Asking for passwords policy

How do you guys handle IT staff asking users for their passwords? Is it allowed or forbidden?
I hear the helpdesk staff asking users for their passwords so they can troubleshoot issues or set up new computers.
Irks the heck out of me. How do we prevent attackers from social engineering passwords if the users are used to giving them to IT staff?
Comments
This network would DEFINITELY be an easy target for a social engineering based attack.
I was thinking "Did she just send out her user name and password to the whole company?"... yup. Immediately changed her password for her and gave her a call. Then, had someone from the help desk call and let me know that her password was just changed a few days prior and wasn't the problem she was having... It took him a few to realize the big problem. I didn't care about her other issue at the time.
For me, if I need their password, I'll have them enter it in. If I can't do that, I'll change it in AD and do my work. Change it to something else, and mark for change at next login. Let them know their temp password and go on. Of course, if I really need to know what it is, I could just check their sticky note on the monitor, under the keyboard, etc. If it doesn't work, just increment the 17 to an 18 and I'll be good.
Guess what happens to password policies?
Or a medical office is "so busy" that help desk resets their password with little verification.
Meanwhile, tickets should not document patient information due to HIPAA laws.
Someone with bad intentions who knows the company culture could certainly do some social engineering.
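The reset-and-mark-for-change-at-next-login approach described above, written out as an added PowerShell example (not any commenter's code). It assumes the RSAT ActiveDirectory module, rights to reset passwords in the target OU, and a hypothetical log file path for the audit trail.

```powershell
# Added example: reset a user's AD password to a random temporary value and
# force a change at next logon, so the technician never learns the user's
# real password. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-TempPassword {
    param([int]$Length = 16)
    # 64 characters, look-alikes (0/O, 1/l/I) removed so the value can be
    # read over the phone. 256 % 64 == 0, so byte % 64 has no modulo bias.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%&*+'
    $bytes = [byte[]]::new($Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    $rng.Dispose()
    return -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

function Reset-UserForTroubleshooting {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId   # ticket number, for the audit trail
    )
    $temp   = New-TempPassword
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force

    # -Reset sets a new password without knowing the old one.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    # The user must pick a new password at next logon, so the temp value is
    # short-lived and IT never holds the user's chosen credential.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    # Record who reset which account and why, but never the password itself.
    # Log path is an assumption for this example.
    $entry = '{0} reset={1} by={2} ticket={3}' -f (Get-Date -Format o), $SamAccountName, $env:USERNAME, $TicketId
    Add-Content -Path "$env:ProgramData\helpdesk-resets.log" -Value $entry

    # Hand the temp password to the user by phone or in person, not by email.
    return $temp
}

# Usage (hypothetical account and ticket):
# $tmp = Reset-UserForTroubleshooting -SamAccountName 'jdoe' -TicketId 'INC0001'
```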
A friend started working at a giant ISP / cable company that most of us hate. They set him up and then said they needed his password to set up his email. He was like... wtf?! He refused, the techs were baffled. He told them to just reset his password, do what they needed to do, and he'd just reset it back afterwards.
In my current job passwords are shared freely. We try to remote in as much as possible, but there are no reservations when it comes to getting a user's password. Most of my user base is more "mature" and has a hard time keeping up with passwords. I often come across notebooks filled with passwords and am usually given a password whenever I am asked to work on a computer. It really irks me, but the confusion that would result from me changing a user's password would make IT's job very difficult.
I explained that I can always change the passwords in the future if needed, but in the end I just recorded the new password in my password database. My work does not require a high level of security, but it would still be nice to follow some basic guidelines.
That's pretty dumb, might as well not have any passwords at all.