84

During an internship for a small company, my boss created an account for me, so I generated a password and I used it. The next day, my boss told me to write down the password of my account on a piece of paper, put it in a letter and to sign the envelope. Then he took the letter and told me that if he needs to access my account and I am unreachable, he is authorized to open the envelope and read the password to use it.

He also told me that this is a common practice in all companies. Now I don't know if every company does this (I don't think so) but, to me, it's not legal.

Let's say that my boss is a bad person (he's not) and he wants to frame me for something that he did. He only has to open the letter and read my password (let's say that I'm unreachable) and do his nefarious activity with my account.

Now let's say that I can't prove my innocence. How can I prevent all of this? I thought of writing down a wrong password, but if he really needs my account and I'm unreachable, I'll put him in a bad situation.

So, is there a way to protect myself (without refusing to write down the password)?

muru
malloc
  • Maybe this question belongs on law.SE or workplace.SE? – Neil Smithline Jan 31 '16 at 18:03
  • http://www.nostalgicimpressions.com/Wax_Seals_Stamps_s/2.htm – Richard Jan 31 '16 at 22:14
  • FYI, this is **not** common practice – David says Reinstate Monica Feb 01 '16 at 01:54
  • `...common practice...` Huh?? BTW, at least sign across/along the seal. But seriously... Huh?? – user2338816 Feb 01 '16 at 05:46
  • I would say definitely get a receipt or something for the envelope... but it may be too late now since it might be too awkward to ask him without implicitly telling him you don't trust him. Another possibility is to send someone (if you don't have anyone, yourself) an email or something with the precise date/time when you gave him the envelope and details of what you did... at least later on if it comes to having to prove your case, you can make a (small) case that you're not making the story about the envelope up on the spot. – user541686 Feb 01 '16 at 09:14
  • Also, there's the question of why should your boss need to access your account in the first place. That's equivalent to saying that he needs to be able to impersonate you, which makes no sense. If he needs to read your files -- he can use an administrator account to read those; he doesn't need to impersonate you in order to do that, unless the files are encrypted with your password, which I suspect not (it would be kind of pointless given the context). – user541686 Feb 01 '16 at 09:17
  • Why go to all this trouble? He can get the admin to let him in anytime. – RedSonja Feb 01 '16 at 10:04
  • Whether or not this is advisable, it is certainly not illegal. – Casey Feb 01 '16 at 15:55
  • @Casey that's not necessarily true - entry into a computer system under false pretenses can be a hefty crime in a number of jurisdictions, including the US. – corsiKa Feb 01 '16 at 15:56
  • @corsiKa Maybe abusing the password is illegal. Requiring you give it to them is not. – Casey Feb 01 '16 at 15:56
  • Definitely talk to your CTO or relevant security/IT official in your organization to make sure that this is company policy. It is possible/plausible that your boss is doing this because another manager told him that this is a good idea. I have worked in places where giving anyone else your password was a very serious offense, and yet people running whole offices were practicing password sharing with their subordinates. – David Baucum Feb 01 '16 at 20:18
  • I have worked on systems where exactly one admin was permitted (technically, there was an alternative: no electronic data processing). We followed exactly this process. The person holding the passwords in escrow (in a safe, in a safe) was the one person in the facility with maximal security authority. The alternative, of course, was to have a single bus crash make all these machines unadministratable. Given the frequent system auditing requirements, this would have put us back at the alternative quickly: no processing. It's not *so* rare, especially in smaller shops. – Eric Towers Feb 02 '16 at 03:46
  • Your boss owns the system on which you have your account. He can do whatever he likes with it. As has been mentioned, your envelope should be completely unnecessary, as the system administrator would be able to get access whenever needed to your account. – user1751825 Feb 02 '16 at 05:14
  • Put a typo in the password on the letter in the sealed envelope. If he doesn't misuse it, he will notice quite late. And then just apologise. :) if he actually needs it, the admin will have to change it and that leaves an audit trail. – Daniel Feb 02 '16 at 23:05
  • The envelope is almost a complete waste of time since there are methods to [open and reseal](http://www.wikihow.com/Open-a-Sealed-Envelope) an envelope. (Not always possible of course but how much would you rely on one being tamper proof?) – Sayse Feb 03 '16 at 10:43
  • blank piece of paper in the envelope – wim Feb 03 '16 at 22:52
  • Having to sign a new envelope every 45-60 days sounds like a royal pain – Ben Feb 04 '16 at 03:04
  • I doubt this even exists. OP invented the story. – Buttle Butkus Feb 04 '16 at 09:03
  • It's your company. They have access to your account anyway. Envelope or not: users with more privileges (your sysadmin) can always access your account – BlueWizard Feb 13 '16 at 19:29
  • Why would your boss do something bad with your account? He would hurt your company and if he had a grudge against you he could fire you even without tampering with the account – BlueWizard Feb 13 '16 at 19:30

14 Answers

123

That's what the envelope is (or should be) for: In order to use your password, one needs to break the seal of the envelope you signed. When you think your password was abused, you can ask to see the envelope with your signature and check if it is still unopened.

All you need to do is, should your management ever require your password, change the password and hand in a new envelope. You might want to change your password at regular intervals anyway: it's common best practice.

By the way: In companies with a proper IT management this method is unnecessary, because system administrators can receive any necessary information from user accounts without having to know the passwords of the user. If an administrator really needs to log into a user account, they would reset the password (which would create a verifiable audit trail). And there is usually more than one system administrator, so the admin accounts do not require this method either.

Philipp
  • The last paragraph is not 100% correct, cf http://superuser.com/questions/767239/encrypted-files-after-resetting-windows-password – Hagen von Eitzen Jan 31 '16 at 20:53
  • @HagenvonEitzen: How likely do you estimate that they don't backup the data, and don't have the domain as backup-operator and thus owner of a second key? – Deduplicator Jan 31 '16 at 20:59
  • Well, they might still need keys for accounts not managed by the company nor by their single-sign-on-solution - if any - to be escrowed that way... – Deduplicator Jan 31 '16 at 21:02
  • "they would reset the password" ... or just use something like `sudo` & co. – Bakuriu Jan 31 '16 at 21:03
  • One thing I would add is that there needs to be company knowledge (and ideally oversight) of this escrowed password process. If the boss can simply respond with "What do you mean signed envelope? We don't do that here." Or "I asked him for his password but he never provided the envelope" then the other preparations don't offer much protection against your account being misused by the boss. – PwdRsch Feb 01 '16 at 02:34
  • I would change _It's common **best** practice_ to _It's common practice_. While many organisations promote changing passwords frequently, I have never seen a convincing argument for doing so and many arguments against. – CJ Dennis Feb 01 '16 at 03:29
  • @PwdRsch: So, get the boss to give you a receipt for the password envelope. – Nate Eldredge Feb 01 '16 at 03:40
  • @HagenvonEitzen EFS has the concept of Recovery Agents (i.e. escrow keys), so accessing the files without having the original password is covered if you have planned for this case. – syneticon-dj Feb 01 '16 at 07:52
  • @CJDennis The only argument for frequent password change I have seen is as follows: assume the password hashes were stolen and it went unnoticed. Somebody is running some bruteforce to get the password, but that is expected to take x amount of time (given password complexity requirements and estimate of expected processing power of the attacker at time of computation). So you should change the password with intervals no longer than x, so when the attacker is done and tries to use the password, it has already been changed. Edit: yes, you should use a strong salt, and Moore's law anyway. – Theraot Feb 01 '16 at 11:59
  • @Theraot: another argument for frequent password change is that the attacker manages to obtain the plaintext of the password (e.g. keylogger, shoulder surfing) but did not actually use it for some time to mask the incident where he managed the chance to obtain the password. Frequent change limits the window of such attacks to just the vulnerable time. – Lie Ryan Feb 01 '16 at 14:50
  • The reasons for password change policies are off-topic for this question. – Philipp Feb 01 '16 at 14:56
  • @Philipp: What email providers won't [let users stop evidence of received emails from being visible on their account] until a sufficient amount of time has passed? (Alternatively, how else would "proper IT management" make the procedure described in the OP unnecessary "for accounts not managed by the company nor by their single-sign-on-solution - if any"?) – Feb 02 '16 at 06:04
  • +100 if possible for `By the way: In companies with a proper IT management...` – TheBlackBenzKid Feb 03 '16 at 10:37
  • -1 for implying it's somehow hard to extract information from a sealed envelope. You could use a flashlight, or rip up the envelope and put it in a new envelope, or possibly use a thin needle to take the password out of the corner of the envelope, or you could possibly claim the envelope was lost. You've not exactly offered legal counsel on whether any of this is viable. – djechlin Feb 03 '16 at 17:11
  • *"In order to use your password, one needs to break the seal of the envelope you signed."* - that is, simply put, false. If the envelope does not have obfuscating print inside, strong light, some organic liquids or similar techniques can be used. If it has, glue may be dissolved without really damaging paper, and the envelope can be glued again. Dozens of ways, I'm sure, even if I know only four or five. – Mołot Feb 03 '16 at 22:47
  • Opening envelopes (sealed or not) is fairly easy. It's just not worth the effort sometimes – BlueWizard Feb 13 '16 at 19:32
26

I don't think you are in a particularly worse situation than not disclosing your password. Your boss could:

  • Get the system administrator to make a copy of your (hashed) current password
  • Change it to something new
  • Do something evil in your name
  • Put the old password back (put the hash back to what it was)

What does protect you is that there are, presumably, audit trails of things that are done. For example, tracking emails by IP addresses.

If anything you are in a better situation than before. Now you can plausibly argue, if something bad is done in your name: "But my boss insisted on having my password, maybe he did it".

If the audit trails can be used to prove your boss's innocence in this sort of situation, then it can also be used to prove yours. And if no audit trails exist there will be doubt as to who really did it - whatever "it" is.

Nick Gammon
13

Change your password immediately after handing him the envelope.

You have fulfilled his requirement of giving him an envelope with your password, and you have fulfilled the need to keep it secure. In the unlikely event that he tries to use the envelope password, you can explain that you needed to change it and he had yet to receive the new envelope.

In no case would I trust anyone with a password of mine, even in a sealed envelope. An envelope is too easy to breach, even without breaking the seal. Even using "security envelopes", placing a bright light (super flashlight, office projector, car headlight) to the back side of it will cause the contents to be able to be seen through it. Considering the information to be obtained is likely a large printed single word, it is not secure. I have never worked for a company that has asked for me to give them a password in an envelope.

  • This is a breach of trust. While the OP's company doesn't appear to have a correctly-managed IT infrastructure, that doesn't mean you should go out of your way to screw your employer who expects this information. Besides, you should always assume your employer has access to everything you're doing online. Just don't use the same password at work that you use elsewhere... problem solved. – Mark Buffalo Feb 01 '16 at 14:10
  • In practice, I'm not sure any of this matters. It's a password to a company-owned user account on company-owned equipment. As others have said, I'm not sure what having a password to such an account gives the company that they don't already have. – Robert Harvey Feb 01 '16 at 15:26
  • @MarkBuffalo My trust in him is already breached when he made the false statement "this is a common practice in all companies". – Keeta - reinstate Monica Feb 01 '16 at 15:32
  • @Keeta Good point. I have *never* seen this used before. The employer could easily hardware keylog his employee and not even have to ask him for the envelope. However, his employer has the right to ask such things from him. – Mark Buffalo Feb 01 '16 at 15:33
  • it's not uncommon to see some password sharing for third-party vendors without enterprise-style access controls. That's exactly what products like Lastpass for Enterprise are for. – Casey Feb 01 '16 at 15:58
  • @MarkBuffalo: Maybe, maybe not. The employment contract and/or employee handbook may well have something in it about not sharing passwords with anyone. The one from my last job did, and didn't make exceptions for requests by management. – cHao Feb 01 '16 at 21:29
  • what you're suggesting is called "sociopathy" - the boss clearly wants access to his password at all times - he will have reasons for that and changing the pass after handing the old one to him will guarantee two things at the same time (if the boss finds out): 1) the internship will end, no job will be offered. Ever. 2) he will be snarled at. – specializt Feb 02 '16 at 09:25
  • "breach of trust" LOL. It could as well be argued that the employer requesting the password under false pretenses is in itself a breach of trust. Additionally, if "you should always assume your employer has access to everything you're doing online" then the employer should not need to request the password. – user100487 Feb 02 '16 at 14:33
  • if the company does not have 1) explicit written rules against changing your password "when you think it might be necessary", and 2) explicit written rules stating something like "every time you change your password you will need to give the password to your manager" then there should not be any legal problems changing the password. – x457812 Feb 02 '16 at 15:15
  • IMHO the only reasonable and 100% honest approach is to resign from the company, rather than playing tricks on the employer. – JonathanReez Feb 02 '16 at 15:15
13

Password escrow as described in your situation is highly unusual and loaded with risks. The setup you describe relies on trusting your boss to not only be honest with their intentions and motivations, it also assumes your boss is storing those passwords in a secure manner. Are the envelopes kept in a safe? A locked filing cabinet? His desk drawer? A folder on his desk?

The ideal situation:

Escrow: A system where a disinterested third party holds money/information/property in trust on the condition that certain requirements are met before transferring said holdings to the receiving parties.

In your scenario, the person holding the password is not a disinterested third party. This is less than perfect, but they are being trusted by management to be honest and secure in their handling of the passwords.

Alternatives in other answers are good suggestions. An additional alternative to the current scenario would be to split the password into multiple parts. For example, half the password given to your manager and the other half given to your manager's manager (or Human Resources, or department head, or CEO, whatever makes the most sense). How to split the password and how many people have access to which portions of the password will vary depending on the company management structure.

Just as they're trying to mitigate risk by having password escrow in the first place, they should avoid having a single point of failure in the process. Avoiding conflicts of interest and requiring multiple parties to be involved would go a long way to making password escrow safer. It's still not a great management practice, but it doesn't have to be as insecure and risky as just handing the password over to the boss in a plain envelope. Even something as simple and cheap as adding tamper resistant security tape would improve the current scenario.

Booga Roo
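As an added example (not code from the answer above or from any commenter), here is the split-escrow idea carried out properly in Python: rather than handing out literal halves of the password, which lets each holder cut the remaining guessing work in half, Shamir's secret sharing gives each holder a share that on its own reveals nothing, and any `threshold` of the holders can reconstruct the password. The holder names, the threshold and the password are constructed for the demonstration.

```python
"""Threshold password escrow via Shamir's secret sharing (added example, not the answer's own code)."""
import secrets

# Mersenne prime 2**521 - 1: a prime field large enough for secrets of up to 64 bytes.
PRIME = (1 << 521) - 1
MAX_SECRET_BYTES = 64


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with coefficients coeffs[0] + coeffs[1]*x + ... at x, mod PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_password(password: str, threshold: int, holders: list) -> dict:
    """Give each holder one share; any `threshold` distinct shares recover the password.

    Each share is a point (x, y) on a random polynomial of degree threshold-1 whose
    constant term is the secret, so fewer than `threshold` points leave the secret undetermined.
    """
    raw = password.encode("utf-8")
    if len(raw) > MAX_SECRET_BYTES:
        raise ValueError("password too long for this field")
    if not 1 < threshold <= len(holders):
        raise ValueError("threshold must be between 2 and the number of holders")
    # A leading 0x01 byte keeps leading zero bytes and fixes the length on recovery.
    secret = int.from_bytes(b"\x01" + raw, "big")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Constructed holder names are the x-coordinates 1..n (never 0, which would leak the secret).
    return {name: (i, _eval_poly(coeffs, i)) for i, name in enumerate(holders, start=1)}


def recover_password(shares) -> str:
    """Lagrange-interpolate the polynomial at x = 0 from the given (x, y) shares."""
    points = list(shares)
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    raw = secret.to_bytes((secret.bit_length() + 7) // 8, "big")
    if not raw or raw[0] != 0x01:
        raise ValueError("shares do not yield a valid secret (too few or wrong shares)")
    return raw[1:].decode("utf-8")


def try_recover(shares):
    """Return the recovered password, or None when the shares do not yield a valid one."""
    try:
        return recover_password(shares)
    except ValueError:  # covers UnicodeDecodeError as well
        return None


if __name__ == "__main__":
    # Constructed scenario: 2 of 3 holders (manager, manager's manager, HR) must cooperate.
    shares = split_password("correct horse battery", 2, ["manager", "managers_manager", "hr"])
    print("manager + hr      :", recover_password([shares["manager"], shares["hr"]]))
    print("manager alone     :", try_recover([shares["manager"]]))
```

The sealed envelopes still matter for tamper evidence; what the threshold adds is that no single holder, however the envelope is opened, holds a usable password on their own.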
8

Philipp is correct here. Let me restate something he said:

In order to use your password, one needs to break the seal of the envelope you signed. When you think your password was abused, you can ask to see the envelope with your signature and check if it is still unopened.

To add to what he's saying, your company appears to have grossly incorrect IT management practices. What you should do at this point is make sure your password is not the same as the one you use elsewhere.

Always assume your employer has access to whatever you're doing online. Even if they don't. Do not log into your social networking accounts at work. Do not log onto your bank accounts. Use your work computer for work-related tasks. If you have a cell phone, it's even easier.

Your employer should be able to do whatever they want, within the confines of the law, to your work computer. You should not have any expectation of privacy.

Mark Buffalo
  • Signing it is not foolproof. What if the boss steams it open and then reseals it? What if he takes a high resolution photo of the signature and practices forging it himself hundreds of times until he can do it perfectly? – Buttle Butkus Feb 02 '16 at 09:50
  • @ButtleButkus Then you *might* have a problem with tinfoil hattery. I'm not discounting your concerns, but you need to prioritize risks. – Mark Buffalo Feb 02 '16 at 12:32
  • my point is that this security system is not at all foolproof. If the OP has a real concern about being framed for malfeasance, then the sealed envelope trick should definitely not assuage his fears. – Buttle Butkus Feb 03 '16 at 02:14
  • *Nothing* is fool-proof. ;-) You can only manage risks. – Mark Buffalo Feb 03 '16 at 02:15
  • Certainly, but using 19th century security-by-obscurity methods in the year 2016 is pretty amusing. – Buttle Butkus Feb 03 '16 at 02:23
  • It is indeed amusing. However, what's the feasibility that his boss is going to "perfect" his hand-writing and forge it? It's very low, and there are many tell-tale signs that give it all away. :b – Mark Buffalo Feb 03 '16 at 02:26
4

This should be completely unnecessary in a properly configured system, assuming you log on to a corporate domain. In a properly configured system, logging on to a corporate domain, any data you edit, create or have access to on the network or on your local system will be stored in a location accessible by others who each have their own login credentials, which will have the necessary permissions to access that data. By using their own login credentials, they not only have access to network data, but also local data, and the audit logs will show who did what and when. Being REQUIRED to give your username and password to ANYONE is not only a bad practice, but is highly irregular, risky and/or indicative of incompetent system/network administration.

If I were in your shoes, I would ask his superiors about that policy, change my password and refuse. If your job is threatened, then I would call their/his/her bluff and prepare to file suit for wrongful termination if you do get fired. I personally would never give that info away, nor would I trust a sealed envelope as the security measure to keep people honest (sealed envelopes can be opened and resealed, if you know how, or a new envelope sealed with a forged signature). Even the seemingly nicest of bosses could simply be putting on an act until they turn on you and frame you for something. I witnessed something similar, except instead of a sealed envelope containing a password, it was a disk containing a backup copy of encryption keys. The fallout wasn't pretty and the manager got fired after the discs and data were stolen. Unsurprisingly, the fired manager never got another job, never had money problems and a competitor came to market first with the very project we had been working on. Prior to the theft, our competitor didn't even have a similar product. Be careful and think about my advice. That sounds very suspicious to me and so often in these times, the friendliest/nicest people turn out to be the most venomous snakes.

Trust None
3

This is unfortunately common in small companies using cloud services, without having a business relationship with the cloud provider.

Mark the envelope to make it a bit more tamper proof, that's it. A former company of mine still uses my personal e-Mail address in their domain; they never managed to change their domain registration after I left.

Change the password frequently, and hand in new envelopes every time. They would need to produce all old envelopes too, so they can prove they haven't opened one, since most online services won't provide an audit trail. So you can always stand upright, innocent.

3

Let's call it what it is: a workaround for lack of proper access control. The real solution is to fix/improve access control.

Specifically, here: Why can't your boss access the things you can access with his own account?

The only purpose of credentials is to authenticate an identity. If we break that, they become useless. You might as well remove the concept of an "account" and use shared secrets for everything.

So as an alternative to outright refusing, attempting to convince him to tackle the root issue (which probably appeared because of a misunderstanding) might be worthwhile. If argued right, this shouldn't create friction: the ultimate result is a safer system for everyone.

tne
2

Never happened to me in any company I was in.

In such a case, I would put in the envelope a message saying "In case of emergency call me on my mobile number".

In case of emergency, I can spell the password over the phone and be informed that it was used - and my boss could do anything needed. So it is all he needs.

If the envelope is misused/stolen/scanned/broken - it would not let anyone impersonate me.

schroeder
gilhad
  • What if the emergency is death? How do you answer the call then? – 200_success Feb 04 '16 at 00:33
  • Then the password would be found in an envelope with the name of my boss/company in the box with other documents like marriage certificate, lend-a-house and such (as I do not want to forget it, I need to have it written somewhere). (usual bills for gas, electricity etc are in another box) - death is so special a case, that having to ask my wife to open the envelope is not way off – gilhad Feb 04 '16 at 09:32
1

The very existence of the envelope protects you from any nefarious doings by your boss. In general, you don't need to prove your innocence. Someone else needs to prove your guilt. And that is going to be quite hard if it is well known that someone else has access to the incriminating account. If you are really worried about it, just sign the envelope wonky. Then, if your boss does manage to read the password through the envelope to do something nefarious, you can refute the validity of the envelope itself.

Side notes:

  1. This is not common practice in any large company, but I can see how it would make sense to someone trying to run a small company. In fact, I have heard of several small companies that ran into trouble when a key resource left without disclosing the passwords to various software.
  2. If you ever want to commit a crime using your account, be sure lots of other people have access to your password first.
Benoit Esnard
james turner
1

It's a big lie - no one needs your pass to access your account; there are administrative accounts just to fit this purpose. Even more - it's not a common practice except for cheaters wishing to blame you and reduce/remove your payroll. Neither your pass, nor your certificate(s), are required for an Administrator to take a look at your full account.

Alexey Vesnin
0

If you're worried about your boss opening the envelope, using your password for deeds of nefarious do, and then resealing your password in a new envelope and forging your signature, then just splatter a bit of paint, Jackson Pollock style, on the envelope after you sign right across the glued area, and then take a few very high resolution photos of the envelope to easily identify any attempted Pollock forgeries. Just be sure to also protect the password from any visible, infrared, x-ray, gamma ray, or any other form of peeping radiation that may allow your boss to read your password without opening the envelope, by enclosing your password in a thick lead case before putting it into the envelope.

Of course, you will also have to worry that he had a camera recording you as you wrote the password down in the first place. In that case, make sure you've done all of that at home and that he has never had access to your home.

I think that covers it.

EDIT:

Except of course if your boss rips the envelope open, performs the nefarious deeds, and then starts a severe toaster fire in the snack room next door on the same day that the security cameras are being repaired and are offline, thereby burning up all the password envelopes and absolving himself of any suspicion. So I suggest you spray down the entire room and neighboring rooms with a flame retardant foam. That should solve your problem.

0

This actually depends on both the country and/or state laws where you live. This is more of a question for employment law than it is a cyber security question.

The reason that this is an employment law question is that it depends on the size of the organization, the data and system in question, the general employment contract, and the company policies.

Companies can and do write this into employment contracts. Generally, your employee handbook will explain what data or information systems belong to them, or have clauses in their general company policy that describe what information systems belong to them. If they own the system in question, depending on what the system is being used for, they not only have the right to your password, they are legally allowed to do whatever they want with your password, the data involved with the system, and anything in between, all in accordance with the federal, state, and local laws within your jurisdiction.

This is why companies can enforce the use of proxies in order to record information. However, if the system in question is not owned by their organization and you are using their network, then it becomes a grey area because of privacy laws.

The only way to prevent this is the following:

1) In short, you as an employee, can not prevent this, if they own the information/data and the system of which you have access to.

2) Read your employee handbook, your employment contract, and specifically ask what information and data are specifically owned by the company. This includes everything from your ideas, your invention assignment agreement, and any personal information that you consider private.

3) Separate personal use from corporate use. If the company provides you with a laptop, or an information system for you to use, do not use it for personal use. This is the area that becomes grey. For instance, if you published corporate secrets on facebook, whether it's on your personal computer or theirs, they may still own the data.

  • Information security is about more than just computer related topics. I feel the question meets all four bullet points listed in the help center for the [What background should I give in my question?](http://security.stackexchange.com/help/on-topic) section of what's on topic. – Booga Roo Feb 14 '16 at 05:32
-1

I would say this is typical, and used fairly commonly in the industry. Not the exact same way though.

Many companies use password managers where they can access employees' passwords, and passwords can be shared between employees. This is mostly for logging into 3rd party services that don't support individual user accounts.

This would specifically only be for company related logins though. No personal logins should have this.

Petah