Not sure on this one.

[LadySlinger]

Hi Everyone,

Our office numbers have been down and same with our district. I'm the lone system admin/support at the main office.
So that said, I received an email the other day from the district manager requesting me to collect passwords for all computer access, email access, vendor access, company software access, etc and she wants this list by the time she comes back from the a trip. She evens wants to know the passwords for my access.
So long story short, you obviously know the high risk in sharing passwords, especially any administrative passwords which is why I am concerned.

Has anyone else run into this and if so what were the consequences?

 

[carrr]

To the point:

If this person is your boss, then you provide them the list.
Clinging to a "higher ideal" will only be seen as insubordination and may have adverse effects on your job security..

If this person is not your boss, then get with your boss and let them make the call or intercede.

Tired of waiting for an answer? Try asking better questions. See: faq222-2244

 

[KornGeek]

Our office numbers have been down and same with our district. I'm the lone system admin/support at the main office.
So that said, I received an email the other day from the district manager requesting me to collect passwords for all computer access, email access, vendor access, company software access, etc

It sounds to me like password security isn't really what you're concerned about. If you're afraid you're going to lose your job, clinging to a password will not help you. Instead, it will only usher you out the door faster and on less friendly ground.

 

[SQLSister]

Sounds like a layoff is coming up. Do not discuss this as a possibiility with anyone except your supervisor. You need to collect the requested passwords as you have been asked to do. But if I were you, I would most certainly be working on my resume.

Questions about posting. See faq183-874

 

[LadySlinger]

Actually I have been working on my resume for the past several months. Unfortunately the IT market isn't great in my area, so I'm rethinking other possibilities.

In anycase though, thanks for the heads up.

 

[JRBeltman]

PS Obviously put in a disclaimer with the paswords that what ever happens to them is not your responsibility.

You would not want to get blamed for some strange things happening to user accounts etc, would you?

JR
As a wise man once said: To build the house you need the stone.
Back to the Basics!

 

[Tarwn]

On the other hand, this could just be a check to make sure ex-employee accounts have been cleaned up (or old contractors, whatver). I would think tat an HR list would make a lot more sense than an account list (especially if she wants things like contractors included).
Sounds to me like it is housecleaning time, but account house cleaning, not people house cleaning.

-T

_{01000111 01101111 01110100 00100000 01000011 01101111 01100110 01100110 01100101 01100101 00111111}
The never-completed website:

http://www.tiernok.com/

 

[chiph]

She might have read in an airline magazine that all the important passwords need to be in a file in case the admin gets hit by a bus.

It's a good idea to have a sealed envelope labelled: "In the event of my untimely demise" that has all the passwords and keys (metal & RF) needed to access the servers. This should be kept offsite by a trusted individual (corporate attorney?) and not in a bank vault or with the backup tapes. (Bank deposit boxes are sealed once the bank learns of the death of the account holder -- the executor of the estate is then the only one who can open it).

Chip H.


____________________________________________________________________
If you want to get the best response to a question, please read FAQ222-2244 first

 

[rosieb]

As standard, all our Admin passwords are kept in a restricted file, available only to those who "need to know" with a copy kept in the Distaster Recovery battle box. All are changed when a member of the IT staff leaves, or if we suspect a password has been divulged.

LadySlinger
Your admin passwords should be passed on at request to a senior - but only if that person has authority to request them.

Your personal passwords (or anyone else's) should never, ever, ever be divulged. Their use could lead to you or someone else being held responsible for someone else's access. The Admin passwords will allow any necessary access to the systems, including the right to change passwords.

If your official procedures allow for your District Manager to be given the Admin passwords, then hand them over, but I'd suggest you check first with Head Office that she actually has the right to request them. But under no circumstance hand over any personal passwords.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)

 

[JRBeltman]

Rosie is right!

This is playing with fire. As I said before: Cover yourself!
Handing over all user names and passwords (for what???) is madness! And it can be used against you!!

And what is the value anyway? Hand them over now, but if you have a good password policy the users should be changing their passwords at least once a month. So the passwords are never up to date.

On the other hand I can understand the wish to have the admin passwords in a file somewhere heavily protected, but accessible by those who require access (like in case you are unable to get into work and can not be contacted, but there is an emergency). Let me stress that this only goes for admin passwords!

And even in such a situation you could create a user with admin rights and give the people who require it access to this account.

JR
As a wise man once said: To build the house you need the stone.
Back to the Basics!

 

[rosieb]

JRBeltman
>Rosie is right!>
Music to my ears!.... Can I quote you on that?

LadySlinger

The key is your security policy, if you have a formal one - and I know many organisations don't, then follow the rules.

But, never, ever give out personal passwords - especially your own. No proper policy would ever require that. If that is required you have a major security breach.

Rosie
"Never express yourself more clearly than you think" (Niels Bohr)

 

[JRBeltman]

Quoting is allowed, but only if not taken out of context

JR
As a wise man once said: To build the house you need the stone.
Back to the Basics!

 

[LadySlinger]

Thanks again,

I'm hoping that's what is going on is that its just a security procedure as opposed to anything else.
Plus it is audit time in our office. I know in the past I've been scolded by an auditor for documenting passwords, including admin passwords. So I took the extra step and password protected the sheet, so as not to screw up any one.

Rosie - I did look through our employee handbook on this too and no individual is specified on getting admin passwords. It just says "Those with priviledges are allowed rights to your password(s) or your immediate supervisor, but only if necessary".

JRBeltman - I have kept the emails and forwarded them to my home account, just incase someone is up to no good. Then that way I'm covered.

Just from certain rumors around the office though, the DM might be after the someone else in the office and since I get along with her that I might leave as well or that she might try to take me down with her. So I think the DM is doing extra precautions b/c of this. Like I said before though, with the IT market as it is, I'm going for survival of the fittest!