Is it OK to tell your password to your company's sysadmin?

Question

I'm working in a small company (20 employees) as a senior software engineer.

After having problems with my email, our newly employed IT administrator asked me to write my user password to someone in our hosting company to help them identify the problem.

Without any thought I gave him my user password.

After 30 minutes, I realized that in my 10 years of working in several companies nobody asked me for a password, and I found it rather strange. Immediately after that, I changed my password.

Are there cases where the password is really needed, when I really have to tell my password to an IT administrator?

I have heard of stories where admins asked for the user's password, but only on sites like The Daily WTF, which prompted this question.

(Related: "A client wants to tell me his home laptop's password. Must I push him towards a more-complex alternative?")

The [other version](http://security.stackexchange.com/questions/5534/is-it-ok-to-tell-your-password-to-an-admin/5537#5537) of this question was closed because the answers where not focused on security. My answer focused on the practical point. In the real world there are crappy external services that provide no way for a local support person to help. If you want help from your local guy, then you may have no choice. You can change the password on your account before and/or after, or you can deal with the problem yourself. — Zoredache, Jul 22 '11 at 00:21
@Zoredache, Reading your updated answer there now, specifically the last paragraph, that does change it a bit - but see my comment below, about how "shared" accounts are really not a good idea. Besides, the OP did say "my password", so it seems thats not the case - but I'm sure VJo could clarify that. — AviD, Jul 22 '11 at 00:31
Sadly, this happened to me. But the Admin was the owner of the company. What can you do? — LarsTech, Jul 22 '11 at 03:51
"my password" and "the password to our hosting company" are two completely different things. The former the admin has no business with, the latter may very well be required for him to do his job! — user, Jul 22 '11 at 11:00
@MichaelKjörling: Excellent point; you should copy and paste it into a new answer. Dear OP: If he does so, you should accept it. — unforgettableidSupportsMonica, Jun 21 '13 at 23:14
@unforgettableid I think [@David Houde](http://security.stackexchange.com/a/37867/2138) did just that, just now. — user, Jun 22 '13 at 10:34
@MichaelKjörling: Suggested revision 2 unwisely changed the phrase "After having some email problems, our newly employed IT administrator asked me for a password to see with hosting company why exactly" to "After some email problems, our newly employed IT administrator asked me for the password to our hosting company to see why exactly". The OP didn't catch the problem, & so [approved](http://security.stackexchange.com/review/suggested-edits/258) the suggested edit. The OP has now fixed the mistake. So it turns out that, after all, it _was_ the OP's user password which the sysadmin requested. — unforgettableidSupportsMonica, Jul 10 '13 at 00:27
@MichaelKjörling: It looks like DavidHoude's [answer](http://security.stackexchange.com/a/37867/2138) has now been deleted. — unforgettableidSupportsMonica, Jul 10 '13 at 00:28

AviD · Accepted Answer · 2011-10-03T08:32:00.687

88

Short answer:

ABSOLUTELY NOT!
Your password is between you, and your computer alone.
No one else.

Not your boss, his boss, the system administrator, your bank official, your insurance agent, your ISP support technician, or your cat. Well, your cat you can tell, if she promises not to share it.

There is NEVER a good reason to share a password.
There are many reasons NOT to. Mostly, because a password is YOUR authentication, and as soon as even ONE other person knows it, it can no longer prove your identity.

Any reason your admin comes up with, is bogus, either because he is malicious, lazy, misinformed, or incompetent.
That said, it may not be his fault, but the fault of his organization. Either way, there is incompetence, ignorance and laziness abound.

If an admin, or ANY support technician asks for your password, the correct response is to LAUGH.
Because there's no way they're serious, right?

If your admin insists - explain to him that you will document sharing your password with him... and that, based on this, you are going to send nasty emails to all around - not about him, but you will claim that they came from him (using your account, in your name, using your password that you just shared with him). Of course he won't be able to prove that he didn't misuse your password... which is the point.

