IT workers are usually trusted by their family members, who readily share passwords (Facebook, email, Twitter, you name it!) so they can get easy help setting whatever parameter they can't find, or an explanation of a challenging situation.

I always try to convince them and explain why this is a bad practice and that I do not want to know their password. However, I usually fall short of arguments when I get the answer "But I know I can trust you" or "I know that you will not use this for evil acts", to which I can't really reply "You don't know", as it would imply they can't trust me (remember, they are family members).

What list of arguments (the longer, the better) do you use to explain the risks of such a bad practice?


Here is my own small list:

  • That's a bad practice and you should not trust anyone with it.
  • That's not respectful of the people sharing intimacy with you (you gave me your Facebook password, so I now have access to all the very personal details of people who trust you and not me).
  • That's a responsibility I do not want you to force on me.
  • If I use this password carelessly (i.e., without checking over my shoulder), someone can read this password and I would be the one who leaked it.

Most of them usually don't understand, become suspicious, or just assume that we are paranoid.


Please avoid cases where harm is done using the passwords. While this is mostly funny or creative, it does not answer my question, where people trust you and this must be kept as is. Note, though, that the comments suggesting you didn't realize they'd find what you did a problem, or changing the password to a secure one and sending the password reset link, are somehow valid in a way ;)

Matthew Peters
Auzias
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/46306/discussion-on-question-by-auzias-convince-people-not-to-share-their-password-wit). – Rory Alsop Oct 04 '16 at 16:04

26 Answers

The nice and educational way

This is a bit similar to your third bullet point.

Nobody else should know your password, not even people you trust. That is the only way you can be sure only you have access to your account. Let's say you give me your Facebook password and a week later rumors start spreading about what you did in Las Vegas last year.

Only a few people you trust know that, and, well, potentially me, since I have your Facebook password. If that happens, I do not want to be a suspect. I do not want to be in a position where every privacy-related incident that happens to you could have been because of me.

Giving information they should not have to people you trust can end up destroying that trust instead of reinforcing it.

If countered with "but I really do trust you completely", highlight that the person also completely trusts Eve and Mark, the only two people in the world who know about the Vegas incident, and that if the word gets out, clearly someone trusted must have broken the trust. A key message is this:

I do not want to be party to all your secrets.

If need be, make up a white lie about a friend of yours who got in trouble in a similar scenario to make it more concrete.

The not so nice and educational way

To teach people not to share their password, I post all passwords people give to me on Twitter. No exceptions. If you give me your Facebook password, within five minutes it will be on Twitter together with your username. [Open up Twitter and get ready to type.]

If you still want to give it to me, that is fine, but you have been warned.

This is probably not a good idea since you should not make threats you are not prepared to deliver on, and you should not deliver on this threat. But sometimes I am tempted...

Reversing the roles

Sometimes it is easier to understand someone else's position if you reverse the roles. Give the person a sealed envelope and say this:

This envelope contains a piece of information that would completely ruin my career, my marriage, my life if it ever came out. You must hold on to this envelope forever, and make sure that nobody - including you - ever sees what is inside.

But don't worry, I trust you completely.

When they refuse to take the envelope, explain that you don't want their Facebook password either.

Anders
  • Haha! I like the not-so-nice way. As for the educational one, I sometimes go this way, but the argument "I know I can trust you" or "I know that you will not use this for evil acts" makes it void. – Auzias Sep 26 '16 at 09:13
  • I don't understand the purpose of the "not so nice way". It deters them from sharing the password with me, sure, but why would I do it like that? Its sentiment is not too different from saying "If you give me your password, I will hit you with a hammer". Or are you saying that you are aggressively terrible at keeping secrets? Is the point to just avoid them sharing? I don't think they will understand *why* you don't want to know their password. – mafu Sep 26 '16 at 11:35
  • I guess I am only half serious here. I guess the intended message is "trust no one", but you might be right that that is not what comes across... – Anders Sep 26 '16 at 12:12
  • @mafu: I think the gist of the "not so nice way" is to respond to their argument "but I trust you completely" with a statement "I am not trustworthy, your judgement to trust me completely is wrong". But of course, as Anders points out, it falls down when they realise you won't really do it, so they might continue to trust you completely, and not learn the lesson. It's difficult to convey that although you're basically trustworthy, they *still* shouldn't give you their password. – Steve Jessop Sep 26 '16 at 13:22
  • I love the third variation of reversing roles. I have read it twice to memorize it and I hope I'll be able to use it at least once in my life. – Chris Sep 26 '16 at 20:17
  • @Anders I don't *want* to be or sound untrustworthy. I am trustworthy and sincere, but I *still* don't want to know your password. -- That is the problem I see with the way this is presented at the moment. Of course your suggestion is a solution to the problem, but not one I'd like to take, personally. Of course, if someone is fine with its implications, they may use it very successfully. – mafu Sep 26 '16 at 22:32
  • +1, mostly for the last part, about the envelope. – Fiksdal Sep 26 '16 at 23:04
  • You assume that these people have secrets worth hiding, I suppose. – scrowler Sep 27 '16 at 10:31
  • @Chris: Just tried it, my mom quickly opened the envelope and wondered why the pages were empty :/ – PlasmaHH Sep 28 '16 at 15:55
  • @PlasmaHH: Mums do not fit in the standard model ^^ this envelope trick is usable with almost everyone else – Olivier Dulac Sep 29 '16 at 11:12
  • @PlasmaHH Actually, that perfectly illustrates the point of the role-reversal: You asked them not to open it, and yet *they could not resist opening it anyway*! They have proven your point that even someone you trust can be tempted! – Cronax Sep 29 '16 at 12:26
  • @OlivierDulac I think you mistake human nature; [the forbidden is always the most tempting](https://en.wikiquote.org/wiki/Beauty_and_the_Beast_(1991_film)) – Izkata Sep 29 '16 at 20:53
  • @PlasmaHH lol, why did you make an actual envelope? Present it as a thought experiment instead. – dbanet Sep 30 '16 at 01:33
  • I would think a lot of people won't understand the second method either. They'll either go "why did you do that? I HATE YOU! YOU RUINED MY LIFE!" etc., or they'll do nothing and wonder a week later why they can't log into Facebook. Either way they still won't think about security. – user253751 Sep 30 '16 at 02:53
  • @dbanet: why not? It isn't as if this was expensive or so. And often people react quite differently in a thought experiment than when confronted with the real situation – PlasmaHH Sep 30 '16 at 06:54
  • @immibis I do not suggest that you should actually post anything on Twitter, so nobody's life will be ruined. – Anders Sep 30 '16 at 07:11
  • If you do the envelope thing, best to have a page in it that says in giant letters THIS IS WHY YOU SHOULD NOT GIVE YOUR PASSWORDS TO ANYONE, NOT EVEN ME. – Jasmijn Sep 30 '16 at 17:36
  • @Robin I think they'll still be confused. – user253751 Oct 01 '16 at 01:33
  • [Don't spill anything on that envelope!](https://bitcoinpaperwallet.com/images/water-damage.jpg) – k-l Oct 03 '16 at 15:50
This post is about communication with people that have absolutely no technical knowledge or interest; especially people afraid of technology.

Don't explain, don't complain

It is incredibly hard to change other people, especially if they are IT laymen and you are the expert.

This is the same issue as in general communications. Avoid all sentences that somehow contain "you", and stick to "I". They cannot argue against "I".

Example:

  • They: "Here is my password, please configure my Facebook account for me."
  • You: "No, I never take passwords from other people. But if you log in, I'll show you."
  • While they type it in, pointedly look away.

It is as simple as that. It's the same as being a parent/teacher, you don't always have to explain everything in great detail. Do it by example.

Corollary

IT laymen are often not interested in actual technical or security-technical reasons at all. It confuses them (because they have no technical background), and they have already been told lots of confusing and alarming things about IT security by their TV or newspapers. So trying to force some explanation on them does nothing for your cause. It will not help them, and it will not help you. Of course you can try to explain things if they actually are genuinely interested (in very simple words), but I have found over the years that even trying to explain something in this case can do more harm than not. I will usually explain stuff in very easy similes (e.g. email <=> snail mail) and not go into specifics at all.

AnoE
  • Having seen my share of eyes starting to glaze over when I get to talking about technical detail, I think this is the best answer. Let them ASK for the reason if they want it, otherwise just set the example. They obviously trust your technical knowledge, so now when they ask someone else for help they should expect the same treatment. – Ben Sep 26 '16 at 16:58
  • "If you login I'll show you" only works with relatives you live with, not your grandma who calls you from Dodgeville. Spelling out for her all the menus and buttons she has to click will be torture for both of you. – Dmitry Grigoryev Sep 27 '16 at 08:41
  • @DmitryGrigoryev: Use a remote screenshare tool if possible in that situation. Doesn't cover everything, but helps remove a barrier, and sets you up to train, not just fix. – Neil Slater Sep 27 '16 at 09:05
  • @NeilSlater That is actually great advice! Saying "I can help you, but you need to install a screenshare tool" sounds like a socially acceptable way to refuse to help. – Dmitry Grigoryev Sep 27 '16 at 16:55
  • @DmitryGrigoryev: Skype, Google Hangouts and other chat apps don't require additional installs to show the screen, and are exactly the kinds of apps you will find your grandma has access to. You cannot remote-control with those apps, but you can discuss and train whilst being able to see what is going on, and most importantly you don't need the password. – Neil Slater Sep 27 '16 at 16:59
  • I use a similar answer when people try to give me a copy of some copyrighted material, like a song. I ask them to let me listen on their device and tell them that if I like it, I will buy my own copy. – Ralph Sep 28 '16 at 12:46
  • VSee *does* have remote control. – JDługosz Sep 29 '16 at 21:16
  • The problem with using a screenshare tool that enables remote control (or even ANY tool that wasn't already installed) is that you're teaching the habit of giving remote control and arbitrary code execution to people they wouldn't give their Facebook password to. In my experience it's best to stick with what's already installed, or get creative. It's been more than once that I've remotely read crash logs via FaceTime or multiple picture messages. Especially if your family member types URLs in the search bar and gets back several untrusted download links they can't tell are untrustworthy... – newcoder Sep 30 '16 at 09:13
  • Interesting. Would I be correct in summarising your point as "Avoid any arguments that would come with explaining your reasons and simply train them, Pavlovian style, that this is what good IT professionals (/unpaid relatives) do in this situation until they stop giving out passwords?" – Lilienthal Sep 30 '16 at 10:35
  • No, that would not be correct, @Lilienthal (assuming you mean my answer and not one of the comments). – AnoE Sep 30 '16 at 10:46
  • @AnoE Perhaps I read too much into it. Would you say that you shouldn't bother explaining because it's not really your place to? – Lilienthal Sep 30 '16 at 12:39
  • @Lilienthal, no, I do not intend to imply any kind of inferior/superior relationship between the people involved. I.e., I as an expert am in no way "better" than them, nor am I "lower". Non-technical people are often non-technical because the topic does not interest them; it has never interested them, and it will not in the future. In situations where I am helping them (for free), explanations simply do not work. Simply refusing the password, and doing what we know is right, should be enough in such a situation, and *much* better than petty evil acts or whatever else has been suggested. – AnoE Sep 30 '16 at 14:05
  • Let's not forget that if someone gives you their Facebook, Google, Twitter etc. password, you could then use OAuth logins on various sites and services. If one wanted to do a little harmless(?) teaching, you could register them for a bunch of different silly services, games, etc. that spam them with notifications. – Chris Cirefice Oct 01 '16 at 18:06
Funnily enough, I actually don't accept your premise. As an IT professional you can read other people's emails and other communication, delete their directories etc. It is part of the professional code of conduct not to abuse your position. People trust your integrity, the same way they trust their bank's employees not to steal their money, although they could.

Disclosing passwords to IT professionals falls in the same category as disclosing your earnings to your tax adviser or your health issues to your doctor. We are professionals that people come to in order to get problems fixed; that often cannot be done without passing on sensitive information.

Edit: Family members whose rooms you have access to must fully trust you in any case because of the old rule that a system to which an adversary has physical access cannot be reliably protected. It would be comparatively easy for you to install a keylogger or monitor their WLAN traffic. In effect, they trust you already with their passwords, whether you like it or not.

If you don't want to handle your family members' IT problems (the same way you wouldn't want to do their taxes if you were an accountant, or advise them on their health problems if you were a doctor), and that is the issue, come forward and say so. It is a problem we all face.

On a friendlier note your posting this question makes me trust you, paradoxically :-).

  • The "trusted people" can apply to people who are not the OP, and not IT professionals. What then? – topher Sep 27 '16 at 10:09
  • @topher The question starts with "**IT workers** are usually trusted by their family members..." and concludes asking "What list of arguments ... do **you** use ...". What to do in the *general case* is a wide field where parts of my argument may or may not apply... Passwords are, generally speaking, not different from other sensitive data which can be abused, and should be handled with comparable care. Not more, and not less. Like, do you give family members the keys to your house? Your car? Your credit card? Would you *accept* any of those? – Peter - Reinstate Monica Sep 27 '16 at 10:38
  • I +1ed this, but I agree with the OP's premise that they shouldn't give IT people passwords. The reason is that being in the habit of sharing passwords provides a new threat vector: the user now has to distinguish between legitimate IT professionals and illegitimate ones. By making it clear that *IT professionals do not need your password*, they train the user to be alarmed if someone ever asks for it. This is a *good* thing, and I think it is professionally unethical to shirk the responsibility of training people in good habits. – jpmc26 Sep 28 '16 at 17:42
  • @jpmc26 You should make that an answer, it is the best reason not to share passwords I've seen on this page so far. – eirikdaude Sep 29 '16 at 09:56
  • @jpmc26 I see your point and partly agree. But I think that some IT assistance is easier delivered when the IT person can just log on to the user's account and do stuff (web mail setup, server configuration, even online banking ...). Many examples in other answers involve the user logging on and the IT person then using that session, but that's hard or impossible remotely. And my general idea holds here as well: If you have bad judgement in whom to trust, you are in trouble anyway. – Peter - Reinstate Monica Sep 29 '16 at 10:07
  • @PeterA.Schneider There should still be a way to do that without having to use that user's personal password. Our system calls it masquerading. – Izkata Sep 29 '16 at 21:03
  • @Izkata Yeah, there should, but usually, there isn't. – user253751 Sep 30 '16 at 02:56
  • I highly disagree with this, but I suppose it depends on the company. For most companies I've worked for, if someone from IT requested another employee's password, they'd be reported. If I worked for a company where IT had access to my emails, files, or password, I would quit the first day, and I can't imagine many companies allowing IT unrestricted access like you seem to describe. Either they have access but everything is explicitly logged in detail, or they do not have access and would have the employee log in and oversee it in person. – michael Sep 30 '16 at 06:09
  • @michael Re "If I worked...": Does "Snowden" ring a bell? You have never been root on a mail or web server? Or only on one where the disks and all traffic were encrypted? Even if -- the admin usually can reset people's passwords (even if he can't retrieve them) and thus reset them temporarily, and then set them back. Whatever. It's hard to prevent root from spying. (It is true though that corporate IT usually doesn't need a password -- but that is because *they are running the frigging servers!*) And besides, **the question was about family members,** not secure corporate installations. – Peter - Reinstate Monica Sep 30 '16 at 06:57
  • @michael So, no, Mark Zuckerberg doesn't need your password to change your Facebook account settings, and Joel doesn't need your SO password to change or delete your account or read your deleted posts here. If you don't like that, don't use Facebook or SO. I, on the other hand, do need your password for that because I don't run those servers. – Peter - Reinstate Monica Sep 30 '16 at 07:02
  • @michael I conclude from your comment that you do not work in IT or have a good understanding of how mail servers or databases work – Darren H Oct 01 '16 at 09:23
  • I wholeheartedly disagree. Having access to the same resources should not be equated to breaching the identity promise that passwords provide. It's *your* password that identifies *you*; if someone else changes something, *their* name should appear in the log. – transistor09 Oct 01 '16 at 09:55
  • @DarrenH I've worked in IT, email servers, and databases, so if anyone doesn't have any idea how they work, you clearly have no idea how to set one up securely. And you're right, the question was about family members, but I was specifically responding to "Disclosing passwords to IT professionals falls in the same category as disclosing your earnings to your tax adviser or your health issues to your doctor." If a family member or friend is coming to you, they're coming to you as a family member or friend who is tech savvy, not an "IT professional". – michael Oct 24 '16 at 05:50
  • Unless you're working at a small startup, no decent sized company grants unrestricted and unlogged access to an employee. I'm not debating whether or not having root on a server or database could get around needing someone's password; my point is, if you work for a company where anyone in IT can spoof you without a trace, wow. There are rarely, if ever, times where having the user tell you their password is necessary. If you think it's necessary, I'd highly question you being an "IT professional". – michael Oct 24 '16 at 05:57
  • @michael Is the NSA "decent sized" enough? (And paranoid enough about security, and resourceful enough?) – Peter - Reinstate Monica Oct 24 '16 at 06:54
Just change the password after you're done helping them, and send them a password reset link. They will soon learn that it's easier to keep their passwords safe than to restore them.

Alternatively (e.g. for a primary e-mail account), simply change their password to a strong one and communicate it to them. Explain that changing passwords and using computer generated passwords is recommended. Either they will learn to keep the password for themselves, or at least you'll teach them some good practices.

Dmitry Grigoryev
  • Changing the password combined with a password reset is harmless (IMO) and educational. I like it! – Auzias Sep 26 '16 at 13:09
  • I think it's rude and possibly illegal to change someone else's password on a third party system without their permission, and in any case they might reset it back to the same as it was before, or something very similar. – bdsl Sep 26 '16 at 13:10
  • @bdsl well guess what - it's illegal to log in with someone else's password to begin with. If the OP has the kind of relatives who may sue him, he should stay a mile away from them. – Dmitry Grigoryev Sep 26 '16 at 13:20
  • For the love of god, if you do this please hold on to the password you set it to until they verify they are able to get into the email they have their account set up with; you could possibly permanently lock them out of something if they don't know their email password -- Usually this wouldn't be a risk, but if they're the type who give everyone passwords they aren't tech savvy, and if they aren't tech savvy I assume nothing but the worst. – Captain Man Sep 26 '16 at 15:56
  • @CaptainMan Or don't. A dance with Facebook customer support to retrieve a lost account would be very instructive indeed. – Williham Totland Sep 26 '16 at 16:22
  • @WillihamTotland the problem is that that class of person would probably just create another account. They don't care about the TOS – Wilhelm Erasmus Sep 26 '16 at 20:07
  • @CaptainMan Wait, you mean if you give someone your password, something bad *may* happen to your account? – Pierre Arlaud Sep 27 '16 at 07:53
  • @CaptainMan: If you are holding onto the new password, then what has been accomplished with a password reset? – dotancohen Sep 27 '16 at 10:30
  • @dotancohen Password reset provides the opportunity to change it, so that the password known to the OP is no longer valid. – Dmitry Grigoryev Sep 27 '16 at 10:49
  • @dotancohen Alternatively you could just generate a random password (which is hard to remember) and write it down, give it to the owner of the account, and once they've confirmed that they've got it then you can destroy your written copy (and won't remember the password because it is random). – Micheal Johnson Sep 27 '16 at 17:33
  • @WillihamTotland more likely, your relative would make *you* perform such a dance for them. – Ángel Oct 04 '16 at 10:32
Knowledge leads to responsibility. Imagine you gave me your password...

I have to keep your password (which happens to be beerbar2) a secret. The next time I'm at the beer bar, I must actively avoid thinking about it, because I might accidentally spill it out. This is mentally taxing on me. That I might drink a beer in that situation is not helpful, either.

I must also be careful not to confuse it with the password of my other friend, who chose barbear3 and regularly forgets it, so I have to send him his password again.

Finally, if my computer ever gets infected with some nasty information extractor, your password ends up being collateral. I'm probably more careful than you are about those things, but it is obvious that the surface increases.

So, yeah, we trust each other at a certain level, but unless our bond is so close that we regularly use each other's accounts, I don't want to have to bear this additional responsibility, and you don't want the password to be less secure, which it is by definition once shared.

My point is that explaining to someone that password sharing is a bad idea does not require eroding trust, which seems to be implied by another answer.

mafu
One thing you might consider trying is, "If you trust me, then trust me when I say that you shouldn't give your password to ANYONE."

Pete Danes
Don't give them the opportunity to give you their passwords.

For one thing, never do tech support "free for family" over the phone. That's a quick way of ruining a good relationship. Only ever do tech support in person. Then, when the login screen comes up, pass the keyboard over to them. Let them enter the password.

dotancohen
  • Refusing tech support over the phone is an even quicker way. – Dmitry Grigoryev Sep 27 '16 at 08:50
  • Refusing tech support altogether is the quickest way. – Aloha Sep 27 '16 at 15:09
  • @Cunningham'sLawyer I didn't mean to advise how to ruin relationships quickly (in which case I'd go with simply saying "I hate you"). I meant to say that refusing tech support over the phone is not always desirable. – Dmitry Grigoryev Sep 27 '16 at 16:48
  • Wait, what? If they give you the password, it effectively stops being phone support (which is a troublesome process, I suppose) and you can diagnose/fix remotely with much less effort. – kubanczyk Sep 28 '16 at 08:51
What else are they giving you access to?

Someone who's willing to share passwords probably has the same password for everything. By giving you the Facebook password, they've also given you access to every email they've ever sent, online banking, online retirement accounts, etc.

Hopefully the mention of their financial security would be enough to dissuade them.

David Yaw
  • Granted, all passwords will be based on their birthday, but they are often different. You'll have to guess which separator they used for banking and whether they spelled the month or not ;) – Dmitry Grigoryev Sep 27 '16 at 08:48
Offer them an alternative.

People are giving you their password for a reason. They want you to do something with it. Find out what it is, and find another way to do that.

  1. They want you to log on and "do" something for them? Fix, post, explain?

Have them log on instead, and help them afterwards. Use Remote Assistance or TeamViewer to take over their screen, or, easily enough, just Skype to share the screen and tell them where to click.

  2. They want you to have the password in case they can't access a computer and the account needs work? Might be in case of death or illness, or just a coworker during vacation time.

First of all, same principle: try finding another way to do what it is they want you to do. Memorialize the Facebook wall - there are procedures for that. For a co-worker, maybe the IT department can give you the same rights to do what he can?

Second, find an alternative to having the password: have them put it in their will, or in a vault where you can access it but they'll see you have done so when it happens.

Konerak
  • Doing so does not _teach_ them why this is a bad practice. – Auzias Sep 27 '16 at 06:45
  • You can teach them all you want, but they'll always evaluate the benefits from sharing against the risks from sharing. You teach them about the risks. My approach tries to also give them the benefits, without the risk. Combine with your teachings for the solution, imho. My objection to security.se is that too often people think "just" in security, while security and usability go hand in hand. One must guard both, else people give up security because they still have to fulfill their needs... – Konerak Sep 27 '16 at 07:10
  • I see and I agree, let's just say that this (good) solution does not solve the issue exposed in the question but tackles it. – Auzias Sep 27 '16 at 07:30
  • Ah, no problem. I tend to think outside the box a bit. If someone asks "how can I teach my kid not to eat meat", I won't only say "explain animals feel pain and have a right to live" but also "give him something else". How can you expect people to not do A if you don't offer an alternative B? – Konerak Sep 27 '16 at 07:57
  • Q: How can you expect people to not do A if you don't offer an alternative B? A: by making them understand the risk of doing A. No problem for thinking out of the box, don't worry ;) – Auzias Sep 27 '16 at 08:15
  • @Auzias: Taking on risks *unnecessarily* is bad practice. A key part of showing that taking on a particular risk would be bad practice would be showing that it is unnecessary. Too bad a lot of web sites do far less than they could to make such things unnecessary (e.g. allowing user "fred" to create an alternate login "fred-xyz" with its own password and configurable authority to do various actions). – supercat Sep 27 '16 at 20:24
  • @Auzias So you have two options: "do and give your password", or "don't and don't give your password". The second is not a viable option because it doesn't get done. Now, if there was a third option, "do and don't give your password", then they could choose that, but if there isn't, the first one will have to do. – user253751 Sep 30 '16 at 03:03
  • @immibis: Exactly. If the owner of an account can revocably authorize someone with secondary credentials to have abilities of the account holder's choice, then there would be little reason for an account holder to release the primary credentials. If someone wants to allow a spouse to read and respond to emails, but the email provider doesn't allow an account to have two sets of access credentials, how should such ability be handled without sharing a password? – supercat Oct 02 '16 at 16:45
  • Secondary credentials can work for some use cases (your mail-sharing example is a perfect example), but seldom when the person needs technical help - they'd probably need help setting up the secondary credentials as well. – Konerak Oct 03 '16 at 06:32
Once I was given a master-key to a building as part of my work and was showing it off proudly to my manager. He said that he refused to have one. When I asked why, he said that although it was useful, if something, such as a burglary, happened in any of the locked offices then those people who held the master key would be under suspicion and he didn't want that responsibility.

I think the same is true for family members sharing a password: everyone who has the password is now jointly responsible for anything that happens with that account. So it really depends on what you can do with the account. Posting to Facebook, Twitter etc. could destroy a person's reputation. Shopping sites and anything to do with money could be used fraudulently. So not having the password actually lessens the risk that you get involved in something relating to that account done by someone else who is also a password holder.

Stuart Woodward
  • 173
  • 1
  • 1
  • 6
  • 1
    I totally agree with you; nevertheless, my family members "_trust_ me and know that, if something goes wrong, I will not be under suspicion" :/ – Auzias Sep 28 '16 at 06:20
  • True, but this is a rather different situation from helping out Uncle Harry. – Casey Sep 30 '16 at 13:30
4

You increase your legal liability

In the case of financial applications (such as online banking), sharing passwords may result in you surrendering certain rights of recovery should fraud occur.

You might breach your terms of use

Sharing your online password may be considered a breach of your end user agreement.

You may be violating the law

Sharing passwords may be a federal crime in some cases.

John Wu
  • 9,101
  • 1
  • 28
  • 39
4

For these kinds of situations, I usually say that "I have a personal policy of X".

Example:

"I have a personal policy of not knowing other people's passwords."

If they ask why, I'll reply:

"It's simply a personal decision."

If they still insist (not common), it's up to you to provide an in-depth explanation. In that case, the suggestions from other answers come in handy. As for myself, more often than not, I'll just say:

"I'd rather avoid discussing that."

Marc.2377
  • 594
  • 3
  • 10
2

Your passwords are private. And like other private information about you, I simply don't want to know it.

I wouldn't discuss this a lot; I'd rather state that I simply don't want to get this information and ask them to type it in themselves.

Lukas
  • 3,138
  • 1
  • 15
  • 20
2

Identity.

Obviously security is the most pressing concern, but before security can be enforced, one has to enforce identification. Passwords protect by identifying a user, letting them in and no one else; that's why they are usually paired with a username. Therefore they serve the same purpose as your ID or passport.

You don't share your ID, because it would defeat the purpose of having one. It's like having plastic surgery on your face and using your friend's ID.

For exactly this reason most online services also state in their EULAs that sharing access to your account is not allowed, and could potentially lead to the account being terminated.

r41n
  • 176
  • 3
  • Plenty of people share their IDs for the same reason they share their passwords. – user253751 Sep 28 '16 at 01:31
  • This will fail because passwords are typically used in a user/password combination, and the mental model in the head is that "user" is the identification part. Common users do NOT associate a password with identity. – Tom Oct 04 '16 at 15:19
  • Well, the issue is to change the mental model of common users: make them understand why they should not share their passwords. If they change their mental model they understand that their identity is not only the username, but the combination of both. In the end, there are plenty of unreasonable, outright stupid, people out there. If someone doesn't understand that the concept of identity goes way beyond trust, there is no point in wasting time on that person, they will not get the point anyway. – r41n Oct 05 '16 at 08:11
2

Just convince them to make the password literally be some embarrassing fact about themselves. It will likely be more secure than the typical "myname1995" passwords, be less forgettable, and they won't want to share it with anyone due to what it says! Make it a phrase like "I am in love with my best friend", eeek, do you really want to say that out loud!? (though I wouldn't make it too sensitive out of fear of some nefarious server transmitting/storing it in plain text and it ending up out in the open that way... but strike the right balance)

Then, of course, point out that what it leads to likely holds even more embarrassing secrets that are really easy to accidentally see, even without intention. Imagine your tech guy being logged into your Facebook right at the time your best friend sends you some personal message on the chat. It literally pops up; it's hard not to at least glance at the text.

2

Many a Time, One Means All

Explain to them that giving just this one password is going to make it easy for you to guess the passwords of other accounts. Most people use the same password everywhere or a slight variation depending on the website.

What do I mean by slight variation?
Say your brother John wants to give you the password to his Paypal account and his password is "PJkfadkf!1". If you have a few other passwords of his you can easily guess that P stands for Paypal and J for John. So by that logic his Facebook password would be "FJkfadkf!1".


Loads of Tools and Clutter

Explain to them that you're an IT professional and you use a lot of tools. It isn't humanly possible to keep track of all the detailed aspects of every tool. If any of those tools infect your computer with a virus/malware you'd be putting them at risk. Then explain the first point to them.

They probably will realise that they're potentially giving access to all their online accounts in case you accidentally misplace their password.


If he/she's younger than you, you can be a little firm and deny taking their password.

You need not be rude.


Alternative approaches that will enable you to take passwords.

Use one-time measures wherever possible. Example: take a one-time password.

This way you cannot harm them in any way. I've also seen many websites that provide an alternative way to login via links in emails. Perhaps you could use those as well.


If you need to take their password, ask them to change it and then give it to you.

Do not forget to tell them to change it after you're done using their account.
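The "one-time" alternative above, and the earlier comment wishing for revocable secondary credentials, both describe the same mechanism: the service issues the helper a short-lived, single-use, scoped credential instead of the owner handing over the real password. The block below is an added illustration, not code from the answer or from any named service; the function names, the 15-minute lifetime and the in-memory store are assumptions chosen for the example.

```python
# Added example (not from the answer above): a minimal one-time, expiring
# "helper access" token of the kind a service could issue so that a helper
# never learns the account holder's real password. Names, the TTL and the
# in-memory store are assumptions for illustration only.
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60               # assumed: a helper link lives 15 minutes
_SERVER_SECRET = secrets.token_bytes(32)  # assumed: per-deployment secret

# The store keeps only a keyed hash of each token, never the token itself,
# so a leaked store does not yield usable tokens.
_issued: Dict[str, dict] = {}


def _digest(token: str) -> str:
    return hmac.new(_SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_helper_token(account: str, scope: str, now: Optional[float] = None) -> str:
    """Create a single-use token bound to one account and one task (scope).
    The real password is never involved; the owner can issue and revoke this
    without sharing anything permanent."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _issued[_digest(token)] = {
        "account": account,
        "scope": scope,
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def redeem_helper_token(token: str, account: str, scope: str,
                        now: Optional[float] = None) -> bool:
    """Accept the token exactly once, only before expiry, and only for the
    account and scope it was issued for. Every failure path returns False
    without revealing which check failed."""
    now = time.time() if now is None else now
    rec = _issued.get(_digest(token))
    if rec is None:
        return False
    if rec["used"] or now > rec["expires"]:
        return False
    same_account = hmac.compare_digest(rec["account"].encode(), account.encode())
    same_scope = hmac.compare_digest(rec["scope"].encode(), scope.encode())
    if not (same_account and same_scope):
        return False
    rec["used"] = True  # burn it: a second presentation is refused
    return True


def revoke_helper_token(token: str) -> bool:
    """Owner-side revocation: delete the record so the token can no longer be redeemed."""
    return _issued.pop(_digest(token), None) is not None
```

The point for the family conversation is the contrast: the helper's credential is scoped to one task, dies on first use or after a few minutes, and can be revoked by the owner, whereas a shared password is none of those things. Where a service offers email login links or similar one-time access, that is the option to prefer over handing over the password itself.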

2

I usually go "Please, please share your Facebook credentials with me, so I can write posts; you know I don't have my own Facebook account". This works very well; at least, everybody has refused so far.

Tero Lahtinen
  • 267
  • 2
  • 6
1

Remind them that they are responsible for everything that happens using their password, regardless of who actually did it, and that you would prefer not to put your reputation at risk should anything go wrong.

Paul Smith
  • 123
  • 2
1

If more than one trusted person knows your password, they are more or less anonymous. In other words, if you tell three people your password and one abuses it, then you can't blame anyone, because it's impossible to know which of the three people abused it, or it's really hard to find out.

Additionally, hackers may ruin your relationship even if you just share it with one person, because most people don't believe they are ever hacked, so they will be more likely to blame that one person who knows their password than their own behaviour.

Kind of like people are more likely to say: "My computer is slow ever since you installed that video game, Tom; this has nothing to do with me installing 50 toolbars with every installation of freeware on my computer and clicking every ad on the internet."

Than they are to say: "Wow, those toolbars I installed really slowed my computer down, and thanks for that video game, Tom."

HopefullyHelpful
  • 1,254
  • 1
  • 12
  • 17
1

My usual answer is to stop them immediately and say

I don't want to know.

So the real question asked here follows, as to the why. These are normal people I'm talking to, so if I go into InfoSec specifics, I'll likely have to give a huge speech, which typically neither they nor I want.

The shortest answer that I've found that satisfies most people is something along the lines of:

I want to be sure that if something happens to your account, you know for sure that it wasn't me. I know you trust me and I appreciate it, but if there is a problem, we will both feel better if we know for certain. And anyway, you should always keep your personal passwords to yourself, it's a good habit and will certainly save you trouble one day.

There's no point in going into depth about trust or possible threats or elaborating very much.

Tom
  • 10,124
  • 18
  • 51
1

Reading the other answers I'm expecting this to be down-voted by the IT sec community here, but bear with me...

Frame challenge: I think there are some cases where sharing passwords with trusted family members can make sense. In a sense it's the same as giving someone a copy of your house keys - as a matter of fact it is exactly the same, as per the old adage that physical access to a computer will essentially make it your computer (grabbing the passwords will be trivial after that).

I think it is important to understand the context of the situation where a family member would try to give you a password, the same as with house keys. Would I accept a house key or password from a distant friend or a colleague at the office? Certainly not. But I have a duplicate key to my parents' house, because they asked me to hold on to it. Why shouldn't I do the same for a password?

For example, my parents essentially share all their passwords with each other. I was able to make them use a password manager, and they both know the master password for that manager. Why? Because sometimes my father forgets it, and my mom knowing it is still better than the alternative, which would be the simplest imaginable password written on a post-it note stuck on the monitor...

They also gave me a copy of that master password. I now store it safely (on an encrypted disk in a password manager), the same way I store their house key, hoping that there will never be an emergency reason for me to use either.

In my eyes this boils down to the old saying that "security at the expense of usability comes at the expense of security". Sharing a password among close family can be a safer way of handling a situation than the most likely alternative.

IMHO it can be more fruitful to explain to relatives that handing out passwords is essentially like handing out copies of your house key. You can do it in some very limited instances with people you absolutely 100% trust - but only then, and you need to be aware of the potential consequences if this trust is abused.

fgysin
  • 715
  • 1
  • 9
  • 13
0

In most cases, giving someone else your password is a violation of the site Terms of Service. In most cases, a breach of the ToS requires you to delete the account and never use the service again. In some jurisdictions continuing to access the account in violation of the ToS is felony "Computer Hacking" and can put all involved parties in jail.

Please don't make me an accessory to "hacking" charges. If you give me your password I will be forced to report it to the maintainers of the site and have your account terminated.

For the Skeptics: https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 http://www.tomsguide.com/us/obama-cfaa-revisions-infosec,news-20330.html https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Perkins
  • 199
  • 4
  • 4
    Since when is "hacking" a crime? I'm pretty confident that some 20% of fellow users of this site have a CEH certification; would that put them in jail? I believe not. – grochmal Sep 27 '16 at 01:30
  • For that matter wouldn't a TOS violation be a contract law thing? – StarWeaver Sep 27 '16 at 04:09
  • 4
    Ever since the Computer Fraud and Abuse Act: Access in violation of TOS = unauthorized access. Unauthorized access to a machine involved in any form of interstate or inter-country commerce or communication = felony. They have seriously put people in jail for TOS violations, even when all actions on the system were otherwise legal. Obviously this does not apply to people who have been hired by the owner of the system to test security, as long as they stay within the bounds of the agreed testing. – Perkins Sep 29 '16 at 19:53
  • The problem is that visiting a website without obtaining prior permission is unauthorized access under US law, just like breaking in to some high level government server. That happens before you even get a chance to enter the password. The law is so badly written that it is not taken literally and it is selectively enforced. – Alex Cannon Feb 26 '18 at 22:57
  • 1
    @AlexCannon Oh, I quite agree, the law is stupid. But that just makes it all the more effective for scaring users into not giving you their passwords. – Perkins Mar 01 '18 at 19:37
  • Wow, the downvotes on this question are so absurd! – WHO's NoToOldRx4CovidIsMurder Dec 05 '19 at 23:48
  • @MatthewElvey I know. I'm not sure if it's because they think it's rude or because they think the hacking laws are stupid. But I've never had to warn anyone more than once with this tactic. Saying that if they give you their password you'll report them and have their account deleted is pretty darn effective even if it is rather blunt. Better to start a little more polite though. – Perkins Dec 18 '19 at 18:37
0

You can always tell the person that you don't trust your computer's security, and that it would be best not to know the password, since typing it into your computer could lead to the account becoming compromised by Internet spammers and the like. I think it would be a very reasonable and polite way to decline.

A lot of the bad things that can happen when you tell someone your password aren't because the person is dishonest and misusing your password; it's because they don't know enough to use it in a secure way, and someone else ends up doing something bad with it.

Alex Cannon
  • 402
  • 2
  • 7
-1

You can always throw out an informative explanation on data leakage and the strain it would place on your relationship.

For example:

Them: Can you help me? My password is...
You: I can help you, but please don't tell/hand/etc me your password.
            // have them type it in or something//
You: We all know sharing passwords is bad but if a company--like your bank--were to be compromised, your information and password could be leaked to the public. If something were to happen, I wouldn't want you to think I misused or lost it.

The above scenario can be modified to suit how you converse with the person, but you get the point.

This has worked for me in the past with friends and family. You mention bank or something similar and it catches their attention.

schroeder
  • 123,438
  • 55
  • 284
  • 319
-1

There should be no need to share a password for a social media account, because the owner of this account should be capable of managing it themselves.

When asked for assistance, I would be inclined to direct them to a suitable online tutorial. If they are not capable of following the tutorials, then I would question whether they are capable of safely using the service.

user1751825
  • 905
  • 4
  • 10
-6

There's actually nothing wrong with sharing passwords. For non-security-critical applications (i.e., most things for most people, probably everything but financial apparatus) it is a matter of convenience, utility, and reasonable trust.

It seems like the part you really care about is them abusing your expertise, and you want to have a legitimate-sounding way to say "no, I can't do that because XYZ". In which case just tell them the TOS for that service will ban people for account sharing, which is probably true in many instances.

John K
  • 107
  • 2
    The question is about explaining the risks of such a bad practice. You yourself suggest there is a problem with sharing passwords for critical applications, which would mean that there is a legitimate reason to educate. – schroeder Sep 28 '16 at 19:46
  • 1
    Very poorly considered answer. All online services must be treated as confidential. Insecure social media accounts can be hijacked for identity theft, and/or posting illegal, damaging material. – user1751825 Sep 30 '16 at 01:05