I'm an IT consultant. Should I discourage a client from telling me his password?

Question

I'm an IT consultant. One client has known me for a few years. He wants me to do some work on his kids' laptop again. I'll need to log into his kids' Windows user account. (I'm guessing that multiple kids share one account.)

This time, he wants to drop the machine off with me. He'll want to tell me the kids' password ("plan A"): he trusts me. But I don't want him to get in the habit of insecure practices like sharing passwords with IT consultants.

I could propose and push a "plan B":

He changes the kids' password to a new, temporary password.
I log in, do the work, then force a password change at next logon.

Or I could push him to make me an account so that I can follow a "plan C":

I reset the kids' password.
I log in, do the work, then force a password change at next logon.

Still, I want to keep him happy, and I don't want him to waste time or money. I don't want to push him towards plan B or plan C unless absolutely necessary. I wonder:

Is it really so bad for him to just tell me the kids' password? If it's bad, please explain why, and please cite a source if you can.
(Optional:) I always tell customers a per-hour rate. But lately, I've been billing by the minute. If we choose plan C, is it ethical for me to bill him for the extra minutes it will take me?

Somewhat related: ["Is it OK to tell or give your password to an admin?"](http://security.stackexchange.com/questions/5539/is-it-ok-to-tell-or-give-your-password-to-an-admin) — unforgettableidSupportsMonica, Jun 07 '13 at 06:31
After 5 years of my girlfriend wanting me to use her accounts, I finally gave up and try to force her to change the password every time afterwards. You can resist on for so long... After a while, it gets a bit too much in the way, and if people don't want to change their habits... Though I guess in your case there's a greater liability and lawsuit-surface problem... — haylem, Jun 07 '13 at 16:49
Also, your plan B and C are in the hand not that different from plan A. You could have done plenty of bad things while you have access with Plan B, and you'd need enough rights to do what you want on the kid's account with Plan C anyway. Just do what makes the guy's life easy, if you don't fear legal issues. Just don't do that for a company laptop though. — haylem, Jun 07 '13 at 16:50
I'd just go with Plan C -- get the password for the Admin account, tell him you had to reset all of the passwords to do the maintenance and reset the passwords to random 32 character strings. Then when you give the laptop back, let him know how to reset the passwords to something more memorable, along with guidelines on how to choose more secure passwords. Unless you're billing in 5 minute increments, I can't imagine it would be billable time. — Johnny, Jun 07 '13 at 21:17
If you have physical access to his machine, the windows password is not so relevant. It is a trivial matter of using either Cain & Abel or even something as a Linux live CD to bypass the login and acess all the files of every account. — That Brazilian Guy, Jun 08 '13 at 21:56
Ruda.almeida, Can you please tell me how you would use Cain and Able for this type of password recovery? I am not trying to say you can't recover a password for a machine you have physical access to. There are many tools for that, I just don't see how Cain and Able is the right tool for that particular job. Mind you it has been many years since I last used C&A, but when I last looked it was a network, Man-in-the-middle tool. — Rod MacPherson, Jun 24 '13 at 03:12

score 50 · Answer 1 · answered Jun 07 '13 at 06:48

The problem isn't with this situation in particular. Let's assess the situation here:

You're a trustworthy person to them
The password is very likely securing trivial data

Giving you the password isn't that big of a deal in this case. The problem (like you stated in your question) is that getting him in the habit of giving out passwords.

I'd definitely go with plan B. Why?

It's the best compromise between security and convenience in this case.
It'll teach him about not sharing password, especially if the lesson is coming from a trustworthy person to him.
It'll make you look even more professional and shows your interest in your client's security.
You don't know, he might spread the word about this situation and in a way you'd be contributing to a better understanding of security (in this kind of situations) in his circle of friends/family.

As for your second question, I don't think I'm the best person to answer this, but I'd say no. If something takes you 2-3 minutes and it's obviously trivial compared to another task (fixing whatever is wrong with the computer) don't actually bill the client for the extra 3 minutes of work. It makes nobody look good.

Thank you for your answer. 1. What if he replies, "I trust you, and I don't want to bother changing the password?" 2. The bill will contain only one line item: something like "Computer services". I plan to measure the minutes that the job takes me from start to finish. If we choose plan C, is it ethical for me to include the extra minutes that plan C takes me in my minutes calculation? It would be great if you could please edit your answer to reflect this. — unforgettableidSupportsMonica, Jun 07 '13 at 16:30
should also note, if something goes wrong in the future and that password is one the client used for other things (like email), you may be the first person they point the finger at when they call the police. You might be able to clear your name easy, but it won't save you from the headache. — SpYk3HH, Jun 07 '13 at 16:49

score 22 · Answer 2 · answered Jun 07 '13 at 11:45

22

I'd suggest plan B to him, but not push it if he doesn't want to bother.

