Ethical/Legal Reasons for keeping passwords secret?
August 6, 2008 12:49 PM   Subscribe

What are your ethical opinions on supervisors knowing thier direct reports login information?

I work in IT for a small company (re: I AM the IT department). A supervisor recently requested all of his employees' login information under the guise that some employees leave certain programs logged in. Now, obviously this is not the true issue at hand. I informed this person that I could not, in good conscious, divulge that information (all new accounts are forced password changes at first login, and every X days afterwards) even if I had it.

I'm in an equal position as this person, so anything serious (firing, etc.) is extremely unlikely, but knowing this person, they will make my life difficult if they possibly can.

I've been in IT for over 10 years, and every employer has handled it the same way: if you have a specific need for something, we'll retrieve that data if it's work related, but we're not giving up passwords.

I'd love to hear the hive mind's thought on this. Yes, you are not my lawyer.
posted by chrisfromthelc to Computers & Internet (32 answers total)
 
I don't think there's any ethical issue involved. For instance, corporations are completely within their rights to install keyloggers on all employee computers, and the courts have said so.

There may be other issues e.g. relating to security, but ethics doesn't come into play. An employee is not entitled to any privacy when using computers belonging to his employer.
posted by Class Goat at 12:55 PM on August 6, 2008


An employee's right to privacy at work is a legal issue, not an ethical one. MORALLY, anyway, I would never demand that the people that report to me give me their log ins. I am not big brother and I wouldn't want to run my department that way. If I have to do that then I am a poor manager. So my answer would be that ethically I think it's wrong. And if I would probably refuse if my boss asked me to provide it. My company's IT people do not have access to our passwords - they are encrypted in a file that they cannot read from.
posted by spicynuts at 12:58 PM on August 6, 2008


Accountant here, been involved in many SOX audits of major corporations in the past. Obviously, different rules apply to smaller organisations vs SEC registrants. I would think that the only people who should have access to their log-ins are the employees themselves and the IT department.

Go with your instincts dude. You have it right.
posted by ClanvidHorse at 1:01 PM on August 6, 2008


Agree with Goat that a company can basically do what it wants with employee password policies.

That said, the potential ethical issue here is this supervisor's reason for requesting passwords. Maybe there is some valid reason specific to your systems, but it seems very fishy, and it suggests that this guy is either incompetent (willing to compromise password security for some small convenience) or has some ulterior motive (wants to read employee email?). Challenge his reasoning.
posted by qxntpqbbbqxl at 1:09 PM on August 6, 2008


It is a breach of security, as well as a breach of ethics, for managers to be able to digitally pretend to be their staff. It doesn't matter if they "wouldn't do it", it must be prevented completely, and that means everyone.

Most companies recognize that the prevention of such shenanigans is a priority.
posted by Citrus at 1:09 PM on August 6, 2008


There may not be an ethical issue regarding privacy--I guess it's generally considered reasonable for an employer to monitor their computers/network--but there's definitely an ethical issue regarding impersonation. A supervisor with passwords can send emails under an employee's name, attempt to break into another part of the company without their own info showing up in security audits, etc. I'd say it's ethically similar to forging an employee's signature, or stealing their keycard, or something like that.
posted by equalpants at 1:10 PM on August 6, 2008 [3 favorites]


Actually, the fact that you yourself can see an actual password for an employee seems a little precarious as well. What if someone gets YOUR log in then steals all employee passwords?
posted by spicynuts at 1:13 PM on August 6, 2008


@spicynuts: I cannot see ANY employee's password:

"I informed this person that I could not, in good conscious, divulge that information (all new accounts are forced password changes at first login, and every X days afterwards) even if I had it"
posted by chrisfromthelc at 1:15 PM on August 6, 2008


There are some ethical and moral issues with doing this, and those are muddied yet more by the corporate aspect of the situation, but they can be safely disregarded because the objection to shared accounts is not a moral or ethical one. It's one of accountability.

