• Status: Solved

Asking user for a password

Not a technical but more of an ethical question.

I noticed some consultants like to ask a user for their password. I strongly like to avoid that and use an admin account or create another account to test. I understand there are some pros and convenience to that. But I always like to avoid that.
I think this is just not very ethical and can create some legal issues in the future in case things go wrong...

What's your guys' take on that?
8 Solutions
I would agree that any consultant should be given their own password for the task.
It should be fine as long as the forced password change is performed after the consultant is finished. Sometimes it's just impossible to fully test or resolve due to profile issues.

Ensuring the password is reset so the consultant no longer has the actual password should be mandatory.
If you are talking about the Consultant doing some work in the database, then I would say that the Consultant should be provided with a User Name and Password that provides the necessary (and no more than the necessary ;-) access while also ensuring that the source of changes, etc., can be traced to the Consultant.

If, on the other hand, the Consultant is debugging an issue that the user has encountered, then it is very possible that the Consultant will need to log in as the user, in which case, the Consultant will need the user's password.  As previously stated, though, the password should be changed immediately upon the Consultant no longer needing to use it (presumably when the Consultant resolves the issue ;-).

Thomas Zucker-Scharff (Systems Analyst) Commented:
I do what bearpeidog suggested.  Passwords are necessary for some installs, tests, cleans.  I always make sure that the password is set to force the user to change at next login and I log out before leaving their machine.  I also make it a policy to always look away when users are typing in their passwords.   Most users will say, "You don't have to do that." or something similar, but there is always the user that will want it and it is the only ethical thing to do, IMHO.
If you are very concerned about sharing the password for troubleshooting, the consultant could use a desktop sharing application to remote into the machine that the error originated from and collaborate with you about the issue. Some examples are Remote Desktop, GotoMyPC, LogMeIn, TeamViewer.
One more thing to add - a standard confidentiality agreement between the company and vendor should also be in place to protect the company from any wrongdoing/misuse by the vendor.
Leon Fester Commented:
There shouldn't be any reason or time for a consultant to ask a user for his/her password.
My approach when dealing with sensitive clients/data is to ask the user to wait while I work, and then ask them to enter their credentials when needed.
Sadly, in some cases, users just give the passwords because they'd rather go smoke or chat to their friends.
I usually then get the user to change the password after I've done my work.

I'd say, don't get into the habit of asking people their password, but if they do offer it, then get them to change it once you're done with your troubleshooting/fixing.
The company policy should be that a user NEVER EVER gives their password out to anyone. That user can then claim that he/she didn't "do it". It will make your life much more difficult if something illegal occurred. Additionally, if your company takes credit cards this could be considered a PCI violation.
Tiras25 (Author) Commented:
