Asking for passwords policy

mnashe

How do you guys handle IT staff asking users for their passwords? Is it allowed or forbidden?

I hear the helpdesk staff asking users for their passwords so they can troubleshoot issues or setup new computers

Irks the heck out of me. How do we prevent attackers from social engineering passwords, if the users are use to giving them to IT staff

PCTechLinc

I would say no way. Our IT staff assigns a temporary password and then allow the customer to reset after first use. For some high-security applications, there is a self-help reset your own password utility. Internal threats are the most destructive, and if a customer says "well I gave my password to so-and-so tech" then what's the point of having passwords? There goes your non-repudiation.

kaiju

No need to ask for the password if the helpdesk uses remote desktop. All the user has to do is accept the connection. Admin rights will allow a PC to be setup without the user being present. Once the user logs on all of the necessary apps can be pushed to the PC or pulled from the server. Seems like your organization needs to reinforce Cybersecurity awareness and reiterate that personal passwords should not shared with anybody.

This network would DEFINITELY be an easy target for a social engineering based attack.

cyberguypr

Sharing passwords is a big NO even in the crappiest security policies. You simply lose all accountability. This is a clear sign of an extremely immature operation and I see it all the time. Now, if someone high up approves this and assumes the risk, then whatever anyone think is an exercise in utility.

Jon_Cisco

Personally I don't think IT should have access to passwords. It defeats the purpose of authentication. However I know most people in my company give me the passwords even when I ask them to type them for privacy reasons.

PC509

You could always do what one user of mine did... Do a Reply All to a company wide email notification from the help desk, and ask for help while also giving your user name and password. She was a higher up, so it went out to everyone.

I was thinking "Did she just send out her user name and password to the whole company?"... yup. Immediately changed her password for her and gave her a call. Then, had someone from the help desk call and let me know that her password was just changed a few days prior and wasn't the problem she was having... It took him a few to realize the big problem. I didn't care about her other issue at the time.

For me, if I need their password, I'll have them enter it in. If I can't do that, I'll change it in AD and do my work. Change it to something else, and mark for change at next login. Let them know their temp password and go on. Of course, if I really need to know what it is, I could just check their sticky note on the monitor, under the keyboard, etc.. If it doesn't work, just increment the 17 to an 18 and I'll be good.

mnashe

I 100% agree with you all. It's unacceptable. The biggest reason that I see them doing this is for our remote users. When a remote user gets a new laptop, the helpdesk staff will build the new laptop and then login as the user to do a setup, copy files, etc. When the user receives the laptop, they'll be able to login, since their credentials are already cached. If the user wasn't previously logged in to the new laptop by the helpdesk, the user would not be able to login from home (domain controller not available message). This would be a non issue if the VPN software connected prior to user logon

Panther

On the flip side, I've had c-level staff not able to login their computer, and request a password reset.
Guest what happens to password policies?

Or a medical office is "so busy" that help desk resets their password with little verification.
Meanwhile tickets should not document patient information due to hipaa laws.

Someone with bad intentions who knows the company culture could certainly do some social engineering.

Danielm7

When I first started at my last company the helpdesk would ask users for their passwords and keep them on sticky notes with the laptops while they worked on them. The only experience their manager had was from Best Buy and he assured me it was fine. I got that changed pretty quickly.

A friend started working at a giant ISP / cable company that most of us hate. They set him up and then said they needed his password to setup his email. He was like... wtf?! He refused, the techs were baffled. He told them to just reset his password, do what they needed to do and he'd just reset it back afterwards.

logisticalstyles

While it is a textbook security risk to share passwords, some organizations just don't care. My last job was at a software company and we didn't want anyone's passwords. If I had to work on a user's computer I would either log in as Admin and do what I needed to do or change the user's password and let them know about it when I returned the computer to them.

In my current job passwords are shared freely. We try to remote in as much as possible but there are no reservations when it comes to getting a users password. Most of my user base is more "mature" and have hard times keeping up with passwords. I often come across notebooks filled with passwords and am usually given a password whenever I am asked to work on a computer. It really irks me but the confusion that would result from me changing a users password would make IT's job very difficult.

MitM

Interesting thread. I came across this issue this week. I told some IT managers that I was going to send an email out to the entire company reminding them to never share passwords, even with IT. Instant pushback! They agree users shouldn't share their passwords but then full of excuses on why it shouldn't apply to IT members.

Jon_Cisco

I recently had a boss ask me to change their email password because they believed it was compromised. Then they immediately gave it to me in just in case they were ever locked out.

I explained that I can always change the passwords in the future if needed but in the end I just recorded the new password in my password database. My work does not require a high level of security but it would still be nice to follow some basic guidelines.

eillinois31

mnashe wrote: »

How do you guys handle IT staff asking users for their passwords? Is it allowed or forbidden?

I hear the helpdesk staff asking users for their passwords so they can troubleshoot issues or setup new computers

Irks the heck out of me. How do we prevent attackers from social engineering passwords, if the users are use to giving them to IT staff

That's pretty dumb, might as well not have any passwords at all.

Danbert1.0

I am going to have to agree with many others here. When I worked at my previous job the HD people were always asking for passwords. They couldn't understand how that was a bad thing. They have admin accounts for a reason. If you need the users credentials then the user has to be available to put them in.