16

Possible Duplicate:
From a security point : Is it OK to tell your password to an admin?

I am working in a small company (20 employees) as a senior SW engineer.

After having some email problems, our newly employed IT administrator asked me for my password so he could find out with the hosting company why exactly. Without thinking, I gave him my password.

After maybe 30 minutes, I realized that in my 10 years of working in several companies nobody had ever asked me for a password, and I found it rather strange. Immediately afterwards I changed my password.

So, are there cases where the password is really needed, where I really have to tell my password to an IT administrator?

EDIT

The reason I am asking is this: I have heard of stories where admins asked for the user's password, but only on sites like The Daily WTF.

Please note that the answers on this question were not given from a security point of view, and as such should not be considered secure.

BЈовић
  • 1
    The law on this will vary from country to country. For example, in the UK it is permissible for a representative of an organisation to obtain access to someone's mailbox for the purposes of the detection and prevention of a crime or to ensure business continuity during a person's absence. This question is going to receive a lot of opinion. –  Jul 21 '11 at 16:38
  • 1
    @Linker3000 Ok, assume that no crime is involved :) , and it is safe to assume that nobody in the company needs access to my mailbox. –  Jul 21 '11 at 16:41
  • 2
    @Linker3000: there are many other ways to let people into your inbox without disclosing your password. – Lie Ryan Jul 21 '11 at 16:47
  • Sometimes Administrators don't even need to ask for passwords because many users write them on labels affixed to their monitors in plain view. Unfortunately this is often the result of users having trouble remembering passwords that they're forced to change regularly ("I couldn't remember if I added a 17 or an 18 because I'm not allowed to re-use previous passwords"). While these can be good practices for technically-inclined people, I find that these practices fail with regular users who just want to focus on their work. =( –  Jul 21 '11 at 16:52
  • Isn't this what `sudo` is for? :p – Brendan Long Jul 21 '11 at 17:14
  • @Lie Ryan my comment does not discount that possibility. –  Jul 21 '11 at 18:26
  • 3
    Please note that many of the answers given so far, and the upvotes, were migrated with the question. As such, consider that they were not given from a **security** point of view. – AviD Jul 21 '11 at 19:36

3 Answers

28

I have worked with many companies, and the technical answer is that no one should know your password.

In practice, you really have to weigh that against any real threats, and why you are giving it to him. Also, if your password is used for many things (you should not do this either), like your banking, then really NO.

If you really ever have doubts, you can do one of two things: You can temporarily change it, so giving it to him is not an issue, or you can type it in for him. I often ask people to type their passwords in for me.

That said, an administrator can change the password when they need to, but the only problem is that they have to get the user to change it again.

  • 5
    +1 Often have users type their password or ask if we can change it and explain why. Sometimes they are off site and there is a valid reason; I provide instructions on how to change it after the admin is done. –  Jul 21 '11 at 16:01
  • 6
    I completely concur. (I'm really not stalking you KCotreau). I make it a point to look away from keyboards as users type their passwords in. Not that I can read keystrokes, but it enforces in their mind that I should not ever be given their password. If I really need to, I can reset it, and then there is that audit trail that I have done so as well as the user awareness when they have to change it again. Besides, what hosting company needs a user password to test the account? I'd politely ask the IT admin if there was a particular reason he needed the password. – music2myear Jul 21 '11 at 16:05
  • 1
    +1 for temporary changing the password (why I haven't thought of it) –  Jul 21 '11 at 16:06
  • 1
    @DaveM, those are good practices. – music2myear Jul 21 '11 at 16:09
  • 1
    Excellent answer (as always of course) with excellent comments. I concur on all counts. –  Jul 21 '11 at 16:14
  • @music2myear, perhaps I am misreading the question, but it doesn't seem like the IT guy works for the hosting company. – Zoredache Jul 21 '11 at 16:36
  • 1
    Paragraph 2 the IT tech mentions he needs the password to "see with the hosting company why exactly." Their email appears to be hosted, the IT guy does not appear to be hosted (maybe like The Doctor in Voyager). I'm sorry if I made that unclear in my comment. – music2myear Jul 21 '11 at 16:39
  • @Zoredache Even in that case, you could temporarily change it. –  Jul 21 '11 at 16:42
  • @music2myear I don't think you are stalking. I will say that I never look away, but their passwords are plenty safe: First, I don't care :), and second, at my age, my memory is more sieve-like anyway. :) –  Jul 21 '11 at 17:44
14

Generally speaking, in a SOX (Sarbanes–Oxley) compliant organization it is frowned upon to know the user's password, and the proper method if you need access as IT admin would be to reset the user's AD password. However, there are times I ask my users for their passwords:

  • When I can't reproduce something and need to test as the user without interrupting their daily workflow.
  • Some admins make their regular user accounts domain admins (terrible idea btw) but they may need your password to test as a standard domain user.
  • If I am setting up email on a user's phone and they don't have any interest in being walked through the steps (i.e. they just want it done)
  • In a small company such as yours I have seen admins keep excel sheets with all their users passwords (another awful idea).
  • If someone needs a change made on their computer while traveling and you don't want to interrupt email flow to their phone or cut short a VPN session.

The main theme here is that the user initiated the request for support and the password is required so as not to interrupt them. As an admin, not getting in the way of my users is my number one priority, so there are some fringe cases where resetting the password is not the best option. However, the unsolicited request for a user's password is never acceptable in my eyes without explaining exactly why you need it. If it ever happens again, ask your IT admin to reset your AD password and let you recreate it when he's done; I ALWAYS give my users this option (I also keep in mind these passwords may be used elsewhere, like for online banking). If he has a problem with or refuses this simple request, then he should at the very least be able to provide a good reason why he needs it.

Supercereal
  • 4
    Regarding point 2, that is indeed a terrible idea. I have my personal account as local admin, but would not, even if I had the ability, set it as domain admin. I have an account for that and it stays that way. Regarding situations where it is a user request though, I try to politely teach people the importance of me not having the password. Ironically, in many cases if they simply allow me to work around them with their logging in when necessary, most issues can be resolved in the time they take impressing me with the importance of their huge workload that prevents them from doing it this way. – music2myear Jul 21 '11 at 16:11
  • 1
    @music you're lucky your users let you work around it; mine are always too frantic, and the idea of having to place a phone call or walk over to my office is enough to already have them worked up. Sometimes I think a password reset would be enough to push them over the edge. –  Jul 21 '11 at 16:18
  • 1
    Oh, they're not always. A law firm I worked at for a brief period of time populated with scores of partner-level lawyers and hundreds of lawyers trying to make partner would yell and scream if I gave the slightest delay to their oh-so-hurried lives. Other companies have been better. On-site or desk-side support situations tend to be best for these methods. Thankfully, in phone-support situations my managers would back me up in these preferences, and so I would dispatch an on-site tech to do the work or simply inform them I was resetting their password and then would have them change it again. – music2myear Jul 21 '11 at 16:22
  • +1 for "not getting in the way of my users is my number one priority". (And "he should at the very least be able to provide a good reason why he needs it") –  Jul 21 '11 at 16:26
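The reset-and-let-the-user-recreate-it procedure from the answer above, as an added example that is not part of the original answer. It assumes a domain-joined admin session with the RSAT ActiveDirectory module, and `jdoe` is a hypothetical account name. The admin sets a random temporary password with `-Reset` (so the current password is never needed), flags the account so the user must pick a new password at next logon, and then pulls the Security event 4724 ("An attempt was made to reset an account's password") records that give the user the audit trail the comments mention.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module and a domain-joined admin session; 'jdoe' is a hypothetical account.
Import-Module ActiveDirectory

function New-TemporaryPassword {
    param([int]$Length = 20)
    # 64-character alphabet (ambiguous I, O, l omitted) so that masking a random
    # byte with 63 selects a character without modulo bias. Bytes come from the
    # OS CSPRNG; Get-Random is not suitable for secrets.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ -band 63] })
}

function Reset-SupportPassword {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $temp   = New-TemporaryPassword
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force
    # -Reset performs an administrative reset: the admin never learns or needs
    # the user's existing password.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # Force the user to choose their own password at next logon, so the
    # temporary value the admin knows stops working as soon as the task is done.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    return $temp   # hand to the user out of band (not email), then have them log on
}

function Get-PasswordResetEvents {
    # Every administrative reset is recorded as Security event 4724 on the
    # domain controller that handled it. Run on that DC or with remote
    # event-log rights. Fields are read from the event XML by name rather than
    # by positional index, so the order of EventData fields does not matter.
    param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }
        if ($field['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                ResetBy = "$($field['SubjectDomainName'])\$($field['SubjectUserName'])"
                Target  = $field['TargetUserName']
            }
        }
    }
}

# Usage:
#   $tmp = Reset-SupportPassword -SamAccountName 'jdoe'   # do the support task with $tmp
#   Get-PasswordResetEvents -SamAccountName 'jdoe'        # show the user who reset it and when
```

The point of the pairing is that the reset is both self-limiting (the temporary password dies at the user's next logon) and attributable (event 4724 names the admin who did it), which is exactly what knowing the user's real password is not.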
8

While I agree with the general rule that nobody should know your credentials, in practical terms it may sometimes be required, if you want the help and you don't want to sit around re-typing your password for the tech.

Perhaps I am misreading your question, but it appears you are talking about an external service? Most of the other answers seem to be missing the point, and assuming the IT admin actually has administrative access.

Within my network many external services are in use on which I have no admin access, and on some I do not even have an account at all. If one of my users needs me to assist them in resolving an issue, I have no ability to reset passwords or force a change after the fact. The only way for me to resolve the problem is with their credentials. For smaller problems, having the user simply type in their credentials is fine, but for really complex ones that have to do with the interactions of many systems, this just is not practical.

Ideally, the person would change their password before and/or after I have used their credentials to resolve problems with an external service, but users typically really dislike this. If you are concerned simply mention it to the IT admin. I am sure he wouldn't mind you changing the password before he works on it.

In the case of small companies, some passwords for external services belong to the organization and not the individual. For example, let's say your web site was hosted on some bargain-basement cheap hosting provider that only provides a single account to manage the content. In a perfect world you would pay for better service that provides individual accounts to each user, but in reality it is very common to have a set of shared credentials for external services. If you want your tech to help you figure out why some setting is screwed up, or why some file is corrupt, then he will need access, and if you only have the option of a single account, you may simply have no choice but to share the password.

Zoredache