Sharing account information -- your own or that of others -- has been an actionable (read: "termination") offense in every place I've worked for the last 15 years. I would not provide IT service to an employer that undermined accountability with shared accounts, as it makes it much more difficult to determine who did what, and in the end the finger would get pointed at IT for not using its Magical IT Powers to know who is sitting in the chair when a shared account is used incorrectly, inappropriately, or ignorantly.

So yeah, this is one of those situations where my answer to the question is "Hell no." If that answer, accompanied by the appropriate "are you even SENTIENT!?" look of astonishment, doesn't settle the issue, then my answer changes to "Hell no, or I walk." Neither you nor I should be expected to set ourselves up for a brisk railroading due to lack of accountability, and that should be made clear.
posted by majick at 1:17 PM on August 6, 2008


I don't think there's any ethical issue involved. For instance, corporations are completely within their rights to install keyloggers on all employee computers, and the courts have said so.

Yes, the corporation is within its rights to know what the employee is doing on its computers. And should they need to do so, they should have means of doing so (such as the aforementioned keylogger!) without the employee having to divulge their password. "The corporation should be able to track what employees are doing on its computers" does not imply "an employee must give up his password to his supervisor on request." If the supervisor is untrustworthy, he could use the login information to do something nasty under someone else's ID in an attempt to frame them.

I work for a Fortune 500 company, and we have a strict policy against employees giving system passwords to anyone else, even within the company. Anything IT needs they can get without a user's password.

You (OP) are exactly right. Furthermore, depending on the relationships between you and this supervisor and your own supervisor, you might want to let your supervisor know of the request (either with or without naming the specific person who made it, depending) so that your supervisor is prepared to back you up if the person who made the request tries to escalate it.

You can also fall back on the technical reason (emphasize the "I don't have the password" part, de-emphasize the "I won't give you the password" part) if you need to.
posted by DevilsAdvocate at 1:25 PM on August 6, 2008


No, not with "a supervisor", and not even with the owner. If they need to log someone out or audit their e-mail, you can provide those services.

Sharing account information -- your own or that of others -- has been an actionable (read: "termination") offense in every place I've worked for the last 15 years.

Just as a contrary point: it has not been actionable at any place I've worked for the past 20 years. It has always been common, and smiled upon by management, for work teams to share login info, in every office I've ever worked in. Do you shut down for the day if the receptionist and the IT guy are sick, for example?

But that doesn't mean that any supervisor should have immediate access to each of their underlings' passwords.
posted by ten pounds of inedita at 1:28 PM on August 6, 2008



Accountant here, been involved in many SOX audits of major corporations in the past. Obviously, different rules apply to smaller organisations vs SEC registrants. I would think that the only people who should have access to their log-ins are the employees themselves and the IT department.


Can I correct myself? I meant that only IT and the person should have access to an account but under different User IDs that should be traceable as separate users.
posted by ClanvidHorse at 1:28 PM on August 6, 2008


"I informed this person that I could not, in good conscious, divulge that information (all new accounts are forced password changes at first login, and every X days afterwards) even if I had it"

I don't understand. When you say you could not, in good conscience, divulge that information, aren't you really saying that you don't have it? So that your ethical qualms are essentially irrelevant, and you are picking a fight?

It may be that you anticipate that the requesting individual will ask whether you could capture the passwords somehow, and that you believe the answer is yes. (That must be right, at least through some change in the system.) Then the so-called ethical question is raised.

Except that I don't see it, without you saying more about why you believe the individual wants it. If they want it for some unethical reason (e.g., impersonation), it is probably unethical for you to assist them. However, a broad range of potential purposes (such as monitoring PC use) are probably neither unethical or illegal.

To me, the most likely ethical question is whether you could assist in the disclosure of passwords if that were kept secret from the end users, and they had reason to believe that no one had such access.
posted by Clyde Mnestra at 1:33 PM on August 6, 2008


It has always been common, and smiled upon by management, for work teams to share login info, in every office I've ever worked in. Do you shut down for the day if the receptionist and the IT guy are sick, for example?

