Asking for Passwords



  • I have worked for a number of companies over the past 20 years, and it seems that in a slight majority of them, the IT people will sooner or later ask for my password. I get the impression that I am the only one who gives them a hard time over this. It even happens at companies that are big enough to know better. What are they doing wrong that they think they need people's passwords?



  • I generally give in and give them my password - it's generally in the context of them helping me with something and I don't keep personal stuff on my work computer, so...
    I also change my password afterwards (especially when they don't ask me for my password face-to-face...)


  • Discourse touched me in a no-no place

    @tharpa said in Asking for Passwords:

    the IT people will sooner or later ask for my password



  • FoxDev

    The IT people where I work will never ask for my password. Why? I am the IT people! 👿


  • Winner of the 2016 Presidential Election

    @RaceProUK said in Asking for Passwords:

    I am the IT people!

    Our servers are maintained by hedgehogs? That explains so much...



  • @tharpa In my experience it's always a co-worker needing to do something on my machine when I'm unavailable.


  • FoxDev

    @RaceProUK said in Asking for Passwords:

    The IT people where I work will never ask for my password. Why? I am the IT people! 👿

    Just to clarify: I never ask people for their passwords. Partly because I have no interest in knowing them (and wouldn't reveal my own), but mostly because I'm sorting out issues when they're already logged in 🙂



  • This is topical and relevant--our IT people are finally switching from an unsecured (but MAC-filtered :doing_it_wrong: ) network for the teachers to a secured one. Each teacher gets their own password (not sure as to the technical details). Here's the :wtf: the password for each account is the account password for that teacher's school computer. For most of the teachers, that's also their google apps account password, which is also their LMS password which is also their grading/attendance system password. Mine happens to be different (the machine account password, not the others--that's by policy). Oh, and they wanted us to email them the password in plain text so they could "build a spreadsheet" (yes, that's an exact quote). 🤦



  • @Benjamin-Hall I take it back. It's worse. They're using a google form to collect the passwords...

    I quote from the email (and this was repeated in person):

    Please fill in the Google form below with your full name and computer password.
    Computer Password Request Form. You must sign in with your Tampa Prep email in order to be able to open the form.
    Note: You will see a little warning message saying “Never submit passwords through Google Forms”- please ignore that message.



  • @Benjamin-Hall
    W. O. W.

    Someone needs to be fired for that little brain child. Preferably out of a cannon. Into the sun.


  • Discourse touched me in a no-no place

    @Benjamin-Hall said in Asking for Passwords:

    Please fill in the Google form below with your full name and computer password.
    Computer Password Request Form. You must sign in with your Tampa Prep email in order to be able to open the form.
    Note: You will see a little warning message saying “Never submit passwords through Google Forms”- please ignore that message.

    🤦 🤦🏻 🤦🏼 🤦🏽 🤦🏾 🤦🏿 🤦🏾 🤦🏽 🤦🏼 🤦🏻 🤦


  • Grade A Premium Asshole

    @tharpa said in Asking for Passwords:

    I have worked for a number of companies over the past 20 years, and it seems that in a slight majority of them, the IT people will sooner or later ask for my password. I get the impression that I am the only one who gives them a hard time over this. It even happens at companies that are big enough to know better. What are they doing wrong that they think they need people's passwords?

    Are the IT people building and maintaining a spreadsheet with all of the passwords? Or do they ask when you need assistance with something that they will need that password to access?

    If they keep a list of everyone's password, that is retarded. If they ask for it when they need to help you with something, it is no big deal, IMO. In fact, we do it all the time.



  • @Polygeekery said in Asking for Passwords:

    @tharpa said in Asking for Passwords:

    I have worked for a number of companies over the past 20 years, and it seems that in a slight majority of them, the IT people will sooner or later ask for my password. I get the impression that I am the only one who gives them a hard time over this. It even happens at companies that are big enough to know better. What are they doing wrong that they think they need people's passwords?

    Are the IT people building and maintaining a spreadsheet with all of the passwords? Or do they ask when you need assistance with something that they will need that password to access?

    If they keep a list of everyone's password, that is retarded. If they ask for it when they need to help you with something, it is no big deal, IMO. In fact, we do it all the time.

    I'm pretty sure that there is a spreadsheet (knowing the system, it's probably a Google Doc :wtf:). Security is not one of the primary foci of the IT department...



