Solved

Asking user passwords

Posted on 2004-09-22
Last Modified: 2010-04-10
Guys,

I'm in the UK, and have a question re asking users for their passwords. Basically, I have been told to ask users for their passwords when needing to work in their accounts. I have heard that this may be against the law according to the Data Protection Act; however, the act does allow for you to change a user's password to gain access to their account. Obviously, I see this as a security risk as people shouldn't tell anyone their password, however I have been told to do this as it is considered standard practice in my company.

Can anyone confirm or deny this as I don't want to end up in court for doing my job.

Thanks.
Question by: InteraX
5 Comments

Accepted Solution by: rj-smith (LVL 6, earned 375 total points), ID: 12121571
I'm not sure there would be anything in the data protection act about asking users for their passwords as it's more concerned with the privacy and release of stored information. Having said that, I can't claim to be any kind of expert.

However, I would say that it is extremely bad practice to ask users for their passwords. Social engineering is a common tactic for hackers to use to breach the security of a company. If they managed to get hold of your phone list they could randomly phone up users, pretend to be from IT, and then ask users for their passwords. If this is commonplace within your company then users are likely to comply!!!

At the very least ensure users are instructed never to reveal their passwords over the phone or by email and if possible only to IT staff they know or that can provide ID.
Expert Comment by: gnegrota (LVL 7), ID: 12121755
There is one situation: an IT professional must do something as an existing user.
If the system doesn't provide a tool to do that without knowing the account password (an SU utility), the operation must be done in the presence of the account owner and the password must be typed in by the owner. In any other case, the account password must be changed and the account blocked until the owner asks for it to be unblocked.
Expert Comment by: crazijoe (LVL 7), ID: 12122111
I don't think it is against the law in a private organization because the data in their accounts is the property of the company you work for. In a public market, yes, it is against the law. However, if you are told to ask users for their password to get into their accounts, this is a bad policy for your company. The norm is that a legit IT administrator would reset the user's password to gain access to their account.
Expert Comment by: phone-pilot, ID: 12124219
I am not a UK attorney, but I am a US attorney. I've filed technical documents on firewalls, and have briefed National Security Agency personnel on authentication in mobile telephone networks. Having said that, there are several policy reasons why it's good to not ask nor give a password via the phone:
1) in a cubicle environment the password giver may be overheard;
2) the IT department should be excluded from accessing sensitive data on, e.g. the employment (HR) people's computers;
3) there is one additional person who could compromise the password.

In most large corporate IT departments, password resets are typically accomplished by a time-synchronized identity module which permits the IT department to authenticate a user sufficiently to reset the password such that the user can select his/her own password promptly after that. An example is the smart card active ID, see http://www.secureidnews.com/news/2002/09/23/activcard-unveils-activcard-identity-management-systemtm-aims/ .

Thus, to assure proper compartmentalization of data access _within_ a company, it is advisable to implement something along these lines which keeps the password known only to the user and to the authenticating network.

In addition to avoiding problems between departments of a company, the above method also goes a long way to securing the network from more 'James-Bond' like intrusions, which may include social engineering. There is a lot of company time and value tied up in trade secrets. Keeping such secrets within the company is better achieved with robust user-authentication.

Hope this helps.