Our receptionist and IT guy are smart enough to place information that other people may need in places where other people can get at them without knowing their passwords. Modern computer systems do generally allow for sharing information between users, after all.
posted by DevilsAdvocate at 1:35 PM on August 6, 2008


Sorry, OP...I misread that sentence to mean 'would not' instead of 'could not'.
posted by spicynuts at 1:46 PM on August 6, 2008


@Clyde Mnestra

The reason I was given that the passwords were needed was because of a poorly written application that one or two users sometimes leave logged in overnight (ironically, he was one of the main users causing the problem), and cause files to be locked from editing and other users to not be able to log into that particular application. We've since remedied this be forcing reboots of machines at night until the manufacturer of that software corrects the issue (this was at least a couple of weeks ago this took place). This has been reiterated to this person, so the reason they're still giving for needing passwords is well, BS.

The reason I've stated that I could not (in good conscience) give out any passwords is that this person has been trusted with access (nothing systems-critical, but above average user-level) before and attempted to abuse the privilege.

Obviously, I could manually reset every user password and provide it that way, but I cannot give out CURRENT passwords without circumventing security measures.

It's part of a bigger problem, really. This person wants to control everything, and they are neither capable technically, managerially, or otherwise. It seemingly has nothing to do with monitoring (for which I've given this person several avenues to do). I've also volunteered to assist them if there is specific activity or information they are looking for, but they continue to decline.

Believe me, I've been thinking about this long and hard.
posted by chrisfromthelc at 1:57 PM on August 6, 2008


What all can they do with the password? Where I work, a user can get into his payroll account, modify his 401(k), change insurance, etc. So I think there is an ethical aspect to this question.

Users shouldn't expect the data they produce or any privacy from authorized access, but unless this monkey works in HR he has no right to any of the above info.

In the event he does gain access to this list, and I don't even see a technical way to do it if there is forced changing, at a minimum the users need to know he has the access.

I think I would handle it that way. "I'm sorry, I only have the authority to override a password. Even I can't see what the current one is. You'll have to ask your people for their passwords if you want them."

Then punch him.

Even if all you have is access to email, this is still a bad idea. Imagine the emails that could be sent on "behalf" of an employee. Seems you;d be open to all kinds of lawsuits if something bad happend.
posted by cjorgensen at 2:11 PM on August 6, 2008


I'm about to expose either my ignorance of security measures or of your relations with this individual, but I would cope with this by playing dumb, saying:

1. "Don't worry -- problem solved. Lockout won't be happening with this forced rebooting thingy, and it'll be better once we get the software manufacturer solution. So everything's fixed."

2. "You still want the passwords? Well, [start loop with #1]."

3. If confronted with non-falsifiable, non-loopable explanation about why access to passwords still necessary, one that can't be deferred somehow pending software manufacturer solution, say: "Users are changing those all the time now thanks to the new prompts. I can't hardly keep up."

4. If forced, say "I think that's likely to create more of a security hazard than it's worth."

5. If matters progress, say " Of course, if you insist on it, I will have to tell everyone that we have their passwords. Also, in the spirit of full disclosure, I just want to caution you that those of us in IT will be able to tell each time those passwords are used by someone else. Again, I think this is more trouble than it's worth, unless there's a problem you're not telling me about."

As to whether this is an ethical issue for you, I guess it depends on how these have been abused in the past.
posted by Clyde Mnestra at 2:12 PM on August 6, 2008 [1 favorite]


The reason I was given that the passwords were needed was because of a poorly written application that one or two users sometimes leave logged in overnight (ironically, he was one of the main users causing the problem), and cause files to be locked from editing and other users to not be able to log into that particular application. We've since remedied this be forcing reboots of machines at night until the manufacturer of that software corrects the issue (this was at least a couple of weeks ago this took place). This has been reiterated to this person, so the reason they're still giving for needing passwords is well, BS.