No, on second thought, just don't give him your password. It's yours, between you and the computer alone.

edited Oct 03 '11 at 08:32

answered Jul 21 '11 at 20:52

AviD

72,138
22
136
218

8

I will also note, that you shouldn't type your password on his computer, unless you explicitly trust THIS PERSON. And he shouldn't ask - it's bad user education, training users to type their passwords on any random machine - that may have keyloggers, traffic sniffers, etc. – AviD Jul 21 '11 at 20:54
9

Someone likes to use CAPSLOCK to MAKE THEIR POINT. – k to the z Jul 21 '11 at 20:57
55

Shift, actually. Used selectively, it is a useful tool for emphasis. – AviD Jul 21 '11 at 21:06
This is what I thought I would get. – BЈовић Jul 21 '11 at 21:31
The question is about a password for an external service, that the admin has may have access to. If said admin is expected to be able to help resolve the a complex problem that requires those specific credentials, how do you expect that to happen without sharing a password? Sending nasty emails or laughing in the face of a tech you asked to help you may either lead to you not getting help, or the guy aiming some BOFH style revenge at you. – Zoredache Jul 22 '11 at 00:12
2

@Zoredache, If the admin should have access to this service, he should have his own credentials. If he does not, then he shouldn't. Note that (owning) credentials are pretty much equivalent to (owning) an identity - and that should not be shared. The nasty emails weren't supposed to be sent, rather to show the problem with sharing a password; same with the laughter, since with an honest, competent sysadmin that would only be said as a joke. (And btw, from my experience its the security guys with access to the *real* bofh stuff... ;) ) – AviD Jul 22 '11 at 00:25
4

Btw, @Zoredache, one "exception" to the above comment, is if the credentials are not for his *personal* account, rather a "company", shared account. (I *think* this may be what you were getting at...?) In that case, of course they shouldnt be hoarded, and given to whomsoever is responsible for administration. Very bad practice, forbidden by many regulations, but not as bad as giving up the password keys to your own identity kingdom. – AviD Jul 22 '11 at 00:26
1

Yes, I am mostly talking about credentials that an external provider treats as belonging to the organization, and not the individual. The question is about a small business., unfortunately it is very common in the case of small business the IT support will have no access, or no admin access for services he is expected to help support. I agree that you should almost never share you password, but I am just saying that in some less-then-ideal environments, there is not much choice. – Zoredache Jul 22 '11 at 00:38
18

Do NOT tell your password to your cat. Cats are [not to be trusted](http://jpetrie.myweb.uga.edu/journal.html) under any circumstances. As innocent as they may appear, they have been known to be malicious. – Jun 22 '13 at 00:56
3

The cat obviously know the password already, since it is also his name. – KristoferA Jan 30 '15 at 01:53
@KristoferA: Is the password *his name* or [*your name for him*](http://www.catquotes.com/thenamingofcats.htm "“The Naming of Cats” by T S Elliot")? I ask because he shouldn’t care about the latter, and you shouldn’t know the former. … … … … … … … … … … … … … … … … … … … … … … So, when somebody learns your password, do you change your cat’s name? :-) – Scott - Слава Україні Jul 08 '15 at 13:13
1

The “[cats are not to be trusted](http://jpetrie.myweb.uga.edu/journal.html "Entries in a cat’s journal")” link is broken. Slightly different versions of the original content can be found [here](http://www.pawsperouspets.com/humor/catdiary.shtml "Secret Cat Diary") and [here](http://www.goodeatsfanpage.com/humor/otherhumor/dog_cat_diary.htm "The Cat’s Diary"), with longer versions [here](http://www.papermodelers.com/forum/comedy-stand/12698-excerpts-cats-diary.html "Excerpts from the Cat’s diary... ") and [here](http://gpsinformation.info/main/cat-diary.txt "The Captive Cat’s Diary"). – Scott - Слава Україні Jul 08 '15 at 13:27
1

@AviD your argument sounds reasonable. But are there an authoritative sources for these principles? I guess it won't be convincing to show our IT a random stackexchange answer as proof they are wrong. – Penghe Geng Nov 01 '19 at 19:06
I don't like this answer primarily for style reasons. It's full of CAPS and doesn't go into reasons and details why in plain English language. I agree it's bad but this isn't something i can show management. – Darryn Brisdaz Nov 19 '20 at 00:30

score 20 · Answer 2 · answered Jul 21 '11 at 21:00

20

Let's try another idea: would you give one of your finger to your IT manager so that he can repair your access to your building while you are working?