  • @Polygeekery can't the domain admin just reset password when needed, or something?


  • Grade A Premium Asshole

    @fbmac said in Asking for Passwords:

    @Polygeekery can't the domain admin just reset password when needed, or something?

    Sure. Then field a call from a pissed off user who later cannot login?



  • @fbmac point of order--that would require a domain. We're almost a 100% mac environment :doing_it_wrong: and the devices are entirely managed by the faculty. I think we all have admin as well (that may just be me though). Only the robotics teacher uses windows (since some of his programs don't work on mac). Not even the faculty iPads are managed centrally.


  • FoxDev

    @tharpa said in Asking for Passwords:

    What are they doing wrong that they think they need people's passwords?

    dunno, but they ain't getting mine. if they need mine they have the domain access needed to reset my password and can bloody well do that.


  • Java Dev

    Dear @accalia,

    Your password has once again been reset to the value of 'aelementia' which is in our spreadsheet. Can you please stop changing it without informing us.

    Thanks in advance,

    Local IT.


  • BINNED

    @RaceProUK said in Asking for Passwords:

    I am the IT people!

    Your employer is sooooo screwed


  • BINNED

    @Luhmann said in Asking for Passwords:

    @RaceProUK said in Asking for Passwords:

    I am the IT people!

    Your employer is sooooo screwed

    Now, now. Hedgehogs are mostly polite and buy you a drink first...


  • FoxDev

    @Onyx said in Asking for Passwords:

    Hedgehogs are mostly polite

    We are?

    @Onyx said in Asking for Passwords:

    and buy you a drink first

    We do?


  • BINNED

    @RaceProUK Hush, I'm trying to wind the Belch up :P


  • kills Dumbledore

    I had a helpdesk person ask for my password at my first job so they could remote in and sort something for me. I changed it to Password1 and told them that, then tried to change it back afterwards, but there was that stupid "you must wait at least 24 hours between password changes" policy, so I was stuck with an insecure password until the next day.


  • BINNED

    @Onyx
    comes from drink your beer too fast ... you'll wind up belching


  • BINNED

    @Onyx said in Asking for Passwords:

    buy you a drink first

    @RaceProUK where is my drink?



  • @tharpa said in Asking for Passwords:

    the IT people will sooner or later ask for my password

    It's a trap! Those who comply can expect a visit from security telling them to get their things together and be escorted out of the building because they violated company security policy number one: "never share your password with anyone".



  • @izzion said in Asking for Passwords:

    @Benjamin-Hall
    W. O. W.

    Someone needs to be fired for that little brain child. Preferably out of a cannon. Into the sun.

    That's going to be one helluva cannon. Want to see (from a very safe distance)


  • FoxDev

    @PleegWat said in Asking for Passwords:

    Dear @accalia,

    Your password has once again been reset to the value of 'aelementia' which is in our spreadsheet. Can you please stop changing it without informing us.

    Thanks in advance,

    Local IT.

    Dear Local IT,

    No.

    Accalia

    P.S. If you change my password on me again i'll grant myself domain admin and revoke yours so you can't change mine. I know what your password is, don't make me use it.

    P.P.S This message will self destruct in five seconds, report to Q for your new computer.


  • Java Dev

    Dear @accalia,

    Your non-cooperativeness has been reported to HR. Again.

    Local IT.


  • FoxDev

    @PleegWat said in Asking for Passwords:

    Dear @accalia,

    Your non-cooperativeness has been reported to HR. Again.

    Local IT.

    Dear Local IT,

    Your insults regarding our effectiveness are out of line, we have warned you about this before. this is your final warning, should you persist in this belligerent behavior we will be forced to terminate your employment.

    - Human Resources


  • Java Dev

    @accalia Oy! You can't be both @accalia and HR!


  • FoxDev

    @PleegWat said in Asking for Passwords:

    @accalia Oy! You can't be both @accalia and HR!

    i can when i own Local IT's Exchange Server.


  • :belt_onion:

    @Polygeekery said in Asking for Passwords:

    Sure. Then field a call from a pissed off user who later cannot login?

    Just tell them what the new password is. That's what we do here, after I pointed out to an IT guy and his manager that they were asking me to violate their own policy. "But we need it to restore your files and set up Outlook!" "I backed up my own files and Outlook is on auto discover, so you definitely don't need to do that."


