Can a company agent look up your work password and use it to log in to your personal accounts?

-1

In other words, if you use the same password for your work email and your personal email, is it within the rights of your employer to somehow 1) Retrieve your work email password and 2) Use it on your personal account?

Finally, 3) What if they use the email issued by them to you along with looking up your password to log into a third party service that you signed up for with the email address they issued to you?

For example, if I made an Instagram account with my work email, does my employer have a right to retrieve my password from IT to get those pictures or even access the account?

kraftydevil

Posted 2016-06-15T08:39:40.150

Reputation: 129

Question was closed 2016-06-19T11:45:07.927

No one has the rights to access anything personal or work related except if you give him your blessing! :) – NIZ – 2016-06-15T08:53:33.207

@NIZ Actually, it's not you that has to give them the blessing, it's the owner of the service. For example, Facebook's terms of service make clear that "your account" is actually their account and you are not authorized to give people access to it. They gave you access, period. If the owner didn't authorize you to authorize others, you cannot do so. – David Schwartz – 2016-06-15T09:08:16.683

Legal questions are off-topic. – DavidPostill – 2016-06-15T09:35:45.913

If your Administrator knows your network password they are not following best practices. – Ramhound – 2016-06-15T11:44:52.573

Answers

2

Not in the United States. This would violate Federal law, specifically 18 USC 1030(a)(2)(C):

"Whoever ... intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains ... information from any protected computer ... shall be punished[.]"

They do not have authorization to access the email account or third party service (unless the provider gave it to them, which is extremely unlikely).

This would be a protected computer because 18 USC 1030(e)(2)(B) says:

"As used in this section ... the term 'protected computer' means a computer ... which is used in or affecting interstate or foreign commerce or communication, including a computer located outside the United States that is used in a manner that affects interstate or foreign commerce or communication of the United States[.]"

That would cover pretty much any email service or third party service on the Internet.

David Schwartz

Posted 2016-06-15T08:39:40.150

Reputation: 58 310

To clarify: that only applies to the third-party stuff. For the first question, about the company's own systems: they are the ones authorizing you to access it, because they own the machines (and you do not). They can freely read any emails or documents on their servers/PCs, and capture your passwords if they want to. At least, that's my understanding; I am not a lawyer, and this is not legal advice. – CBHacking – 2016-06-15T09:06:32.280

It would depend on the specifics, but yes, they could certainly be authorized to do that. Typically "your account" is not really yours but is really owned by the owner of the service and they give you access to it. They can give others access to it. You, typically, cannot. – David Schwartz – 2016-06-15T09:09:38.500

@DavidSchwartz - Do you know anything about the common case of 'Gmail for Work' for businesses? (https://apps.google.com/products/gmail/) Who is the owner that dictates what can be done? – kraftydevil – 2016-06-15T12:57:50.403

@kraftydevil Google is. And they authorize the business to do pretty much whatever they want. – David Schwartz – 2016-06-15T17:04:19.680

Meaning they allow the employer to have READ access to password? – kraftydevil – 2016-06-15T17:15:15.817

@kraftydevil I don't think they retain the password, so read access is not possible. But they can change it, read your mail, and so on. – David Schwartz – 2016-06-15T17:15:57.490

1

First of all, never re-use passwords. Just don't! There are so many better options - I strongly recommend a password storage application, like LastPass or similar - and password re-use is a great way to get bitten, even years down the road. You may have seen the news about Mark Zuckerberg's accounts getting "hacked" recently? That's what happens if you re-use passwords (which is how they got him).

Now, to your actual questions:

1) Yes, your company IT people can absolutely do this. In theory they probably can't do it easily - your passwords should be stored securely in a way that cannot be reversed back to the original password (a one-way function, such as a cryptographic hash, is usually used as part of a password storage system) - but they can do it if they have reason to. In practice, it's probably easy. They are also well within their rights to do so (unless you have a contract saying otherwise; this is unlikely); your account, and indeed your entire access to their computer, is on their terms. Some employment contracts basically say the company IT infrastructure and all data on it or sent through it - including passwords - is owned by, and subject to inspection by, your employer. There may or may not be exceptions for data of a personal nature, approved moonlighting projects using company resources, or so on, but you shouldn't assume so.

2) That would be illegal, at least in the USA. Accessing a computer system that they don't own and haven't been granted permission to access is very much against the law. Law enforcement can (legally) do it if they have a warrant, or possibly without if they're somebody like the NSA, but a non-government business cannot (legally) do so unless compelled to by a government agency. David Schwartz's answer has good detail, here.

3) Same as #2, though it's a little fuzzier there. They own that email address (and do not require your password in order to access it, unless their security is way stronger than I expect; usually a server admin can read all email on that server easily), so if you use it to do a password reset that goes to your work email they could read the resulting reset email. Using it (for a third-party site/service, without your permission) would again be illegal (same caveats as above) but maybe a sufficiently good lawyer could convince people that it's permissible for some reason. In practice, you shouldn't use your work email account for anything that you don't want your employer to have full access to.

CBHacking

Posted 2016-06-15T08:39:40.150

Reputation: 5 045

The question was not if they "can" but if doing so was "within the rights". – David Schwartz – 2016-06-15T08:53:06.360