I'll assume the answer is no. The same applies to your password. Even if you have a single password for all your services (Which never happens, even for me I confess) the password should NEVER EVER shared with anyone. It's is the only thing that can authenticate yourself. That can bother you having to waste time with your IT support, but this can also send you to jail for a long time.

So, definitely: no

answered Jul 21 '11 at 21:00

M'vy

13,033
3
47
69

9

Giving a finger is a needlessly over-exaggerated isn't it? After all you can simply change the password after the IT guy is done with the work, changing your finger isn't possible. – Zoredache Jul 21 '11 at 23:56
8

No, it is not exaggerated. Once an account is owned, it is owned - For example, depending on what the service is, and what functionality is present, a user may be able to create a surrogate account (e.g. a forwarding email address, a secondary admin account, etc). Granting someone else "temporary" access to your identity is usually no such thing. – AviD Jul 22 '11 at 00:21
12

I might give him *the* finger, though ;) – Piskvor left the building Jul 22 '11 at 10:07
@AviD: The problem there is that effectively a sysadmin is God. They can always take over your account. At the local level they can just use `su` for Unix-syle systems, or for Windows they create a token with the `zwCreateToken` call. For both local and network credentials they can almost always change your password (although many systems make it very hard for them to change the password back). – Kevin Cathcart Jul 22 '11 at 19:58
Strange use of anecdote you got there...but also, using your finger as a password, is pretty much the same of leaving your password on post-its everywhere you go. – Dog eat cat world Jul 22 '11 at 22:47
4

@Kevin, but thats not the same thing as "borrowing" your password... If the admin resets or takes over your account, *there is auditing*. Also, dont forget things like e.g. EFS, where changing a user's password still does not give you access. The problem is this mindset `that effectively a sysadmin is God` - this is not true, nor should it be the case: God does not have to justify his actions, a sysadmin does. – AviD Jul 23 '11 at 21:18
We do not talk about resetting, where audit takes place! But giving your password that does not implies audit. Indeed admin is god but it does thing under his name, not yours (with some exception on linux and su thing) – M'vy Jul 23 '11 at 22:14
@M'vy My point was in part that a Linux-like `su` is possible under Windows, for local purposes. A local Admin cannot forge usuable domain credentials, but the amdinstrator of the Domain Controller technically can, although that is similarly not documented. – Kevin Cathcart Jul 26 '11 at 16:37
@AvID: Auditing helps, and it does indeed not occur with shared passwords, it does not negate my statement. Justifing one's actions occurs after the fact, and in security, after-the-fact may very well be too late. As for your example of EFS, unless you have disabled the recovery agent, or use a smartcard-style system, the administrator of the domain controler can obtain a copy of the private key, and decrypt the files. Since in many companies the Domain administrator is also a local admin on people's machines they could (in theory at least) bypass EFS. – Kevin Cathcart Jul 26 '11 at 16:47
This is a terrible analogy. It tries to make the reader react to the terror of disfiguration and use that in place of an rational argument. Disagree? Then replace "finger" in the argument with "a fingernail clipping". Suddenly it doesn't sound as bad...but the argument is unchanged. – Beska Jun 07 '13 at 17:29
1

You shouldn't give your password to the admin, he should have sufficient privileges that its not needed. However, the sysadmin can just legitimately man-in-the-middles the service (he has the required certificates+keys and network access) and get your plaintext password that way. – wireghoul Jan 30 '15 at 12:10

score 15 · Answer 3 · answered Jul 21 '11 at 22:51

15

It was explained before that nobody should ever give its password to an administrator (i'm ok with all of it), but you should check with his superior what's going on, because if he asked yours, it's possible that he asked the password of the 18 others ( the 19th is probably his superior) and i'm pretty sure that some of your fellow co-workers use the same password everywhere.