  • Grade A Premium Asshole

    @heterodox when you do outside IT support for SMBs, the objective is to keep them from getting pissed off. If you have pissed off customers often enough, you eventually end up having no customers.

    If it is outside of business hours, we will reset their password if absolutely necessary. But we try not to do that. Inevitably, when we reset a password that user will end up coming in early the next morning and not be able to login until someone else gets there to tell them of their password change and then that user got up early for nothing.


  • :belt_onion:

    @Polygeekery said in Asking for Passwords:

    @heterodox when you do outside IT support for SMBs, the objective is to keep them from getting pissed off. If you have pissed off customers often enough, you eventually end up having no customers.

    Ah, I'm speaking of our internal IT.

    @Polygeekery said in Asking for Passwords:

    Inevitably, when we reset a password that user will end up coming in early the next morning and not be able to login until someone else gets there to tell them of their password change and then that user got up early for nothing.

    Why not leave them the new password on voicemail and set that expectation? shrug Or any other OOB delivery mechanism (keep a personal e-mail address on hand for each user, perhaps).



  • @heterodox said in Asking for Passwords:

    Or any other OOB delivery mechanism

    They make these amazing things called Smart Phones now! And even some not-so-smart phones accept texts! Amazing! Life Changing! Get Yours Now! (But wait! There's more!...)


  • FoxDev

    @dcon said in Asking for Passwords:

    But wait! There's more!

    "And it's yours for the low low cost of $9001!"


  • FoxDev

    @RaceProUK said in Asking for Passwords:

    @dcon said in Asking for Passwords:

    But wait! There's more!

    "And it's yours for the low low cost of $9001!"




  • @RaceProUK said in Asking for Passwords:

    "And it's yours for the low low cost of $9001!"

    @dcon said in Asking for Passwords:

    But wait! There's more!

    Corrected for proper infomercial.



  • @Polygeekery
    Man, it's just too bad that Microsoft hasn't leveraged their fancy cloud technologies and come up with a method whereby any Active Directory user could reset their own password.

    Though, toby faire, AAD Premium is $72 per year per user, so it's not precisely a free service. Though I think the effective cost is lower if your company is already an O365 or Exchange Online subscriber


  • Grade A Premium Asshole

    @heterodox said in Asking for Passwords:

    Why not leave them the new password on voicemail and set that expectation? shrug Or any other OOB delivery mechanism (keep a personal e-mail address on hand for each user, perhaps).

    Good idea, but we support many hundreds of users.

    The thing is, it doesn't matter. It really doesn't. If we need to work on something that is better taken care of after hours and we send them an email that says, "Could you please provide the password you use to login to your computer so that we can remote in to your workstation and take care of this after hours?" the world does not burn down, the Nazis don't win, and users will continue to do stupid shit regardless of what we do.

    From a security perspective I suppose it would be better if everyone pulled an @accalia and told us to go get fucked, then we reset their password and send it to their manager. But, that would cause issues. Users are fucking morons. They will forget what you tell them, they will type the password in multiple times until their account is locked and then we have to unlock their accounts and reset their passwords yet again.

    If you are internal IT, you can draw a hard line and be a total dick about it. External IT support has to toe the line between doing the "right thing" and not annoying their users to the point that they change services. That happens. And when you have no more customers, you have no more business, you have no more income and then I guess you could go take a helpdesk job somewhere and then be a dick to the users in the name of doing the right thing.

    I actually picked up a customer once because of unnecessarily strict security requirements. A friend and I flew our families to his lake house. While there, he had some trivial issue. IIRC it was installing a new printer on his laptop. I offered to take care of it for him, but their external IT required him, as an owner, to fax in a request form. They knew who he was. That was all the verification he should have needed. The person he called was his normal support person, he called him from his cell phone, his voice was recognized and the technician knew with 100% certainty that he was the owner of the company. Even their PHB would not give him the password without the form being filled out.

    I made that sale by just telling him that we would never do that to him and if he ever had issues he could just call me. I had not been able to make that sale until that point because he was happy with them for the most part. The biggest competitor a business person will ever have is the status quo. But that sealed it.

    "But what about security!?!?!?! That is how social engineering works!!!!!111"

    Maybe. But, if someone ever pulls off a social engineering attack to the point that they can spoof a phone number, and a voice, and have small talk about business and kids and everything else before asking for something that is rightfully that person's property...fuck it. They are just going to don a mask and walk right in the front door and get the keys to the kingdom anyway.

