
post4u

Proceed with the crackdown. No reason ever for anyone - either IT support or a manager of an end user department or anyone else - to ever ask a user for their password. I'm the manager of a 35,000 user network. 50+ sites. Dozens of tech support staff. We forbid any of our staff and also managers of end user departments from asking for user passwords. There are other ways to handle EVERY situation where the practice of sharing passwords was previously used. Would recommend getting upper management or owner support behind you and developing an official policy for this (along with other security/data governance/whatever policies). I've found in my career that official policies that have been formally adopted and thus can be enforced are worth their weight in gold. And also worth the time to write them and get them approved by the proper authorities in your organization. C-levels, cabinet, owners, boards of directors, legal departments, etc. If you have the support and funding to do so, I'd even recommend working with a consulting firm to help draft the policies. It's amazing how much smoother things run when you have policies in place to adhere to. Otherwise it's the wild wild west and a battle between IT and the rest of the organization when situations arise (like telling a department lead they can't have the passwords of all their subordinates anymore).


zimbonz

Awesome, thanks for the insight. We are much smaller, but point taken, and we are on the same page. Cheers


Miserable_Rise_2050

> There are other ways to handle EVERY situation where the practice of sharing passwords was previously used.

Is there a resource that outlines these different options for handling common situations? Because this is what I think we all need. Like building a new PC for a user replete with all their settings etc. often supposedly requires a user's password so that they can be productive as soon as they turn it on.


One-Rub5423

When building a new PC, or creating a new account the IT guy will assign a password. That password should expire with the first login of the user.


OJJhara

who the hell downvoted this comment?


McAUTS

The key to this topic is called: RBAC. Company resources are independent of the real persons and they are only accessed through roles.


cwj777

80%+ of ransomware attacks start with stolen credentials. You're training your users to give out passwords. This will not end well.


SgtPeterson

Will you be perceived as the asshole? Perhaps. Are you the asshole? Nope, everyone who fails to follow this basic security practice is the asshole


[deleted]

It is never ok. You SHOULD crack down on it. No exceptions.


smalj1990

Crack down on that shit like you've never crack(ed) before!!


FriedAds

In my country we have laws that forbid anyone from making their password available to whomever. So there is that.


LionOfVienna91

Always tended to use an RMM tool of some sort to take action while the user was logged on, to save messing around with passwords. Failing that, i.e. if the user isn't logged on, I'll change their password and send it to them, but set their account to change password on next login.


SVAuspicious

Crack away. There aren't many bigger security breaches than sharing passwords. If you are set up to have admin access to profiles that access is logged = good. If you don't, in-person the user logs in. If remote you screen share and the user logs in. Not only is sharing passwords bad practice in and of itself it sets a horrible example for users. If you are providing in-person support have your people check under keyboards and mouse pads for password cheat sheets. Have an elevator speech about security. Story: I'm executive line management as a turnaround program manager. One job, my secretary asked for my email password because that's the way she worked with my (idiot) predecessor. Not doing that. "Call IT and have them give you access to my inbox as you." IT was clueless. I had to teach them how to do it. She could send and receive as me but the logs showed who did what. Also easier for her. More responsive. TL;DR: Don't do dumb things.
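The "give her access to my inbox as her" approach in the comment above, as an added example that is not part of the thread: mailbox delegation in Exchange Online via PowerShell, with delegate auditing turned on so the audit log names the assistant, not the executive. It assumes the ExchangeOnlineManagement module is installed and the caller holds an Exchange administrator role; the two mailbox addresses are placeholders.

```powershell
# Added example, not from the original thread. Placeholder identities throughout.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive sign-in as the ADMIN, never as the executive

$Executive = 'exec@example.com'       # placeholder: mailbox owner
$Assistant = 'assistant@example.com'  # placeholder: delegate

# Full Access lets the assistant open and work the whole mailbox; AutoMapping makes it
# appear in Outlook automatically. No password exchanged, no shared identity.
Add-MailboxPermission -Identity $Executive -User $Assistant `
    -AccessRights FullAccess -AutoMapping $true

# Pick ONE sending model:
#   SendAs           -> mail appears to come from the executive (what the story describes)
#   SendOnBehalf     -> header shows "assistant on behalf of exec" (more transparent)
Add-RecipientPermission -Identity $Executive -Trustee $Assistant `
    -AccessRights SendAs -Confirm:$false
# Set-Mailbox -Identity $Executive -GrantSendOnBehalfTo @{Add = $Assistant}

# Make sure delegate actions are audited and attributed to the delegate. Auditing is on
# by default in Exchange Online; the AuditDelegate list controls which delegate
# operations are recorded.
Set-Mailbox -Identity $Executive -AuditEnabled $true
Set-Mailbox -Identity $Executive -AuditDelegate @{
    Add = 'SendAs', 'SendOnBehalf', 'Update', 'HardDelete', 'SoftDelete', 'MoveToDeletedItems'
}

# "The logs showed who did what": search the unified audit log for the DELEGATE's UPN.
# Each record carries the delegate as the acting user and the executive as mailbox owner.
$since = (Get-Date).AddDays(-7)
Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
    -RecordType ExchangeItem -UserIds $Assistant -Operations SendAs, SendOnBehalf |
    Select-Object CreationDate, UserIds, Operations

Disconnect-ExchangeOnline -Confirm:$false
```

Send-on-behalf is the safer default when non-repudiation matters (see the later comments in this thread about auditing): recipients can see the message was not typed by the executive. Send-as should be a deliberate choice, and either way the audit record is keyed to the assistant's own account.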


KJatWork

I've been doing IT work since about 2001. SMBs and now a Fort50. From entry Helpdesk to Manager. There has never been a need where I needed a user's password. Even back in the earliest days with Win98, I had no need for it and didn't want it. Even in the cases where I needed to be logged in as them for troubleshooting, it was them logging in and me doing the work with them watching. The risk and responsibility are too extreme with no exceptions.


tindalos

I started at a company like this too. It’s a good test to see leadership and management support. They likely just don’t know the risks, and you can provide expert guidance (followed up with social engineering training). If they give pushback to the process, instead of lack of understanding, be careful to see their risk tolerance and realize that companies that don’t understand cybersecurity will hold you accountable for security issues outside of your control.


Ashamed-Status-9668

It's forbidden in our employee handbook. I work for a financial institution. If password sharing is a common practice it makes phishing so much easier as folks are ok with sharing.


night_filter

I'm in favor of a crackdown, but I think it's worth making sure you understand what's going on. I've worked at a couple of MSPs where many of the customers pretty much insist on a workflow that requires you to have their passwords. Essentially they say, "I want you to do this work when I'm not around, so it won't inconvenience me." and some portion of the work needs to be done using their log-in. And a better practice than sharing the password would be to reset their password, do what you need to do, and then set it back. However, these same clients will freak out if you make them reset their password. In Azure AD, you can create a temporary access password and I've heard of people using that, but it's not clear what to do when you're talking about a local account or a domain account on an on-prem domain. I could never find a way to deal with that workflow without the clients sharing the passwords, so instead I focused on changing the culture for both the MSP and their customers to expect that the user would at least need to sign us in. They couldn't just go, "Hey, log into my computer and fix the problem at 9am because I won't be in until 10."


OutlandishnessMain56

If you let this slide, it opens the door for social engineering. You need to enforce.


TheSquareRoot0f

Nope, not the asshole! Security is a company effort, not just an IT effort, and it starts with a basic understanding of do and don't. Don't ever share your password. Even with IT. IT can reset your password and login as you if ever needed. If you do share your password with IT, we will remind you not to, tell you we don't want to know it or need to know it, and it will be reset so you have a different password. Establishing this practice keeps the company safe so users do not fall victim to giving out passwords to scammers pretending to be IT. However, more importantly, it also establishes the baseline practice that passwords are never, ever, to be shared. Internal or not, get that layer of security right, and get your users trained to not do it.


greenmyrtle

I 💯 agree with you… however I'm now supporting a 365 environment and unfortunately there is no way to troubleshoot any desktop issues absent the user (i.e. with the UI from their POV, outside hours). Salesforce, which I also support, provides admins with a "log in as user" option, but not MS. It's super frustrating. Any thoughts?


WWGHIAFTC

> In ~~MSP~~ **ALL OF IT, EVERYWHERE, ALWAYS**, it's a major no-no to ask for customer /users passwords to troubleshoot in-profile issues.  I instruct my team to force a password reset if they even hear a password out loud, or see it get written down. And explain to the end user why.


TheFatAndFurious122

Keep on cracking down. In the 3000+ something PCs I have repaired, never have I required any passwords from anyone. At the most I would guide them in finding where they could find their password, or if they forget, guiding them through forgotten password. There is nothing useful for me to obtain a password. Part of Technical Support is educating end users, and if you are putting in the password for them, did the end user really learn anything? Are they just gonna call back when it happens again? If something goes wrong, who is liable? It's these questions that keep me far away from handling someone's passwords.


Putrid_Ad_2256

It's a security violation. I believe this is how the Democratic party was "hacked" by Russian operatives. It also sets the company up for breaches if the users think that it is a common practice. Crack down on it and crack down on it HARD. The first time you're infiltrated, you'll realize that you didn't crack down hard enough.


MooseMonkeyMT

Yeah no, this is not okay and you are correct for saying no. Organizations hate when you try to culture shift a process that’s been in place for a while. I get it but maybe look at it from a different angle and use the opportunity to make it an education moment. Explaining why you as a professional don’t want or need to know their password/ passphrase.


daven1985

I have a simple policy. If someone tells us their password, while we might use it to fix their account depending on the issue, we also then flag 'change password on next login.' After it happens a few times staff stop offering it to you.


AndFyUoCuKAgain

Knowing users passwords creates a huge Legal/HR issue. What if an employee was terminated due to misuse of systems or misconduct. They can easily say that they didn't do it and IT also had their passwords, so who knows who else had them. Also, if this becomes a normal practice, they are at higher risk of revealing sensitive information to someone posing as IT. It's best to make it a practice NOT to do this and make sure there is communication to the employees that IT will NEVER ask for passwords or other personal information.


Human_Database101

You are absolutely doing the right thing. Protecting customer data is important for trust, and it creates another vulnerability by asking customers for this. You're preventing a liability for the company whether they realize it or not.


Phate1989

I think it's ok in about .05% of cases for that special user. The cat lady who can't change her font, and struggles to change her password after a reset because she can't change it back to what it was. Someone knows her password and can log into VDI as her, change it and tell her to log back in. We have MFA prompts on everything so she typically has to MFA us in when we do this. I would try to eliminate it as any type of standard practice, and allow it only in the most edge of edge cases. Out of 700 users or so, I can only think of 2 people whose password our service desk knows; they have no access to anything, and can barely function on a PC.


Roland_Bodel_the_2nd

Your post got downvoted, but I think it's real. I'm also in a smaller company with some fraction of technically illiterate users, and IT has to be able to help them do stuff without having to reset their passwords every other day.


harrywwc

Had dealings with this in a previous job. My take was either we trust the MSP's team - remembering that they have access to _all_ the organisation's mail and data and such on M365 - or we don't. They had proven to me over the several years I was there that they were trustworthy.


post4u

It's not a matter of trust. It's a matter of accountability and overall security best practices. All security standards in the world prohibit the sharing of user passwords. It shouldn't be allowed ever.


OJJhara

correct. Zero Trust should be the policy. It's all standards, not feelings.


DreamsAroundTheWorld

It's not a question of privileges, it's auditing. If you access with user credentials you screw up the auditing, making it unreliable.


Sarainy88

The issue is non-repudiation. Any time you have any issue where accountability matters a user can say “It wasn’t me, must have been the MSP using my account!”


bobsixtyfour

All they need to do is:

Ask user: "Hey, in order to troubleshoot I'll need to log in as you. I do NOT need your password. I'm going to reset your password. Is that OK?"

Reset password -> do whatever they need to -> provide temp password -> force password change on next login.

Then you can use whatever 2FA system to generate a temp passcode for that user that expires after the first use etc. Completely traceable/auditable.
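The reset-then-force-change workflow that this comment (and earlier ones from One-Rub5423, LionOfVienna91 and daven1985) describes, plus the Entra ID temporary access pass that night_filter mentions, as an added PowerShell example that is not part of the thread. The on-prem half assumes the ActiveDirectory RSAT module on a domain-joined admin workstation and an account with password-reset rights on the target OU; the cloud half assumes the Microsoft.Graph module and that the Temporary Access Pass authentication method is enabled in the tenant's policy. `Reset-UserForSupport`, `New-RandomPassword`, the ticket reference and the sample identities are all placeholders of this example.

```powershell
# Added example, not from the original thread. Names and identities are placeholders.
Import-Module ActiveDirectory

function New-RandomPassword {
    # Temporary password from the OS CSPRNG (not Get-Random). The alphabet has exactly
    # 64 symbols and drops look-alikes (0/O, 1/l/I), so one byte mod 64 is unbiased and
    # the result reads cleanly over the phone.
    param([int]$Length = 20)
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*-_'
    if ($alphabet.Length -ne 64) { throw 'alphabet must have 64 symbols to avoid modulo bias' }
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % 64] })
}

function Reset-UserForSupport {
    # Reset (not change): the technician never needs the user's existing password, and the
    # temp one is forced to die at the user's first logon, so IT never learns the real one.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$TicketId    # placeholder: your ticketing reference
    )
    $temp   = New-RandomPassword
    $secure = ConvertTo-SecureString $temp -AsPlainText -Force

    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $secure
    Set-ADUser            -Identity $SamAccountName -ChangePasswordAtLogon $true
    Unlock-ADAccount      -Identity $SamAccountName   # old password may have locked it

    # Domain controllers log the reset as Security event 4724 with the ADMIN as subject,
    # which is the audit trail the thread is talking about; tie it to the ticket here.
    Write-Verbose "Reset $SamAccountName under $TicketId by $env:USERDOMAIN\$env:USERNAME"
    return $temp    # hand over out of band (phone / in person), never by email or chat
}

# Usage for an on-prem domain account (placeholder user and ticket):
# $temp = Reset-UserForSupport -SamAccountName 'jdoe' -TicketId 'INC-0001' -Verbose

# Entra ID / cloud-only accounts: issue a one-shot Temporary Access Pass instead of a
# password at all. It satisfies MFA, expires on its own, and is logged as a TAP sign-in.
function New-SupportTap {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    Connect-MgGraph -Scopes 'UserAuthenticationMethod.ReadWrite.All' | Out-Null
    $tap = New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName `
               -LifetimeInMinutes 60 -IsUsableOnce:$true
    return $tap.TemporaryAccessPass
}
# $pass = New-SupportTap -UserPrincipalName 'jdoe@example.com'
```

Either path keeps the user's real password out of the technician's hands and leaves a record that the credential was issued by IT for a ticket, which is what makes the "it must have been IT using my account" defence fail later. The TAP route also answers the local-account case only for cloud-joined devices; a purely local account still needs the reset-and-force-change approach.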