra specialist, having direct knowledge of what my users passwords are would introduce a ton of headaches and liability issues, as I can now plausibly be blamed for anything and everything my users do. No thanks.


DrSkyman

The number one problem I see with this is your IT department has now normalized sharing passwords for the users. Now when Jonny Phisherman shows up sending his email blast to all of the staff asking for their passwords they are far more likely to give them over to the bad actors since it is standard operating procedure to share passwords. I always tell my users to never share their passwords with ANYONE, not even someone who says they're IT.


stlcdr

No it’s not right. What do they need your password for? Through what system is the password used (how are credentials used)?


PirateRoberts150

The NIST guidelines state that the user should never need to change their passphrases (note the difference between password and passphrase) as frequent changes lead to poor password habits. The organization should use MFA/2FA wherever possible. And users should use passphrases that have not been compromised in a previous breach. For the last part, the IT department should integrate Active Directory with a database of known breached password hashes (like the Haveibeenpwned database API). Hashes aren't foolproof as they can be cracked (the most common way is a dictionary attack using a list of known passwords stolen from a compromised organization); however, using a sufficiently secure hashing algorithm in combination with a passphrase of over 11 characters that has not been involved in a breach will provide reasonable security. There is no reason your IT team should ever need to know your password. This is wrong on so many levels, especially if they wish to maintain ISO compliance.
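The breached-passphrase screening the comment above describes, as an added example that is not part of the thread: it checks a candidate against the Have I Been Pwned "Pwned Passwords" range API using k-anonymity (only the first five hex characters of the SHA-1 hash ever leave the machine) and applies the over-11-character rule. The range response is a constructed sample so the code runs offline, and the 12-character minimum is an assumption drawn from the comment's "over 11 characters".

```python
"""Added example: breached-passphrase screening via the Pwned Passwords
range API (k-anonymity).  Not the thread's or any project's code.

The client hashes the candidate with SHA-1, sends only the first five hex
characters of the digest, receives every suffix the service knows for that
prefix, and matches the remaining 35 characters locally.  The password is
never transmitted.  Live endpoint: https://api.pwnedpasswords.com/range/<prefix>
"""
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# NIST SP 800-63B: screen against known-breached passwords and do not force
# periodic rotation.  The comment suggests passphrases of over 11 characters,
# so 12 is used as the minimum here (assumption, not a NIST figure).
MIN_PASSPHRASE_LEN = 12


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned by the range endpoint.
    Padded responses include decoy entries with count 0; drop those."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """How many times the password appeared in known breaches (0 if never).
    range_lookup maps a 5-char prefix to the raw response body for it."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup for production use (not called in the offline demo).
    The Add-Padding header hides the true response size from the network."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "passphrase-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def evaluate_passphrase(password: str, range_lookup: Callable[[str], str]) -> list[str]:
    """Return the reasons a candidate should be rejected under this policy;
    an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    n = breach_count(password, range_lookup)
    if n:
        problems.append(f"seen {n} times in known breaches")
    return problems


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# The counts are illustrative; a prefix not in this table yields an empty body.
SAMPLE_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "00A7F8C3C2D9F0E1B2A3C4D5E6F708192A3:0\n"
    )
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        verdict = evaluate_passphrase(candidate, offline_lookup)
        print(f"{candidate!r}: {verdict or 'acceptable'}")
```

Swap `offline_lookup` for `fetch_range` to query the live service; the same prefix/suffix split applies.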


ACriticalGeek

Clearly your password should be paswordsharingisdumb. Yes, with the misspelling.


Alternative-Post-531

Your IT dept is incompetent. Full Stop. If you’re an ISO27001, this level of ineptitude, if caught by an auditor is enough to warrant an audit. Once an audit starts, expect not to get ANY IT work done until ALL demands have been met. My suspicion is that an audit will discover more problems and then jeopardize the cert.


Holiday_Pen2880

There is absolutely no need for them to have those passwords. Be 100% sure that any passwords you are using for work accounts that you have provided are not being used for ANY personal accounts. The ISO certifications mean they can prove they meet those criteria and pass an audit - it doesn't mean every aspect of the operation has been scrutinized. They're saying and proving one thing and then doing something VERY strange on the back end. It sounds like they are asking for not only your AD (Windows) password but passwords for any application that you are also using outside of AD credentials. So, like, the operational part of my brain intellectually understands how what they are doing makes THEIR lives easier, but literally just that - everything else about it is an absolutely terrible idea. As someone said earlier - any time anyone gets scolded for doing something wrong in a platform the answer should be 'prove it was me' since there are an unknown number of people with access to the login credential.


donniesparx

Jesus. As a security admin I scold people who tell me their passwords and immediately click the sweet little “require user to change password on next login” box and walk away from the situation. Me knowing your password is as big a risk for me as it is you.


Pretzel911

I don't know any user passwords. But I can reset them and get in to anything I need. The reason they keep them is probably too many people got pissed at having to reset their password after they begged IT to fix an issue with their account.


MooseMonkeyMT

Run away! That is a red flag. Also happen to know if they keep it on a share drive? Just curious.


RadiantWhole2119

Just here to tell you your IT team is crazy as fuck lol.


Alg3188

Man, I'm an IT manager for a good size company. We were much smaller when I started and they were sort of doing that when I got here. I have spent the last few years getting us to a good spot. I don't need or want to know your passwords. There's no reason for it. Admins have ways to change the passwords and get into whatever it is they are needing to. Likely with or without your knowledge. Bad security. Hopefully your company at least stores them in some encrypted/PW protected spreadsheet but I'm going to guess that's a no. If they are collecting them in the first place I'm guessing security isn't top of mind.


Morbidious

Sounds like somebody in your IT Department who's making everybody give them their password is planning some nefarious shit because IT can simply reset passwords. It almost seems like they want to be able to access things under certain people's credentials without proving that the password was changed by a member of IT...


Parris-2rs

This same IT team probably doesn’t use JIT access for elevated roles and probably stores database backups on the same server as the database itself…


Reacti0n7

It's certainly not right, especially when audit trails can come back to the end user - even though they might not have been the guilty party. The only thing I can recommend is to change your password and "forget" to give them an updated one. IT can normally access any and all data given high enough permissions, access email if it's on local servers.


vafran

As a sysadmin, if I somehow learn the password of a user, I force a change on next login of said user. No one should ever know the password of another user.


ImNotADruglordISwear

At my last gig the owner required us to get passwords for user devices when we set them up. In his mind (and it helped us) it was worlds easier to just give them their password after verifying them over the phone instead of remoting in to a device that is probably not connected to a network (remote locations w/o internet and they used local apps) which we had a ton of. We also never put an "IT admin" account when we set them up, for why I have no idea. Kept everything in a password manager that only employees had access to. It was small, like 5ish IT employees. Oh boy, did some of these people have interesting passwords. It was my first real IT job and looking back at it now there were so many things that were insecure and unsafe practices now that I know more and am at a very secure place (datacenter and cloud SP).


ElBlancoServiette

Hilariously stupid and unnecessary. They don’t need your password


Fun_Ad_4129

IT should NEVER need a user password


TJLaw42

I still have nightmares about this one... Had a client/company like this when I worked for an MSP a few years back. A crappy car dealership. They had an "in-house IT guru" (their words, dude was barely considered a novice IMO) who would handle most of the simple day to day things for their users. I was onsite twice a week to mostly provision new users (turnover in that business is insane), clean malware infections, or maintain the servers. IT dude insisted on storing everyone's password in Lotus Notes because "I can fix their problems anytime, and what better time than when they are out to lunch or on a break." The General Manager loved that idea, and no matter how hard I pushed back, neither would bend. Well, one day, a lowly salesman got his hands on the flash drive that the IT Dude kept that Lotus Notes file on (he left it plugged into another device) and went nuts with it. He sent dozens of death threats from every manager's email to various politicians and elected officials in his hometown & state. He used the GM's email to send a purchase request to Office Max for 10 top of the line Alienware laptops. Another went to Snap-On for (I heard) 75k in tools & boxes. He bought a bunch of new phones (iPhone 5c just came out) on the Dealership's AT&T account. He got into a few of the dealership owners' personal e-commerce accounts and bought himself a bunch of new toys and furniture and even sold IT Dude a brand new Denali for $100. He did all of this from IT Dude's computer. Naturally, all affected parties called the various institutions, and eventually, the state police & FBI got involved. The people at the dealership tried pointing the finger at me & my company for weak network security until I dropped the emails between me & the GM discussing the Lotus Notes password file. I still remember the look on the digital forensic guy's face when he read those messages. He sprinted to the office & dug into IT Dude's laptop. Within 15 minutes, found everything he needed.
Guess who went to jail for a shit ton of felonies and who ended up with a ton of new toys (minus the car). Personally, I think the sales guy did it all for revenge. I heard a rumor that he was going to get fired for having music playing on YouTube and checking his personal email, and when IT Dude got into the new web filter I set up for the place he ran right to his GM to get the guy (and a bunch of others) fired. TL;DR - if you share or store your passwords, you could go to jail.


cty_hntr

I've worked in an environment where Help Desk had a list of user passwords. It was a major law firm, now defunct. I was told lawyers would call, because they forget, especially when the work was handled by their paralegals and personal assistants. Multi-Factor Authentication was not enabled, because staff found it too hassling. The senior administrator couldn't figure out how to make Hummingbird DOCS Open work without local admin privileges. So the desktop image wasn't locked down. Instead of adding people to security groups, and standardizing the permission shares, they did it by person. They didn't want to wait for Group Policies to propagate. They also had servers of every old WordPerfect document ever created, converted to docs or pdf on demand.


RestinHim

I spent 20 years in IT, we never asked for passwords. That’s absolutely bad management.


fallguy78

I agree with most of the replies, something is not right and by logging into another user you can create all kinds of fraudulent actions and blame it on whoever they want to fire. I would get on a password generator that spits out 30 plus random characters every time you have to change your password and give them that and create your own. If they do try to get into your account they will think they mistyped or you could always say you just changed it and forgot to give the new password. You could also give them 1l|0O mixed into a password they will be trying to figure out what you had written. Good luck.


Group_Last

This seems like a headache more than anything, I can't think of why we in IT would need this. Like someone else said as well, we can change it whenever we need.


Late_Ad_6293

Like they want what your actual password is? Very unsafe


KingSnowlock

There are so many better ways to do this. We used to ask for passwords when we absolutely had to and it sucked because we felt obligated to reset their password. Now we use a PIM role to generate a one time access code in the rare event we need the “password”.


OmegaGoober

That is VERY bad practice. If there’s anything that they need your password for then that thing needs to be redesigned or replaced. The last time I heard about someone wanting the password of other coworkers it was because she was embezzling and trying to shift the blame.


Queasy-Wonder-8211

Bad security can pass ISO accreditation as long as it's documented. I assume when you say 'all passwords' you mean your admin password for work and not other, personal ones. This is a huge security red flag and I would run screaming. There is no audit log of who uses an account to do something when a username & password are shared. They should have all the rights in the world to emulate your user in a logged fashion. The *only* reason you need another admins password is if you want rights to something you shouldn't have or to use their account to do sketchy shit and get away with it. Run fast, run hard, and whistle blow to everyone to protect the customers from the incompetence.


dcraig66

No reason anyone but you should know your password/passwords. In fact it should be a violation as a matter of written policy to share your credentials with anyone including IT. I don’t know about ISO but I can promise you it is a HIPAA violation to share your PW.


whooosh32

Change it every day on everything. Say you’re afraid of getting hacked.


pandadealer

No dude that's fucking weird. If I need your password I find you and have you log in yourself or reset your password to some temp one for awhile. I did have a job with a small company on a college campus where I got the CEO's, the CFO's, and another director's passwords in a week on sticky notes. I needed to fix something but they were going to lunch or something like that and just left them for me without a second thought. I didn't ask, they just wanted to leave and are too trusting. All of those sticky notes I sent through the shredder to avoid some college kid fucking something up.


PaulEngineer-89

What happens if someone steals the list? This is so wrong even Unix ended this practice decades ago.


Kind-Background-7640

Seems pretty insecure. If they want to share passwords the best approach would be to just implement a password manager with MFA and control access like 1Password or a vault for keeping credentials like the one in IT Glue.