You will have unsupervised physical access to the laptop - unless there's a disk encryption password you haven't mentioned, that's almost certainly enough for you to do whatever you want without any account passwords anyway, including installing backdoors for later remote access, and knowing the password just saves you unnecessary work.

So if he's right to trust you, he doesn't need any extra security, and if he's mistaken to trust you, the temporary password change (or extra account) doesn't give him any real extra security.

On the other hand if it doesn't already have an unprivileged guest account, encourage him to set one up, so if his kids let their friends use it, they can use that. (And if you can do the necessary work from such an account, use it yourself, but that seems less likely.)

answered Jun 07 '13 at 11:45

armb

622
4
9

6

+1 for pointing out what you can do with physical access. – Bobson Jun 07 '13 at 13:41
2

Although I've giving you a +1 for the nice answer, I still disagree with one point. The main thing here is exposing the password. Think, a server's compromise; yes, someone gaining root or physical access to your server can do whatever they want, but it's also a good thing if you securely hash the passwords on the server. I _can_ give someone my laptop to fix, but I still don't want them to know my passwords. Either because I'm using the password somewhere else, or because my password is `BootyB**chSmack0****`. – Adi Jun 07 '13 at 14:18
2

@Adnan "They can do whatever they want" includes installing a keylogger (software or hardware) to send the password to him once you type it in again. You have to trust the person fixing your laptop. – derobert Jun 07 '13 at 18:43
1

There is still potentially some value to not knowing the password. In the worst case, if child pornography is found on the client's laptop, downloaded after you gave it back, and the police ask who else might have put it there, yes you _could_ still have installed a software keylogger and remote access tools, logged into his account, downloaded the porn, and cleaned up the keylogger etc. afterwards, but it's probably still better not to have known his password. So the trust issue potentially goes both ways. That's a fairly unlikely scenario though. – armb Jun 10 '13 at 15:46

score 16 · Accepted Answer · edited Jul 08 '13 at 22:20

When dealing with home or small business customers, I would go with "Plan A." As Adnan said, it's guarding trivial data. Bypassing the password, or even retrieving it, is fairly simple.

To answer your questions:

I cannot think of a single reason why it would be bad to know his kids' login password.
Ethically, you should bill for standard protocol only. This is what is agreed upon, and paid for. If you communicate a standard for password handling, your customer can either accept that or reject it and find business elsewhere.

Plan B is the most time-consuming. Your customer might not be able to access the computer to begin with.

Generally we asked customers "how can I login?", logged in the default admin, or reset the password and had them change it upon return. If you cannot do this quickly, notify your customer.

As an IT consultant, be consistent. If you are treating someone you've known 2-3 years different than a brand-new customer, you're compromising your policies.

When dealing with an enterprise or government customer, you should never know their password. You should never ask, and if they try or succeed at telling you their password, report them immediately.

The government project I worked on, we used Plan C through Active Directory. A customer once complained I reset their password (instead of Plan A). Our cyber-security manager chewed out the entire upper management and saved my bacon.

Due to my particular situation, I think I'll follow armb's advice, below: to "suggest plan B to him, but not push it if he doesn't want to bother." (I've accepted this answer for three reasons. 1. It makes the important point that things should work completely differently in an enterprise environment. 2. It provides a good answer to my question about billing. 3. Because it was relatively late, the unique information it contains was hidden at the bottom of the webpage.) — unforgettableidSupportsMonica, Jun 21 '13 at 23:10
@unforgettableid Because you accepted my answer I'm going to expand a little: It's *not necessarily* your job to educate your customers on cyber-security. Implementing and following policies that bring awareness to certain issues is fine (as the customer can leave). Simply put, billing for non-policy is unethical (and a bit pretentious). — Nathan Goings, Jun 22 '13 at 07:34

score 5 · Answer 4 · edited Mar 17 '17 at 13:14

I support TildalWave's suggestion.

Actually, I think you should rather go to his home, and show him how easy it is to crack password, for example with Cain & Abel (without showing him how to obtain this software, nor which software it is, so he won't be tempted to do that by himself later). THEN you change the password with him, and give him some tips about some strong password and good security habits.

I think that your showing him these things will strengthen your mutual trust, not lower it.

But if you can't come to his place, then yes, just allow him to tell you his sons' password, as it won't have any "shocking effect he can learn from" to ask him to change to a temporary password.

About how much you can charge... well, it looks like it's a friend more than a client, so charge him like a friend, not a client.

Thank you for your answer. 1. About your first point: If a cracker has physical access to the machine, then he has no need to crack the password. He can simply simply use a live CD to reset the password. 2. About your last point: This is a client. True, we're friendly, but I don't give discounts to clients just because we've become friendly over time. — unforgettableidSupportsMonica, Jun 07 '13 at 16:24

score 4 · Answer 5 · answered Jun 07 '13 at 08:33

Ask yourself, would it be any more difficult for you to abuse this person's trust in you by following any of the proposed plans, and if you really wanted to? I don't think so. Each of the plans you propose are just as easily exploitable - by someone else than you. Why do I know that you won't abuse his trust? Because you came here to ask about your dilemma; Something that even a slightly less honest person would never consider, and a completely dishonest person would rather seek deniability sham on a public website that makes it easier to prove this person's identity.