I think you'd be covered by "There is no valid business reason why you would need these passwords. If you have a specific need for information or you need people logged off, let me know and I can provide those services for you without divulging passwords."

As others have said, there are plenty of good moral/ethical/responsible/practical reasons not to give this guy the passwords. Two I would mention that I haven't seen yet are (1) An employee who expects his password to remain private may have naively used a password that also accesses his non-work resources like bank accounts, etc., and (2) A person who is "not technically capable" who nevertheless "wants to control everything" should have very limited access on your network, to keep him from breaking anything.

Knowing that you're in the right to keep the passwords private, it seems like the greater issue here is your concern that he will make your life miserable if you don't provide the passwords. You need to figure out a way to get around that. I think the best you can do is respond with a polite and consistent reiteration that you'd be happy to help him accomplish whatever he needs, without giving out the passwords, any time he asks for them.
posted by vytae at 2:17 PM on August 6, 2008


I'd say draft a letter to the highest folk(s) in the company, stating that you need to understand what the company policy is for the following scenario (followed by a brief description.) No names or departments.

If they define a policy, great, go by it. If they ask who it was, well, you can tell 'em because they obviously weren't trying to do anything wrong, as far as you know. If they say "it's up to you", get that in writing. Oh, and if they define a policy that *does not* include noting who's asked for passwords, or who's obtained them through you according to policy, recommend such an addition.

In short, make sure you have a policy in hand that makes it less ilkely the person will make trouble for you, and so that if they insist despite the policy you can escalate it, and get that policy in a way that doesn't make it look like you're trying to get that person in trouble.

Finally: if this particular person regularly makes trouble, how do you know they don't want those passwords in order to make trouble for someone else? Hence, let your bosses decide, and take subtle steps to encourage a paper trail.
posted by davejay at 2:21 PM on August 6, 2008


Our receptionist and IT guy are smart enough to place information that other people may need in places where other people can get at them without knowing their passwords.

Like the temp who'll need to access the receptionist's computer? Good trick. I understand that competent IT planning would set up a system ahead of time such that access to general delivery mail and a Windows-based phone switchboard would not require the receptionist's password, but I've never had the good fortune to work at such a place.

That was just one example, of course. There are many compelling reasons for passwords to be shared. Just not en masse.
posted by ten pounds of inedita at 2:35 PM on August 6, 2008


What davejay said. Handle this through this person's more sane supervisors, without outright actions to get the person in trouble. That way, you're on record as simply wanting consistent security policies that protect the organization's interests (including all the legal stuff that HR specializes in knowing).
posted by salvia at 2:45 PM on August 6, 2008


Even setting the ethical concerns aside, which you are correct on, your company needs set policies for these situations. If nothing else it will make sure that you are immune if there are legal problems. I would sit down with the boss and discuss drafting a security policy, without mentioning this other employee directly. You need rules that you can point to. Security considerations should never cause you problems with a fellow employee. You have a job to do and your boss needs to have your back on this.
posted by dosterm at 2:55 PM on August 6, 2008


I would really feel uncomfortable doing this!

FWIW, here's how I would handle it: I'd decline, but suggest as an alternative that IF anyone logs in and causes a problem, you be the "on call" contact person. I'd probably stress to the supervisor that there are confidentiality issues and you wouldn't want to open the corporation up to a possible lawsuit--maybe that will make him back off.
posted by misha at 4:49 PM on August 6, 2008


My concern is that some employees might be using passwords that they also use for non-work-related logins. Of course, people shouldn't do this but they do. I think it's only fair to tell the employees that their passwords could be given out and encouraging them to NOT use the same passwords for work and non-work stuff. Insist that the boss give employees an amount of time to change things before you will give him the password.

