Wednesday, June 24, 2009

No, you can't have my password

A friend of mine recently left their job and was asked to hand over the password that they had used to access company email, etc. As a sometimes security consultant, I advised against it.

I'll also be advising against applying for a job in Bozeman, Montana, where the city requires job applicants to divulge the passwords they use to log in to Facebook, Google, Yahoo, YouTube, MySpace, etc.

Sharing your password is a bad idea for a number of reasons.
  • Many people use the same password for multiple sites (don't do that!), so revealing the password for one site may also reveal the password for that person's bank.
  • The password to an email account lets whoever holds it use the password reset feature of other sites, since reset links and codes are delivered to that mailbox. Sure, banks typically require other information to reset a password. What are the odds that the Bozeman employment application doesn't also ask for some or all of that information?
  • Picking good passwords is hard. Many people use a strategy to pick passwords, and the more of one person's passwords you have, the easier it is to infer the strategy and guess the rest.
But what about the legitimate business needs here? In the first case, the system administrator can grant access to the mailbox to anyone who legitimately needs it, or simply reset the password, in accordance with company policies that cover access to that information; the departing employee's password never has to change hands. In the second case, the city of Bozeman doesn't need passwords to access public information on those sites, and has no business accessing private information.