So, the way I see it, your dilemma isn't in proving your trustworthiness, or preventing any doubt in your honest intentions by proposing plans that might require less of it, but more you being unaccustomed to business acquaintances laying so much trust in you also in private life. You have probably earned this trust in other ways before, and this person is prepared to move this friendship forward. Something that, it seems, has hit you as a bit of a surprise, I imagine?

So, we have these three plans, neither of them perfect in an untrusted setting, and all of them nearly identical in a trusted setting. So I propose you simply follow a plan that will be the easiest for both of you. Simple as that.

As for the payment, here's what I do in such situations: I never charge for it, or ask any compensation or return favors. It's mostly routine tasks that I can easily complete anyway, and if they're more challenging (rare), I take it as that - a challenge. Even better. If however, the person I'm doing this favor to insists in repaying me in some way, I'll either accept a small token of appreciation (invitation to a beer, a piece of the pie his wife baked,...), or if money is offered - give a web address of my favorite charity organisation and ask the person to donate that money to it and never ask about it again (but once I'm away, so if it's difficult for that person to part with the money offered - some can be too generous - , they can keep it without remorse).

If I asked an IT consultant to do some work on my laptop, I'd expect to pay for it. — armb, Jun 07 '13 at 11:49
Yes, and "this person is prepared to move this friendship forward" also doesn't apply. This is a client relationship, not a friendship. — Josh, Jun 07 '13 at 13:43
You are both correct. I have downvoted the answer. Dear TildalWave, if you fix your answer, please request me to change my vote. — unforgettableidSupportsMonica, Jul 14 '13 at 17:46
@unforgettableid - No, that's OK. My answer is reflecting my views on the situation, as it was described when writing it. You're not obliged to like it, or indeed find it useful. I misjudged what you meant with "IT consultant". The proposed plans are all equally exploitable, so I don't feel the need of supporting any in particular, and I assumed this ought to be self-obvious to a man of your profession. What I don't understand however is, why bother asking advice on ethical aspects of you charging your client more when there's more work involved? Can you see now where my answer is coming from? — TildalWave, Jul 14 '13 at 18:56
@TildalWave: As for your first point: Since you misunderstood "IT consultant", you are free to [edit] your answer if you like. Of course, it's not required. As for your question: If plan B or plan C were clearly unnecessary, then it would be clearly unethical to charge money for the extra minutes required. They aren't clearly unnecessary, but if I ever do them, I think I will still warn my client in advance that they will have to pay for the extra minutes required. — unforgettableidSupportsMonica, Jul 15 '13 at 19:31
@TildalWave: I like billing by the minute. If I get distracted by some interesting webpage, I can stop billing, enjoy the webpage, then resume billing. Billing by the second would be too complicated. — unforgettableidSupportsMonica, Jul 15 '13 at 19:55

score 2 · Answer 6 · answered Jun 07 '13 at 14:58

In this particular instance, I would either say go with Plan B or just accept his password.

Plan B makes most sense, provided you also explain exactly why you are doing what you are doing.

However, in some instances, especially if its a shared password used by all the kids, changing the password can be a pain. I am thinking in particular of Apple. I very rarely need my Apple ID, and invariably forget the password and have to go through the usual security questions etc before I can reset it. But every time I choose a new password, and make it an obscure variation on something memorable, I get told I have already used the password. This is a pain, and if a few people are sharing the same password, the chances of locking the account can be quite high.

So make a judgement call.

score 1 · Answer 7 · answered Jun 24 '13 at 03:24

Plan B is safest, because you never see what the person's password pattern is (almost everyone has a pattern they use to pick passwords) Plan C is a good fall back. Even if he changes it back to what it was, You did your due diligence in suggesting and helping him with the password change and you can legitimately say you do not know the password if anything happens later. (you don't know unless he tells you that he reset it back to what it was)

score -2 · Answer 8 · answered Jul 08 '13 at 22:58

-2

I think all plans are not fun for the client. but by necessity, plan B should be done.

This is a waste of time and money. but you have to tell your client to hide all of their important data first, before you randomize computer. I think the browser in a password that is more important.

answered Jul 08 '13 at 22:58

Ikhwanul Fikri

1
1

1

-1. What does "randomize computer" mean? What does "the browser in a password that is more important" mean? Please [edit] your answer and make it clearer. Also, if you used Google Translate to translate your answer into English: Please do not use Google Translate. – unforgettableidSupportsMonica Jul 14 '13 at 17:45

I'm an IT consultant. Should I discourage a client from telling me his password?

8 Answers8

Linked