    On the other hand, if you know of anyone who is using external IT support and managed services where their support are total distended assholes about security, send them my way. I will make the sale and give you a finder's fee for the lead.


  • Grade A Premium Asshole

    @izzion said in Asking for Passwords:

    @Polygeekery
    Man, it's just too bad that Microsoft hasn't leveraged their fancy cloud technologies and come up with a method whereby any Active Directory user could reset their own password.

    Though, toby faire, AAD Premium is $72 per year per user, so it's not precisely a free service. Though I think the effective cost is lower if your company is already an O365 or Exchange Online subscriber

    "So @Polygeekery for my 50 users, this will cost me another $3600/year that I could spend on other things, why do we need this?"
    "Well, it is super mega cloud-based and if your users ever need to, they can reset their own password without calling us. They can do it themselves."
    "How much do we currently spend just on resetting passwords?"
    "Basically nothing. It takes 5 minutes to reset a password and usually when they call in we help them with other things. Plus, most trivial stuff like that is just covered under the retainer."
    "Riiiiiiight, OK, thanks for stopping by. Gotta go. I am a busy man, and now I have to look for a new IT service provider that is not trying to piss my money away. Good seeing you, send my regards to the wife and kids."



  • @Polygeekery
    Well, obviously, your first mistake is setting an expectation of doing trivial stuff to cover for user stupidity without an additional service fee 😜

    Yeah, I didn't realize it was quite THAT expensive until I was already most of the way through writing up the post. It's nice from the helpdesk side of the fence to be able to point the sales guys at this every 90 days when their password has expired and they can't get into Skype. Though I suppose we're not saving $72/year worth of helpdesk (and sales guy lost productivity) time since they submit a ticket every single quarter. But if you're already leveraging the MFA or InTune features (or even the Premium P2 license for Identity Protection), then the self-service reset is a nice added on feature that's included with those services.

    Still, yeah, your point as to how SMB consulting goes is right. Which is sad to me, since it's obvious to me that IT is more than just an overhead cost center in basically every business that operates in a First World Country these days 😿


  • :belt_onion:

    @Polygeekery said in Asking for Passwords:

    If we need to work on something that is better taken care of after hours and we send them an email that says, "Could you please provide the password you use to login to your computer so that we can remote in to your workstation and take care of this after hours?" the world does not burn down, the Nazis don't win, and users will continue to do stupid shit regardless of what we do.

    Perfectly valid point of view. Not being sarcastic there. I think our difference is in clients; my company works for clients that do expect us to draw a hard line and be a total dick about it, because that's what regulations demand. Security is more important than usability to them and that's just how it has to be sometimes. If we did ask users for passwords, our world would burn down.



  • Update on the :wtf: I reported above:

    I expressed my concerns to IT and they said the following--whatever tool they're using to mass-create credentials for the network requires it to be uploaded to the router* as a combined file. The spreadsheet will then be deleted. Still a :doing_it_wrong: moment, but at least they're aware that it's a :wtf:.


  • :belt_onion:

    @Benjamin-Hall said in Asking for Passwords:

    I expressed my concerns to IT and they said the following--whatever tool they're using to mass-create credentials for the network requires it to be uploaded to the router* as a combined file.

    Hm, internal RADIUS database maybe? They really should be using an external one that integrates with AD-- like AD itself-- but that would require competence. As would authentication using machine certificates, which would be much better.



  • @heterodox @Benjamin-Hall
    That's gonna be all sorts of fun six months from now, after the current account credentials have expired, when some poor soul gets a new machine the latest Windows feature release and has to re-connect to the wireless because the connection profiles didn't get ported over correctly.

    (INB4: account credentials never expire, and people haven't changed their password since before @boomzilla stopped doing work)



  • @izzion said in Asking for Passwords:

    before @boomzilla stopped doing work

    You are suggesting he was doing work at some point ? :trollface:


  • sekret PM club

    @izzion said in Asking for Passwords:

    people haven't changed their password since before @boomzilla stopped doing work

    There were computers then?



  • @e4tmyl33t said in Asking for Passwords:

    @izzion said in Asking for Passwords:

    people haven't changed their password since before @boomzilla stopped doing work

    There were computers then?

    He must have meant club passwords. You know, for entering the treehouse, or the "secret" hideout. Things like that.

