Asking user for a password

Posted on 2011-05-02
Last Modified: 2012-05-11
Not a technical but more ethical question.  

I noticed some consultants like to ask a user for their password.  I strongly like to avoid that and use an admin or create another account to test.  I understand there are some pros and convenience on that.   But I always like to avoid that.  
I think this is just not very ethical and can create some legal issue in the future in case things go wrong...

What's your guys take on that?
Question by:Tiras25
    LVL 6

    Accepted Solution

    I would agree that any consultant should be given their own password for the task.
    LVL 1

    Assisted Solution

    I should be fine as long as the force password change is performed after the consultant is performed.  Sometimes it's just impossible to fully test or resolve due to profile issues.

    Ensuring the password is reset so the consultant no longer has the actual password should be mandatory.
    LVL 22

    Assisted Solution

    If you are talking about the Consultant doing some work in the database, then I would say that the Consultant should be provided with a User Name and Password that provides the necessary (and no more than the necessary ;-) access while also ensuring that the source of changes, etc., can be traced to the Consultant.

    If, on the other hand, the Consultant is debugging an issue that the user has encountered, then it is very possible that the Consultant will need to log in as the user, in which case, the Consultant will need the user's password.  As previously stated, though, the password should be changed immediately upon the Consultant no longer needing to use it (presumably when the Consultant resolves the issue ;-).
    LVL 26

    Assisted Solution

    by:Thomas Zucker-Scharff
    I do what bearpeidog suggested.  Passwords are necessary for some installs, tests, cleans.  I always make sure that the password is set to force the user to change at next login and I log out before leaving their machine.  I also make it a policy to always look away when users are typing in their passwords.   Most users will say, "You don't have to do that." or something similar, but there is always the user that will want it and it is the only ethical thing to do, IMHO.
    LVL 6

    Assisted Solution

    If you are very concerned about sharing the password for troubleshooting, the consultant could use a desktop sharing application to remote into your machine that the error originated from and collaborate with you about the issue. Some examples are Remote Desktop, GotoMyPC, LogMeIn, TeamViewer.
    LVL 13

    Assisted Solution

    One more thing to add - a standard confidentiality agreement between the company and vendor should also be in place to protect the company from any wrongdoing/misuse by the vendor.
    LVL 26

    Assisted Solution

    by:Leon Fester
    There shouldn't be any reason or time for a consultant to ask a user for his/her password.
    My approach when dealing with sensitive clients/data is to ask the user to wait, while I work and then ask them to enter their credentials when needed.
    Sadly in some cases, users just give the passwords because they'd rather go smoke or chat to their friends.
    I usually then get the user to change the password after I've done my work.

    I'd say, don't get into the habit of asking people their password, but if they do offer it, then get them to change it once you're done with your troubleshooting/fixing.
    LVL 10

    Assisted Solution

    The company policy should be that a user NEVER EVER gives their password out to anyone. That user can then claim that he/she didn't "do it". It will make your life much more difficult if something illegal occurred. Additionally, if your company takes credit cards this could be considered a PCI violation.
    LVL 17