That's my only ethical dilemma and I think that, even though there is no privacy at work, it's a quite reasonable solution.
posted by Waitwhat at 5:27 PM on August 6, 2008


I know you said you work at a small company, so you may not have an HR person or division, but I'd start by asking the HR department for policy on this and inform them that there has been a request. If no HR division, perhaps you have a corporate lawyer or firm that represents the company? Can you tell the lawyer that the request has been made and that you, as an IT person, do not want to be held liable for exposing users to this security breach and that if it's going to be done it needs to be sanctioned by the lawyer? Maybe this will prompt someone who CAN shut him up to have a sit down with him and explain why this is a very very very bad idea and also you can cover your ass if forced to do it anyway.
posted by spicynuts at 6:31 PM on August 6, 2008


Just to make sure it's said, I can't imagine a secure network setup these days in which this would even be possible; users' passwords should really never be stored in any readable way on the network, nor should they be stored in a way that should be able to be decrypted or otherwise interpreted back to their actual passwords. I can't think of a modern operating system that does so; instead, they all store the passwords as one-way hashes, meaning that the password was turned into a string of jibberish via a one-way mechanism that cannot be reversed.

chrisfromthelc, I know you say that one way you could fulfill this tool's wishes is to manually reset every user's password, but would your users actually allow this to happen without wondering why, and immediately changing their passwords to something else (which again, you wouldn't have any way to read)? So I guess I'm confused -- did this tool supervisor guy tell you that you should reset them all and give them to him? If not -- and I cannot imagine someone actually suggesting that -- why not just tell him that you actually have no way to get at the passwords (which should be the truth), and leaving it to him to figure out a "solution" to this?
posted by delfuego at 7:12 PM on August 6, 2008


To be very explicit about the accountability that majick ably pointed out... if anyone is sharing passwords, then any operating system functions or other applications that log user information (file ownership and email authentication are a couple of examples) which are very elaborately designed to be linked to individuals are suddenly useless. Software is designed to remember this kind of stuff in exactly the ways that people don't. Moreover, if a boss and employees share passwords, you open yourself up to very dangerous he-said-she-said situations wherein employees can accuse the boss of logging in and manipulating things, and vice versa. You really don't want to have to mediate that kind of situation.
posted by mindsound at 7:48 PM on August 6, 2008


What do your systems do? Because if any of it feeds into a financial reporting application, I'd be very, very concerned about the business controls posture created by people who would normally fill different rolls in the process having access to multiple logins with differing authority. If a transaction type is supposed to be entered by one level/type of employee and signed off by another level/type of employee, and one employee has both sets of authority, goodbye control point.
posted by jacquilynne at 8:54 PM on August 6, 2008


@delfuego, No, he didn't suggest that, and I didn't bring that to his attention. I was just "thinking out loud".

I've got the situation handled for the most part; I had a long discussion with the owner of the company, highlighting what exactly was requested and what my thoughts were on the issue (which pretty much lined up with majority opinion here). I've got a meeting scheduled with our company legal counsel Monday to go over our pitiful excuse for an IT policy (written by someone with no technical expertise, obviously) and make necessary adjustments so this doesn't become an issue again.

Thanks for all the wisdom, folks.
posted by chrisfromthelc at 9:00 PM on August 6, 2008


corporations are completely within their rights to install keyloggers on all employee computers, and the courts have said so

Yes, but once anyone from the corporation uses any information they find to log into that user's accounts on, say, Gmail or Facebook or what-have-you, they're looking at the business end of a big lawsuit, and the employee who misused the login info is looking at jail time.

I'm worried that the supervisor you mention is looking to do things which he may not know are criminal.
posted by oaf at 3:51 AM on August 7, 2008


Can you find a way to make people use a different login/pw for the problem system, and that userid/pw can be used to unlock files. Sharing passwords is just not acceptable. Exceptions in our IT Dept: Legal dept., Head of HR, and a person 2 levels above the user can get access to their account. Not their password, as it isn't visible.

You need to develeop a policy that you can refer to so you don't have to deal w/ this kind of crap.
posted by theora55 at 10:12 AM on August 7, 2008


« Older What is the easiest way to rea...   |  Identify a bluegrass/country s... Newer »
This thread is closed to new comments.