I noticed last time I was at the IT office at my school that they asked for a student's password. I think the student was either having the operating system re-installed or the keyboard replaced; I can't remember for sure, though. Anyways, the contract we have to sign to get access to the school network / school computers (which we're basically required to sign) says this (translated):

The password is personal and shall be kept secret. If there is suspicion or knowledge of someone else gaining access to the password, the student shall change his or her password immediately.

The contract says nothing about this not applying if staff asks for your password, so I sent the following email to the school's IT staff (again, translated from Norwegian):


Last week I noticed that the IT staff at school encouraged students to breach the IT contract they've signed. A student was at the IT office (I can't remember why, but I think it was an operating system reinstall or a keyboard replacement), and was asked to write down her password on a sticky note. Under section 3, "User identity and password", the contract states the following:

The password is personal and shall be kept secret. If there is suspicion or knowledge of someone else gaining access to the password, the student shall change his or her password immediately.

I think this episode is a clear breach of the IT contract, and shows an unprofessional attitude towards security.

Today, I got the following reply (translated yet again):

Hi! Normally you would be correct about giving away your password to others. However, when it comes to the IT staff things are slightly different.

We are able to change the passwords of all students and staff, and therefore we have a technical ability to access their resources.

We have therefore decided to let the student decide if they want us to change the password for them when we work on the machine, or if they wish to keep their password, in which case we write it down on a sticky note.

What do you think I should respond? Should I just let it go? I still think it's wrong of them to ask for the password, even more wrong to write it down, and it has nothing to do with me being worried about them gaining access to my data.


Previous answers seem to be primarily of the tone "they can access your files anyhow, so it doesn't matter if they have your password". This is incorrect. Many users re-use passwords or generate them according to an obvious scheme (e.g., appending "1" to "12" to foil your school's password rotation policy or using "pass-so" on StackOverflow, "pass-su" on SuperUser, etc.). If such a user gives their password to the school's IT staff, they are not only providing them the ability to access information that the IT staff can already access via their admin privileges, but they are also providing access to other, unrelated, resources that the IT staff have neither admin access to nor any legitimate reason to be able to access.

Furthermore, there is always the possibility of fraud and social engineering - I don't know about you, but my spam filters catch a constant barrage of "Hi, I'm from your email server's staff and I need your account name and password for some ridiculous reason or other" phishing attempts. It's much easier and more effective to teach users that they should absolutely never give their passwords to anyone than it is to first carve out an exception for IT staff and then expect them to be able to correctly and consistently determine whether they're dealing with actual IT staff or with impostors.

Finally, writing the account details on a post-it note (which is likely stuck to the machine itself, making it easy for any passer-by to identify where those credentials will be usable) seriously compounds the problem unless the post-it and the machine are both kept in a secure location (so that only IT staff can gain access to them) and the post-it is destroyed (shredded, purged with flame, etc.) before either leaves the secure area.

The correct course is for the IT staff to not only stop requesting user passwords, but also to take the same approach as PayPal (among others, but they're the first to come to mind) and tell users "we will never ask for your password; anyone who claims to be from IT staff and asks for your password is lying, so don't give it to them". There's no time like the present to start teaching students good security habits. Schools, of all places, should not be teaching the opposite.

Thank you. I sent them an email basically paraphrasing what you said, and they just sent me an email back saying they've changed their routines. – sarahhodne – 2011-09-09T11:08:07.270


You could ask them to update the Terms of Service with an exemption for the I.T. department, but with the condition that when a student who is informed [that a new password can be assigned] chooses to provide them with their current password, the I.T. staff would also be taking responsibility for securing that password against theft, observation by an unauthorized third party, etc. (clauses about the destruction of hand-written passwords, such as cross-shredders and time-frames, are also important).

In addition to resolving a technical violation of the Terms of Service, this solution also makes sense to end users because the majority tend to naturally trust I.T. staff with confidential information (such as passwords) anyway.

I think with the case of IT staff it is a bit different. Some (but perhaps not all) of them will be able to reset your password and access your data. So in theory if they wanted to see your data they could (although if they've set up the profiles correctly they should be able to anyway, or at least one account will).

I agree with you on the asking for passwords thing; it is wrong and is bad practice. What should happen is the password is reset, the IT staff do their work, the password is set to be changed at the next logon, and the student enters his chosen password. (This however is null and void if last passwords are not allowed to be chosen again for a certain time; however, in the education establishments I have worked in this flag is usually off by default, as students tend to have problems getting up in the morning, least of all remembering x amount of different passwords and keeping rotating them.)

It may be worthwhile speaking to your IT department and suggesting this.

However, I do think this question may get closed and is more a community wiki discussion along the lines of "is it wrong for domain admins to ask for a user's password".

The password policy says that you may not use any of your last 12 passwords, so students tend to just add a number to the end, or change it 12 times. But I agree with you on setting the password to be changed on the next logon. It's not that much harder, and much more secure. – sarahhodne – 2011-08-29T09:51:08.233

I agree with you @Joe that this should be a community wiki for discussion. But the contract the question owner is asking about is right; they should have to mention in their contract that if the staff needs the password then it should be legal for them to know it, but they have not mentioned it in their contract. Back in my graduation days they mentioned it in the contract, so we couldn't object. But there will be no issue about this if your I.T. staff needs the password, I think. – avirk – 2011-08-29T09:56:16.183


You should mail them to change their contract rule about this. If they want to access your PC and want to check the data, they should have to mention it before the contract is signed. According to your contract this is really wrong, as they have mentioned it in their contract too and they have not said that this rule is not applicable to the IT department.

They should have a legal reason to access your system. If they want to know the password from time to time (if you change your password for any reason), then they should allow you to change it more than 12 times. A change in the contract paper would really make this easy.

What if the IT staff know the password?

In my case I have never faced any problem when any IT staff member knows the password of my PC. They just need to access my account and check my data. So there should be no problem at all for you too, I think.

They had listed it in their contract that if they want to know the password then we have to give it to them under any condition. If any suspicious data is found on my account they will seize it.

Now in your case, if they want to check your data you can request them to access it in your presence (if they agree not to know the password).

But in any case, the better way is to change the contract to be clearer for students, so that in future they do not face this problem.


