Asking user passwords

Posted on 2004-09-22
Last Modified: 2010-04-10
Guys,

I'm in the UK, and have a question re asking users for their passwords. Basically, I have been told to ask users for their passwords when needing to work in their accounts. I have heard that this may be against the law according to the Data Protection Act; however, the act does allow for you to change a user's password to gain access to their account. Obviously, I see this as a security risk as people shouldn't tell anyone their password; however, I have been told to do this as it is considered standard practice in my company.

Can anyone confirm or deny this as I don't want to end up in court for doing my job.

Thanks.
Question by:InteraX
5 Comments
 
LVL 6

Accepted Solution

by:
rj-smith earned 125 total points
ID: 12121571
I'm not sure there would be anything in the Data Protection Act about asking users for their passwords, as it's more concerned with the privacy and release of stored information. Having said that, I can't claim to be any kind of expert.

However, I would say that it is extremely bad practice to ask users for their passwords. Social engineering is a common tactic for hackers to use to breach the security of a company. If they managed to get hold of your phone list they could randomly phone up users, pretend to be from IT, and then ask users for their passwords. If this is commonplace within your company then users are likely to comply!

At the very least, ensure users are instructed never to reveal their passwords over the phone or by email and, if possible, only to IT staff they know or who can provide ID.
LVL 7

Expert Comment

by:gnegrota
ID: 12121755
There is one situation: an IT professional must do something as an existing user.
If the system doesn't provide a tool to do that without knowing the account password (an su utility), the operation must be done in the presence of the account owner, and the password must be typed by the owner. In any other case, the account password must be changed and the account blocked until the owner asks for it to be unblocked.
LVL 7

Expert Comment

by:crazijoe
ID: 12122111
I don't think it is against the law in a private organization, because the data in their accounts is the property of the company you work for. In a public market, yes, it is against the law. However, if you are told to ask users for their password to get into their accounts, this is a bad policy for your company. The norm is that a legitimate IT administrator would reset the user's password to gain access to their account.
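The two procedures the comments by gnegrota and crazijoe describe, as an added example that is not part of the original thread: an administrator either works in the account by impersonation (root needs no password for su) or resets the password, forces a change at the owner's next login and locks the account until the owner asks for it back. The script assumes a Linux host with shadow-utils (chpasswd, chage, passwd -l/-u) and root privileges; the user names, the RUN dry-run variable and the function names are this example's own.

```sh
#!/bin/sh
# Added example, not code from the thread: working in a user's account on a
# Linux host without ever learning the user's password.
#
#   work   - run a command as the user; root needs no password for su
#   reset  - set a one-time password, expire it, and lock the account
#   unlock - re-enable the account once the owner asks for it back
#
# Assumes shadow-utils (chpasswd, chage, passwd -l/-u) and root privileges.
# RUN=echo prints the commands instead of executing them (dry run).
set -e
RUN="${RUN:-}"

# Run CMD as USER. As root, su never prompts for the user's password
# (sudo -u "$user" -i is the equivalent where sudo is the site policy).
work_as_user() {
    user="$1"
    shift
    $RUN su - "$user" -c "$*"
}

# 24 hex characters from the kernel RNG; handed to the owner in person.
temp_password() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Reset, expire and lock. The owner must choose a new password at first
# login, so the one-time value cannot be reused after that, and the lock
# stops anyone (the administrator included) logging in before the owner.
reset_and_lock() {
    user="$1"
    tmp="$(temp_password)"
    $RUN chpasswd <<EOF
$user:$tmp
EOF
    $RUN chage -d 0 "$user"      # last change = epoch: change at next login
    $RUN passwd -l "$user"       # lock until the owner asks
    echo "$tmp"                  # one-time value for the owner
}

# Unlock only on the owner's request, never in advance.
unlock_for_owner() {
    $RUN passwd -u "$1"
}

case "${1:-}" in
    work)   work_as_user "$2" "$3" ;;
    reset)  reset_and_lock "$2" ;;
    unlock) unlock_for_owner "$2" ;;
    *)      echo "usage: $0 work USER CMD | reset USER | unlock USER" >&2 ;;
esac
```

Run `RUN=echo sh admin-access.sh reset alice` first to see the three commands it would issue, then without RUN as root to apply them; `sh admin-access.sh work alice 'ls -la ~'` is the impersonation path and asks for nothing. The one-time password is printed once so it can be handed over in person, which matches the "in the presence of the owner" condition above, and the account stays locked until `unlock` is run on the owner's request.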
Expert Comment

by:phone-pilot
ID: 12124219
I am not a UK attorney, but I am a US attorney. I've filed technical documents on firewalls, and have briefed National Security Agency personnel on authentication in mobile telephone networks. Having said that, there are several policy reasons why it's good to neither ask for nor give a password via the phone:
1) in a cubicle environment the password giver may be overheard;
2) the IT department should be excluded from accessing sensitive data on, e.g. the employment (HR) people's computers;
3) there is one additional person who could compromise the password.

In most large corporate IT departments, password resets are typically accomplished by a time-synchronized identity module which permits the IT department to authenticate a user sufficiently to reset the password, such that the user can select his/her own password promptly after that. An example is the smart card ActivCard ID, see http://www.secureidnews.com/news/2002/09/23/activcard-unveils-activcard-identity-management-systemtm-aims/ .

Thus, to assure proper compartmentalization of data access _within_ a company, it is advisable to implement something along these lines which keeps the password known only to the user and to the authenticating network.

In addition to avoiding problems between departments of a company, the above method also goes a long way to securing the network from more 'James-Bond' like intrusions, which may include social engineering. There is a lot of company time and value tied up in trade secrets. Keeping such secrets within the company is better achieved with robust user-authentication.

Hope this helps.