Avoid asking users for their passwords

Does your help desk routinely ask users for their passwords? Maybe it's time to rethink this policy. Find out why it's important for techs to set a good example and not ask for or accept a user's password.

A few days ago, I needed to update a computer. When I arrived at the site, however, the user was at lunch. It wouldn’t have been a problem except that he left his computer locked. Because I have an administrator password, this problem is easy for me to overcome, but I really hate shutting down a user’s system without knowing what was left running. Fortunately, his coworkers noticed my predicament and volunteered his password. It seems that they all know each other’s passwords and since they all know me, what’s a secret password between friends?

Somehow, the secret part of “secret password” seems to have escaped many people—and not just users like these. It seems that the more secure we make our systems, the more people are sharing passwords. Even techs resort to asking for passwords. Here’s my take on why techs should avoid this practice.

Don’t set a bad example
Techs should never ask for passwords or, as I did, accept them when offered. The IS group should always insist that users never give their passwords to anyone. It’s up to us to set the standard, but it seems that we are really slipping. I’ve recently learned of companies that have actually made asking for passwords a standard practice.

One example of this flawed thinking comes from an award-winning help desk that supports most desktop applications, including e-mail. Not long ago, the e-mail server administrators took away the admin rights of the help desk analysts. The analysts, however, are still responsible for supporting e-mail. How do they do it? The users have been given admin rights over their own accounts. When there is a problem with an account, the help desk analyst just asks the user for his or her password.

My next example is even worse. Earlier this year, I was told of two different companies that created forms that ask users for their passwords. These forms are used when system upgrades are scheduled for large numbers of employees. It seems these companies feel it would be too difficult or inconvenient for employees to reset their passwords after the upgrades, so they are instructing their employees to write them down and leave them with their computers.

Is sharing passwords bad?
To be fair, I’ve heard of no security breaches because of these practices (assuming you don’t think attaching a piece of paper with all a computer’s passwords to the side of the PC is a breach of security). It does, however, bring up an obvious question: If passwords across America are being given out willy-nilly, why hasn’t security been violated? There are only three possible answers—dumb luck, everyone in the office is extremely honest, or corporate security has been violated but has gone unnoticed.

Practice what you preach
If we work in such trusting environments that we can share passwords, why not do away with them altogether? Passwords make administration a huge pain, and if we all trust each other, why deal with them? However, if we think that there’s even the slightest chance that a few people might take advantage of having their boss’s password or might be moonlighting for the competition, we should be setting the right example. Tell your users that no one on the technical team will ever ask for their passwords and not to divulge them if anyone asks.

Does your IT organization routinely ask users to reveal their passwords? Have you found this is the only way to get your work done? Does your organization strictly enforce its password policy? Give us your feedback. Post a comment or write to Pat Vickers.