Solved

Asking user passwords

Posted on 2004-09-22
284 Views
Last Modified: 2010-04-10
Guys,

I'm in the UK, and have a question re asking users for their passwords. Basically, I have been told to ask users for their passwords when needing to work in their accounts. I have heard that this may be against the law according to the Data Protection Act; however, the act does allow you to change a user's password to gain access to their account. Obviously, I see this as a security risk as people shouldn't tell anyone their password; however, I have been told to do this as it is considered standard practice in my company.

Can anyone confirm or deny this, as I don't want to end up in court for doing my job.

Thanks.
Question by:InteraX
5 Comments
 
Accepted Solution by rj-smith (LVL 6, earned 375 total points), ID: 12121571
I'm not sure there would be anything in the data protection act about asking users for their passwords as it's more concerned with the privacy and release of stored information. Having said that, I can't claim to be any kind of expert.

However, I would say that it is extremely bad practice to ask users for their passwords. Social engineering is a common tactic for hackers to use to breach the security of a company. If they managed to get hold of your phone list they could randomly phone up users, pretend to be from IT, and then ask users for their passwords. If this is commonplace within your company then users are likely to comply!!!

At the very least, ensure users are instructed never to reveal their passwords over the phone or by email and, if possible, only to IT staff they know or who can provide ID.
 
Expert Comment by gnegrota (LVL 7), ID: 12121755
There is one situation: an IT professional must do something as an existing user.
If the system doesn't provide a tool to do that without knowing the account password (an SU utility), the operation must be done in the presence of the account owner and the password typed by the owner. In any other case, the account password must be changed and the account blocked until the owner asks for it to be unblocked.
 
Expert Comment by crazijoe (LVL 7), ID: 12122111
I don't think it is against the law in a private organization because the data on their accounts is the property of the company you work for. In a public market, yes, it is against the law. However, if you are told to ask users for their password to get into their accounts, this is a bad policy for your company. The norm is that a legit IT administrator would reset the user's password to gain access to their account.
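The two approaches gnegrota and crazijoe describe, acting as the user through an su-style tool or resetting the password and locking the account, as an added example that is not part of the thread. It assumes a Linux host with shadow-utils (su, chpasswd, passwd, usermod) and root rights; the function names are my own, and DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not from the thread: two ways for an administrator to work in
# a user's account without ever learning the user's password. Assumes a Linux
# host with shadow-utils and root privileges. With DRY_RUN=1 the commands are
# only printed, which is what the assertions below exercise.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 1 (the "SU utility"): root switches to the account directly. su does
# not prompt root for the target user's password, so nothing is disclosed.
act_as_user() {
  user="$1"; shift
  run su - "$user" -c "$*"
}

# Sets a temporary password via chpasswd; the value is never echoed in dry-run mode.
set_temp_password() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'chpasswd <<< %s:<temporary password>\n' "$1"
  else
    printf '%s:%s\n' "$1" "$2" | chpasswd
  fi
}

# Option 2: when no such tool exists, reset to a random temporary password,
# force a change at next login, lock the account and log who did it. The
# account stays locked until the owner asks for it back (unlock_for_owner).
reset_and_lock() {
  user="$1"
  tmp="$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20)"
  set_temp_password "$user" "$tmp"
  run passwd -e "$user"     # expire: the user must pick a new password at next login
  run usermod -L "$user"    # lock until the owner requests an unlock
  run logger -t acct-reset "password reset and account locked for $user by $(id -un)"
}

unlock_for_owner() {
  run usermod -U "$1"
  run logger -t acct-reset "account $1 unlocked at owner's request by $(id -un)"
}
```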
Expert Comment by phone-pilot, ID: 12124219
I am not a UK attorney, but I am a US attorney. I've filed technical documents on firewalls, and have briefed National Security Agency personnel on authentication in mobile telephone networks. Having said that, there are several policy reasons why it's good to not ask nor give a password via the phone:
1) in a cubicle environment the password giver may be overheard;
2) the IT department should be excluded from accessing sensitive data on, e.g., the employment (HR) people's computers;
3) there is one additional person who could compromise the password.

In most large corporate IT departments, password resets are typically accomplished by a time-synchronized identity module which permits the IT department to authenticate a user sufficiently to reset the password such that the user can select his/her own password promptly after that. An example is the smart card active ID, see http://www.secureidnews.com/news/2002/09/23/activcard-unveils-activcard-identity-management-systemtm-aims/ .

Thus, to assure proper compartmentalization of data access _within_ a company, it is advisable to implement something along these lines which keeps the password known only to the user and to the authenticating network.

In addition to avoiding problems between departments of a company, the above method also goes a long way to securing the network from more 'James-Bond' like intrusions, which may include social engineering. There is a lot of company time and value tied up in trade secrets. Keeping such secrets within the company is better achieved with robust user-authentication.

Hope this helps.