answered Jul 21 '11 at 22:51

noktec

411
2
4

+1 good point. Check with supervisor, or with policy, to see if the admin should be asking. – Rory Alsop Jul 22 '11 at 09:50
5

And, if so, probably go and have those policies updated... – AviD Jul 22 '11 at 11:08

Ormis · Answer 4 · 2011-07-22T18:23:15.420

Short answer, if he is an admin he should never need your password. The worst case scenario is that he needs to resets your password and give you a new one (which you would promptly change).

Unless there is some mitigating circumstances, passwords/codes/phrases are for you alone. (e.i. if the admin doesn't have a privileged account on your PC)

I have entered a few jobs where a long-time employee will have a one-off machine that doesn't have an admin account that i can use on it, but even then it's a better solution to have the user (assuming they have the rights to) make the admin a privileged account that they can use. So even then i'm hard pressed to think of any viable reason why the admin would need your password. It's always a sad day to learn that the user doesn't have administrative rights, it's not connected to the domain, and the admin that set it up hasn't worked there for 10 years......

p.s. as said in another answer, it is possible that the admin is used to getting the "get it done" treatment from their superiors, which may result in them just asking for passwords.

p.s. if the password is the administrator level password or a password to an external service that the admin does need access to, he does need the password (or needs an administrative level account created for him on that service). My response was from the perspective that it was your password. If it's for a company service, i.e. the company's web-host, it's not "your" password. Even then, it's preferred that each individual has separate logins (for accountability/auditing purposes). — Ormis, Jul 25 '11 at 18:15

score 6 · Answer 5 · answered Jul 22 '11 at 07:19

It may be time to dig out your IT security policy. If you have one in your organisation. If not, time to get the team to sit down and pen one.

It may be the case that this admin has not read it or been trained.

A culture of giving out passwords will certainly increase the chances of accounts being comprised if there are not checks in place to verify each and every request.

The issues raised about accountability are also a bit of a concern.

It's not good practice for sure.

score 6 · Answer 6 · answered Jul 22 '11 at 08:08

6

There is also one other problem with password sharing.

If anything happens to your account or by your account while someone else is logged you are the one who will be blamed. Even if inside the company is ok to share password by security policy, legaly (by law; at least in my country) you are the one who will be accused.

answered Jul 22 '11 at 08:08

StupidOne

2,802
21
35

1

That's interesting; I'm not familiar with local laws there, but in most places, being able to prove that someone else had your password (either stolen, or given in a "legitimate" way) can cause serious repudation issues, i.e. absolve you (-ish) of responsibility). – AviD Jul 22 '11 at 08:12
I know one girl few years ago gave her mail account to her boyfriend who then sent some blackmailing mails. She was found guilty, despite proving mails were not sent by her. EDIT: Well, anyway, even if you can prove it wasn't you and by laws you won't be found guilty, it's still unpleasant situation, don't you agree? – StupidOne Jul 22 '11 at 08:16
Absolutely, I agree with that point completely. – AviD Jul 22 '11 at 08:28
1

Look at an y Term of Services for a service and you will confirmed that password is your sole responsibility. – M'vy Jul 22 '11 at 08:54
@Mvy, of course. But what happens when you can prove that someone *else* has it? Is it your fault and you bear responsibility? Or repudiation? – AviD Jul 22 '11 at 09:04
@AviD♦: Depends. Most ToSes I've seen say "it's your own damn fault, whoever has the password *is* you as far as we care" - this may be another hurdle beyond proving someone else had the password. IANAL, as usual. – Piskvor left the building Jul 22 '11 at 10:11

score 1 · Answer 7 · answered Feb 09 '18 at 18:04

The core question being asked is, "Is it ever necessary for an admin to ask for a password?" Clearly, it should not be necessary. But let's define "necessary" as "required in order to accomplish something critical".

