Questions

What's a good policy on cracking company pass protected files?

+
0 Votes
Locked

What's a good policy on cracking company pass protected files?

cbstryker
This is less of a tech question and more of a policy question. Recently, where I work, the HR Manager was let go and she had a number of password protected company files that she never told anyone the password. We (the IT department) have been asked to crack the password (it's a protected MS word doc). Our response to them has been that it's not a technology problem but rather a department problem.

I know there are password cracking programs out there, that's not the question. My question is what are the typical policies regarding these matters? What, if any, are the legal concerns? (They are company owned files so I would ascertain that it would be within a companies legal right to remove the protection by bypassing it, but I could be wrong)

I'm sure this is a loaded question, but being new to the office/corporate environment I would love some community input on this.
  • +
    1 Votes
    robo_dev

    If she locked the file cabinet and took the key, you would drill out the lock, no big deal.

    As a helpful IT dept you should just do what they asked you to do. It never hurts to have friends in positions that may save your job some day.

    The only policy concerns are typically that only the IT or security people should be using these sorts of tools.

    There is no legal issue, unless there is a legal issue with the files to start with. For example, if these files were evidence of a crime, then perhaps using a cracking tool would contaminate or invalidate the evidence and/or chain of custody.

    If you're using cracking tools to pirate software or change license keys, there are obviously legal issues with that, but when it comes to data files, it's your data and you can do whatever you want with it.

    +
    0 Votes
    cbstryker

    I agree with what you're saying. But I'm sure you can understand that you do it once then they all expect you to do it all the time and it's something that could be avoided if the department had proper policies in effect.

    There's one person here that is always "missing" a file and it's only this one person and all the files are on a NAS file server. So this person is clearly deleting files without being careful and never learning from mistakes, but to them it doesn't matter because we have a backup system. I'm going to enable file auditing to prove that she's always deleting them.

    +
    2 Votes
    danekan

    to do anything like this in our [large corporation] company it would take the approval of a senior VP of HR. not that that would be difficult to obtain, but we wouldn't do it without it. They require this same approval if we transfer a users' files or e-mails to a new employee or just someone else in general, though this is often skirted as it's easy to avoid.

    Cracking a password is considered a DMCA violation if it's not authorized, I wouldn't just do it without it being in writing that your company wanted you to do it, even though it's totally all internally.

    +
    0 Votes
    will_smith

    i agree with danekan, the policy comes down to who's on top and what they want.

  • +
    1 Votes
    robo_dev

    If she locked the file cabinet and took the key, you would drill out the lock, no big deal.

    As a helpful IT dept you should just do what they asked you to do. It never hurts to have friends in positions that may save your job some day.

    The only policy concerns are typically that only the IT or security people should be using these sorts of tools.

    There is no legal issue, unless there is a legal issue with the files to start with. For example, if these files were evidence of a crime, then perhaps using a cracking tool would contaminate or invalidate the evidence and/or chain of custody.

    If you're using cracking tools to pirate software or change license keys, there are obviously legal issues with that, but when it comes to data files, it's your data and you can do whatever you want with it.

    +
    0 Votes
    cbstryker

    I agree with what you're saying. But I'm sure you can understand that you do it once then they all expect you to do it all the time and it's something that could be avoided if the department had proper policies in effect.

    There's one person here that is always "missing" a file and it's only this one person and all the files are on a NAS file server. So this person is clearly deleting files without being careful and never learning from mistakes, but to them it doesn't matter because we have a backup system. I'm going to enable file auditing to prove that she's always deleting them.

    +
    2 Votes
    danekan

    to do anything like this in our [large corporation] company it would take the approval of a senior VP of HR. not that that would be difficult to obtain, but we wouldn't do it without it. They require this same approval if we transfer a users' files or e-mails to a new employee or just someone else in general, though this is often skirted as it's easy to avoid.

    Cracking a password is considered a DMCA violation if it's not authorized, I wouldn't just do it without it being in writing that your company wanted you to do it, even though it's totally all internally.

    +
    0 Votes
    will_smith

    i agree with danekan, the policy comes down to who's on top and what they want.