With these parameters, in cases with severe / breaking flaws in the security infrastructure it may be necessary to expose a password to accomplish critical tasks. I have seen fouled up systems in both large corporations and government that were run like this for years before I ran into them. And from the standpoint of keeping the operation running, yes it was necessary to continue having that sort of password exposure while fixes were made.

The key in each case was to document the problem, document and clearly communicate the risks of operating under this flawed security situation, get a statement of policy from leadership directing under what circumstances password exposure should occur while fixes are made, then to document any password exposure necessary to continue operating while the security system was being corrected.

In short, it should never be necessary. But if it is, protect yourself by moving the risk of liability off of yourself and onto the party responsible for the decisions / infrastructure that made it inappropriately necessary. And of course if there is no move to fix the problem, you might want to consider moving on.

Ancient One · Answer 8 · 2015-01-30T01:52:37.887

Maybe.. How much do you trust them? Do you use this password anywhere else? If it's the same password (or some simple derivation thereof) that you use to gain access to places which allow direct manipulation of your finances, then you better trust the sysadmin not to use your password to gain access to those areas. Amazon Customer Service: "Well sir, our log files and audit trails show that you purchased those 1200 copies of "Sharknado 2". "

Is your convenience more important that your security? "Man... If I don't give the sysadmin my current password, they'll change it and I'll have to change it again in my phone's email setup. BOGUS!!!"

Is the password one that would embarrass you for people to know? (favorite Reality-TV star, swear word, sexual position...)

The above examples suggest that the answer would be "no". But...

The sysadmin: "Since you decided to encrypt your hard drive with Truecrypt which the company does not support, I can't recover any data from your laptop unless I have your decryption password."

So the answer is not going to be 'yes' or 'no' in every circumstance. The answer depends on the circumstances surrounding why you are being asked for it.

And.. always consider who besides yourself could be harmed in some way if someone besides yourself had your password. Secret Service: "Mr. President! You gave the nuclear launch codes to that guy???"

The answer is not "maybe", nor is it a qualified "not usually", the answer is strictly "no". See the other answers if you don't understand why. I'm honestly shocked that this answer has been here for over a year without anyone down voting or commenting on this. To anyone else reading this, don't believe this answer, read the higher voted answers — Kevin, Mar 18 '16 at 18:44

score -3 · Answer 9 · answered Jul 10 '13 at 04:55

-3

If the admin is trying to diagnose a problem only you are having, there might be good reason to access your account "as you" to identify your problem efficiently. You have a lot higher probability of getting your problem fixed if you make it easy for them.

Consider, that your data is not really secret from the sysadmins, so the only thing you're actually protecting is the password itself. If you're already following good password hygiene, it has no value as long as you change it again as soon as they are done.

The alternative - that they have a back door to bypass the need for passwords, is not really attractive either.

answered Jul 10 '13 at 04:55

ddyer

1,974
1
12
20

But the data can be made secret by encryption, no? I am not sure what you mean with "back door". Officially, there are no back doors in linux ;) – BЈовић Jul 10 '13 at 05:59
This is about a service account and incoming email. There's no separate encryption (or if there were, the user password would be irrelevant.) As root in unix, I can change your password and log in as you. How's that for a back door? – ddyer Jul 10 '13 at 18:03
@ddyer: What's a service account? – unforgettableidSupportsMonica Jul 14 '13 at 17:29
4

-1. AviD has [pointed out](http://security.stackexchange.com/questions/5539/is-it-ok-to-tell-your-password-to-your-companys-sysadmin#comment9163_5543) that if the sysadmin resets your password, it creates an audit trail, whereas if you change it for the sysadmin, there's no audit trail. Don't share your password: instead, ask your sysadmin to reset it then to diagnose the problem. – unforgettableidSupportsMonica Jul 14 '13 at 17:33

Is it OK to tell your password to your company's sysadmin?

9 Answers9

Linked

Related