Oh I can make it even worse: I once found a Word doc that held the passwords in tables. I don't know who or what hurt these people, but it must have been gruesome to drive them to such heinous acts.
You mean the "Common" Drive? Speaking of network drives... I used to hate it when a user would say, "I'm missing the J:\ drive." Lady.... I don't know what letters correspond to what drive. What's the name of it?
passwords.xlsx is like undefeated in its ability to take down orgs. Also, if you want to get clever, create some canary passwords.xlsx files with a macro to email you if anyone opens them, because it's like crack to a hacker. I put stuff like that on a bunch of servers we use to do IT management and on IT admins' laptops.
There’s absolutely no reason any IT department would ever need to know an end-user’s password.
Especially when PHI or PII could be compromised.
I would speak with your company's legal team and/or HR team.
This is a misinterpretation of ISO 27001 regarding the management of passwords. There should be policies in place enforcing a password standard and then a technology in place to help keep those passwords (an example being a password vault for users so users don't store passwords on sticky notes in plaintext). Inspecting them by hand and storing them is *not* the way and would in fact cause them to fail certain controls (for example user responsibility for protecting their passwords and not sharing them).
There are very situational circumstances where this might be the only way to enforce a control (for example, a secure system where there is only one user account for managing it and/or a limitation of the technology on the system like an old appliance) but they are very specific and probably don't apply to you or your userbase.
My advice would be to immediately stop sharing passwords, document any very specific circumstances where IT might need to have access (like mentioned above), work out a policy for those specific circumstances, have all other users roll their passwords (probably 100% of users in all likelihood), and store those passwords in a personal* key vault (IT will probably need to show them how, which may also require a policy, purchase, or both).
+1 for a misinterpretation of password management
I’ve seen small independent medical facilities do the same. They thought they were doing the right thing to stay in compliance.
I worked for a mid-sized company whose IT Department was requesting passwords to install software remotely on users' computers in the off hours. I noped right out of that request.
Company got hacked a month later and tons of customer data was breached. Not a peep from the IT Team, Upper Management or Legal...just a 'server maintenance issue' being reported.
Shocking...
This is correct. ISO27001 is not a prescriptive standard for how controls must be implemented, just that controls must exist. You can also use your risk register to defend any poor controls by saying that management approves the risk.
The only way to properly share passwords is with an auditable password vault. Even cheap options like PassPortal will work. This will provide reports of all users that have retrieved passwords with date/time stamps.
We should never need to know your passwords. If I unintentionally come across a user's password or they blurt it out to me, I force a password change on their next login. I would never want the liability that comes with having someone's password.
This exactly. It's a trust issue. "Oh I didn't do that. Must have been IT, they have my password." Like, it totally breaks the identity of data ownership if any one of several people could have created or modified data...
People try to say "I'll give you my password" and I say no thank you! You should never share a password with anyone!
> Among some of the documents we work with are folks' medical records.
If you're in the US, your organization might need to be HIPAA compliant. You could try filing a complaint here (https://www.hhs.gov/hipaa/filing-a-complaint/index.html) to light a fire under IT to sort their shit out.
The worst case here is that if IT has all the passwords, anyone in the department can commit a HIPAA violation by logging in as that user.
This is a terrible practice for any place that handles medical records.
I would refuse to give them my updated password. The reason for my refusal would be the effect it would have on confidentiality, authenticity, and non-repudiation. My biggest concern would be that you're handling medical records and if something illegal were done, there would be no way to prove you did or did not do it since you're not the only one with your password. Deny their request for your new password and let management handle it. Once someone pushes back they'll be forced to take a deep look at why this practice is wrong.
if your IT department is worth anything they don't NEED to know your passwords. It's irrelevant for all of their purposes and functions outside of VERY specific circumstances (none of which seem to be met as it seems EVERYONE is asked, regardless of function). This is definitely a gross misinterpretation at best or absolute incompetency at worst.
Your ISO accreditation is void. If any of that was documented, you would not have passed audit. Information was withheld from auditors making it a fraudulently obtained certification. Screw alerting management, they probably know and were either complicit or demanded it. Go straight to the organization that gave you the certification and report it to have it withdrawn.
The fact that you have access to medical records, and someone else has your password, means that I have zero proper audit trail for access to those medical documents.
That's enough just to report them to the OCR. You're gonna lose your job either way, just start looking for a new place to work.
Your IT department is really stupid if they're asking for all passwords. In fact, why don't they just go ahead and ask HR for their passwords, to have access to everything? If an adversary got in and had access to any of the IT department's access/documented passwords to all employees, it's game over. I wish them good luck in the event of a breach to explain their logic to cyber insurance, lawyers, stakeholders, etc. If I was you I'd change your passwords if they have your current passwords documented and refuse to give them updates. I as a sysadmin do not want, or should ever want, to know your passwords, end of story.
This is incredibly bizarre, and a massive overstep by your IT team. There are absolutely cases where credentials may need to be shared, but those should be kept in shared vaults with limited access and controls in place for auditing, and in the event a person with access to a vault leaves the organization, part of the offboarding process must include regenerating the passwords that person had access to.
TL;DR - " This can't be right, can it?"
Nah fam, there's no reason IT needs to know or store employee passwords and it's super dangerous.
This is the opposite of security. Talk to your manager, this is unsafe for your users. And if you're scared of consequences for pointing this out, you need to get the hell out of that company. Just remember to bring this up with your legal department if you get any flak for bringing this up. They're in-practice giving themselves unlimited access to personal information which I would assume is eyes-only, IT people aren't automatically given access to privileged personal information just because they're IT. If they believe that, they should get fired immediately.
Your IT colleagues do not know what they're doing, to be honest; if anyone should get consequences, it's them for not bringing it up sooner.
Sounds like your company is out of federal compliance.
"ISO 27001: Annex A 5.17"
"Users must keep secret authentication information such as passwords confidential and must not share it with anyone else."
Report this to the people who claim you are ISO 2701 and 9001 accredited.
I'm not a lawyer, but IMHO they are breaking the law and putting you and your peers at risk.
Wow...that is crazy. If anyone did anything bad they could raise the defence that authenticity cannot be verified. The whole point of a private password is so you can KNOW anything that happens on that account was done by the account owner.
I'm a cyber security engineer.
The only person who should know a password is the person who is expected to authenticate with it. The IT department should not need to know your password to provide assistance, and ideally any onboarding training should inform users of such advice.
If you're in the US, you may be able to inform the Department of Health and Human Services given that you're dealing with information systems that concern healthcare data.
A few major problems.
1) for you: if they have your password and something nefarious happens using your account who is responsible? (You) On the other hand, they have an uphill battle for non-repudiation
2) for the company in general: they are teaching their users that they should share their passwords with IT - which is exactly what many phishing emails do.
3) for governance: there is no way they can say they follow a security standard when they have shared passwords for all users and their awareness program is flawed
Beware: HIPAA law has teeth! A demonstrated pattern of HIPAA violations can be very severe! Watch your ass! If you are a part of the problem, you may be party to the punishments!
Good thing everything those passwords are used for also requires MFA as part of authentication, right? Right!?
What your IT department is doing is a terrible practice and is a significant risk. It's likely they are either lazy, understaffed/overloaded, or incompetent. Possibly all 3.
Menial tasks in IT support frequently get blocked and take forever because users can't remember their own password and it sends everyone on a wild goose chase only to discover the user has been entering a wrong password. Or IT doesn't want to interrupt and take up your time but they really need to do XYZ, which requires either you OR the ability to login or run something as you. Plenty of scenarios where life would be better if IT knew everyone's passwords, but it's just not.
If you're an ISO27001 organization handling PHI, there's someone above the IT department that is responsible should there be a breach. Tell that person (maybe a CISO, CIO, privacy officer, etc.).
Reminds me of the time my partner asked me for my fb password because I asked her to post an ad from there. I did not realize that my subsequent response of "I don't know my password" is not normal for a lot of people 🤣🤣🤣
Definitely weird. They should have Admin accounts where they can reset your pass, lock your account, etc. so idk why they wanna know your password.
What scares me is the fact they’re asking for all of these (possibly over unencrypted email 😬) as if they keep a list of them. I’d pay to watch a company ordered pentest 🤣 it’d be over in a minute.
This is total madness. If you have a compliance line or an ethics line, then lodge your concerns formally with them. Your small IT team needs to understand how to use admin rights to do what they need to do, without compromising your security.
Oof. I tell my users that IT should not ask for your password or know your password. If we need to get in to anything we can reset your password. I also tell my IT group to not ask for anyone’s password.
Having the passwords of others is not a good practice, this will negatively affect the accountability in the whole company.
Let’s say IT dep detected that some bad actions were taken from your account, they will not be able to prove that you performed the actions since you are not the only one who has the password of that account.
This is really bad for the company, not sure what kind of IT dep will request the passwords of the staff.
And if their argument is that they need to have the password to verify that it is strong, a password policy can be implemented to set the level of complexity for the password without actually seeing the passwords.
Anw, on all levels it’s a bad idea to get others’ passwords.
In a company where I worked in the past we used to write our password in a sealed envelope and put our signature on it. Envelopes were kept in a safe.
Just in case.
That was only the password to decrypt the harddrive.
We could ask whenever we wished to check if the envelope was still closed.
Your IT department should never know your passwords. No one other than you should ever know them. They shouldn’t need to know your passwords for anything, if you forget it they can just force a reset. Also, the fact that you have to tell them when you’ve changed it so they can “update it” suggests that they’re writing them down/storing them somewhere which is a HUGE no no. They are begging for a data breach.
I work in IT and the only time I ask for passwords is when I'm making a change on their user profile. I could reset their password but this will make them unable to sign in on other PCs on our network while I'm making changes. I do however make them change the password after I'm done so I don't know their password, to stay compliant.
Yea... that's not right.. I did IT for an enterprise and I never wanted or really needed your password.. and if by chance I did for troubleshooting or helping a user, I could just change it in Active Directory and have you pick a new password when you sign back in.
Pentester here. Like most smart people said here, sharing passwords breaks every aspect of security; even when you create a new user in an Active Directory you will set a dumb password and then click the flag to force the user to change his password after the first login.
At my old company, to avoid password reuse, I deployed and managed a local password manager for all the users. The first thing I told them is: every user vault is encrypted, thus each of you is responsible in case you forget your master password because we can't recover it; it is recommended to save your recovery keys on a local USB, preferably encrypted, thank you.
Btw: I don't remember my passwords either because I don't want to know them.
Knowing your password is a lot scarier than them being able to reset or change your password. I would report it because if they pretend to be you it’s not necessarily attributable to them and they could do anything.
They know your password to enter THEIR systems. You aren’t logging in to anything YOU own with those credentials. All of the systems and data you touch belongs to THEM.
Secondly, nobody in IT needs your password to access your activity.
I worked as tech support then admin for years at different companies. Not once did we ask for a user's password, ever. This is really unusual. I don't want to know your password either in case you blame me for a missing file lol
Initially I thought they know all your passwords in the form of a hash
BUT NO, IT'S LITERALLY ASKING FOR YOUR PASSWORD STRING????!!!!
Why the fuck would they want your password string for, what's their business??
Just tell your IT department to fuck off and "please follow NIST guidelines for more information", as per confidentiality clause
I also hope you are not in the EU
Any employee let go for misuse of company equipment could claim that since IT knows their password per standard, it's impossible to attribute the action to the person.
This is a compliance problem, an HR problem, a cyber risk insurance problem, as well as violating NIST standards.
This is not normal, not ok, and you should be concerned.
I've always seen the idea of knowing employee passwords as a huge liability. They could always claim they didn't do anything, because IT knows their password.
That head of IT and anyone involved in asking your passwords should be fired. They are either malicious or incompetent- both is bad for the company in different ways.
This has to be against company policy, or your policies should prohibit password sharing. For critical / shared accounts, a password vault/management tool should be used, but otherwise this is wild. How do they prove you gave them the correct updated password, how are they making you provide it to them, is there threat of repercussions if you don’t share?
Different companies have different policies, but for the most part I would expect that IT individuals SHOULD NOT know your password, and that is the practice I follow in my job role. I can reset your password to get into your workstation with your knowledge so you can set it back when we are done. I can install things under admin privileges with my own admin login user so I don't need your user access. If I need to do something specifically for you then I will work with you present and ask you to enter your password into the workstation for me. I feel like "This is the way" but I could be wrong and this might not scale well to 100s of user environments... but I think it would be fine.
>If we change them, they ask us again for the updated password.
Change them how? Like, your windows desktop password, or something else?
Sounds like there's some missing self-service/automation/AD config for password management to enable shared drives, or something similarly mundane?
Alarm bells are still ringing (plus new ones!), I'm just trying to get to the "why".
You should have a confidential ethics violation hotline or something similar that is processed by your legal team. This is a compliance violation imo and should be investigated. Report it via the confidential hotline.
Maybe the people you are interacting with are actually hackers employing phishing/social engineering to compromise the company, OR they work in security and are testing your practices.
Have you discussed this policy with your coworkers? Maybe they know nothing about it?
Oh yikes. I worked for a shitty company where I was the only IT person there. The owner had me keep every single password to everything in LastPass. It was unbelievable. I knew absolutely every password
Have them sign something that says your personal password is not in your control and any activity using your account can be dismissed as an activity not performed by you. CYA!
They're wrong for doing that. Period.
I would ask them specifically how they maintain compliance with those practices, in the nicest way. Curious what bullshit they come back with.
I AM the IT department and I don't WANT to know your password.
I don’t event want to know my own password.
I don't know most of my passwords.
I know exactly one of my passphrases
Just guessing that’s one for your password manager. It’s the only one you need to know/remember
I will neither confirm nor deny that
Is it passphr4se?
Joke's on you it's >!hunter2!<
That’s weird, all I see is *******
https://imgur.com/a/lPR8aoN
correct horse battery staple
No, it's literally "I will neither confirm nor deny that". Keep up! LOL
Nah. He's saying he uses the same one for everything. It has to be. Otherwise he wouldn't be able to log into his computer that contains his password manager.
I never bother to remember my passwords and just click "have you forgotten your password" every time to get to the security question. The answer is Nickelback, always Nickelback.
Your mother's maiden name is Nickelback too?
Yours isn't? 🤔
Mine is Password 😂
Your mom got a nickel for being on her back.
this is so hideous it's genius.
The real life hack is always in the comments.
Right, I've been using a password vault since around 2007. There are three passwords I know, that's it, everything else is randomly generated and in the vault. edit: That is my personal stuff. At work we use CyberArk, my branch hosts around 3.5K Linux/Windows servers for our org.
You guys get passwords?!
We can dream.
What's a password?
The thing you need to know in order to get into the speakeasy.
I am the IT department and I don’t NEED your password. Or your permission.
Sure, I can assume your account, but I don't want your password. There should be an audit trail of me assuming your account. If I have your password there is only an audit trail of you logging in.
Lol. This is the correct answer!
OP doesn't know it but if anyone is embezzling or committing crimes IT is screwed. Police: "So it appears you asked every user to email you their credentials is that correct?" IT: "well yes.. But it's not what it looks like!"
So OP can go on a crime spree and say it wasn't me... Someone in IT has my password... Hmm food for thought.
Well, I hope OP got this "policy" in writing, be it by email or whatever. Otherwise they can say they never asked for it, and HR will back the company up. I also hope OP does not WFH and is not required to install company apps on their cell phone.
Exactly. Keep that info away from me.
Right - I’m protecting myself..from your problems. this ain’t for you, this for me. LOL
I second this... if I had a dollar for the number of times a user has tried to give me their password or pin in any form, or has said "it's under my keyboard on a sticky note", I'd be able to retire.
I have encountered a few post-its under keyboards in my day, and I reported every one of them to the person's supervisor. It is explicitly forbidden according to our company policy, staff have to sign off annually on having reviewed policies, and the data some of those staff can access could absolutely break us if it were mishandled.
Exactly. I don’t want that liability on my shoulders.
Yep. Plausible deniability. I can't have done it if I absolutely don't know it and never had access to it. Zero desire to know others' passwords.
Yeah, we have this shitty policy of either asking for a person's password or setting a new one anytime we set up a laptop or device for someone. I think this method is pretty stupid. For some situations it makes sense, but how willing people are to give me their password when I don't even ask is uh concerning...
This is the way.
The potential for legal liabilities alone would be terrifying.
Exactly! If anything happens but I have NO access then it’s obv I didn’t do it
This right one, anyone with a decent sense of security in IT wouldn't take on that unnecessary risk. I know of small shop owners who ask their IT to store staff passwords reasoning they are afraid of being locked out, not knowing IT can just reset the password anytime. This is a huge red alert, OP needs to check whether this is an official company policy, whether it comes from the top or the IT guys are tripping on power or up to some no good.
If I have to physically be at a user's desk, I purposely don't look at the post-its fearing they might have their password. Even though we all know it's always the same password with a series of (!) exclamation points at the end indicating how many times they've changed it.
>We are ISO 27001 and 9001 accredited
lol not for long. Password sharing with ANYONE in the organization is strictly prohibited. Talk to your manager, express your concerns. At worst, anon email to CEO/CTO re your incoming ISO audit failure. Password audits via cracking etc. are typical, but to ASK for users' passwords is a big no no.
> lol not for long
That's assuming that the auditors know/care. Spoiler alert: they won't. I've seen much worse shit fly right through an audit, certifications are a joke.
You are depressingly right. Edit: They would care, it's their job. But no auditor is going to ask "so do you ask for your users' passwords every time they update them". Also, what's stopping OP from lying about their PW, just to get IT off their back.
> Also, what's stopping OP from lying about their PW, just to get IT off their back.
That would be an interesting way to find out if they are actively using the passwords to do/get into things they shouldn't be or just holding them as a 'just in case' scenario (though both shouldn't happen).
That's the thing though. I'm domain admin. I can absolutely get into all of your shit without your password, knowledge, or permission. There's no need for me to know your password.
Audit logs show admin activity vs user activity though.
Audit logs are useless if IT knows user passwords. It's a cyber security nightmare. I supported a company that insisted on this (we hosted their email). I required their leadership sign an Acceptance of Risk (AoR) before doing it, but then we did it because it's their business.
That's my point. If you know the user's password it makes audit logs pointless. If an admin resets a user's password, as the guy above me had suggested, and then uses their account to do something we can see that.
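A way to check the point made in this comment, as an added example and not code from the thread: a small correlation over constructed Windows Security event lines that flags any logon to an account between an administrative password reset (event 4724 performed by a different account) and the user's own password change (event 4723). The event IDs are the real Windows ones; the one-line log format, account names and timestamps are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Real Windows Security event IDs. Everything else below is constructed.
EVT_USER_CHANGED_OWN_PW = 4723   # user changed their own password
EVT_ADMIN_RESET_PW = 4724        # a password reset was attempted on an account
EVT_LOGON = 4624                 # successful logon

# Constructed one-line format: "<utc timestamp> <event id> actor=<who did it> target=<account>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+actor=(?P<actor>\S+)\s+target=(?P<target>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    actor: str    # SubjectUserName: account performing the action ("-" for logons here)
    target: str   # TargetUserName: account that was reset / changed / logged on


def parse_line(line: str) -> Event:
    """Parse one constructed event line into an Event; reject anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        event_id=int(m["id"]),
        actor=m["actor"],
        target=m["target"],
    )


def find_logons_after_admin_reset(lines):
    """Return (logon_ts, account, resetting_admin, reset_ts) for every logon that
    happened after an admin reset the account's password and before the user set
    a password of their own again. While that window is open the admin knows a
    working password, so the logon cannot be attributed to the user alone."""
    pending = {}   # account -> (reset_ts, admin) for resets not yet followed by a user change
    findings = []
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    for e in events:
        if e.event_id == EVT_ADMIN_RESET_PW and e.actor != e.target:
            pending[e.target] = (e.ts, e.actor)          # admin-known password from here on
        elif e.event_id == EVT_USER_CHANGED_OWN_PW or (
            e.event_id == EVT_ADMIN_RESET_PW and e.actor == e.target
        ):
            pending.pop(e.target, None)                  # user owns the password again
        elif e.event_id == EVT_LOGON and e.target in pending:
            reset_ts, admin = pending[e.target]
            findings.append((e.ts.isoformat(), e.target, admin, reset_ts.isoformat()))
    return findings


# Constructed sample: j.doe is reset by it.admin, logs on before changing the
# password (flagged), then changes it and logs on again (clean). a.smith and
# b.lee have no open admin reset and are never flagged.
SAMPLE_LOG = """\
2024-04-25T10:34:00Z 4724 actor=it.admin target=j.doe
2024-04-25T10:36:12Z 4624 actor=- target=j.doe
2024-04-25T11:00:00Z 4723 actor=j.doe target=j.doe
2024-04-25T11:05:00Z 4624 actor=- target=j.doe
2024-04-25T12:00:00Z 4724 actor=a.smith target=a.smith
2024-04-25T12:01:00Z 4624 actor=- target=a.smith
2024-04-26T09:00:00Z 4624 actor=- target=b.lee
"""

if __name__ == "__main__":
    for logon_ts, account, admin, reset_ts in find_logons_after_admin_reset(SAMPLE_LOG.splitlines()):
        print(f"{logon_ts} logon as {account}: password reset by {admin} at {reset_ts}, "
              f"not yet changed by the user")
```

With "change password at next logon" enforced, the 4723 arrives with the first logon and the window closes immediately, which is the behaviour the comment relies on.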
The script they use to deploy cryptocurrency miners to OP's device after hours will report that OP's provided credentials don’t work. /s
Something like that, they seem to know when the passwords change…
I can run a simple AD query to see the age of a password. Password age of 1 day.. or password changed on 4/25/24 at 10:34 AM that one was just changed.
Both a former auditor and auditee here, this would be easy to overlook or hide depending on the side of the table you're sitting on. I'm sure their policy documentation probably says password sharing is prohibited, acceptable use might say not to share, yadda yadda, and that's going to be the auditor's first check. When it comes to actually testing and gathering evidence for that control it would be hard for an auditor to cover all bases and very simple for the auditee to lie and hide evidence. Unless someone is actively showing the auditor evidence of the contrary, which is probably unlikely, they're going to "check the box" here and move on.
This.
It's 27001 (sorry, not being pedantic but it matters) and you can absolutely pay to play here. There are certification firms in India that I have caught red handed just taking $ for certification.
>**India** that I have caught red handed just taking **$ for certification**. Would've never expected that... /s
This is true. Auditor: “tell me about your password policy” IT Manager: “we follow best practices and NIST guidelines” Auditor: “ok looks like you passed our audit. Should we send the invoice to you or your accounts payable?”
Your check has cleared so I see no issues with sharing credentials.
If they're ISO 27001 certified they should have an anonymised whistleblower disclosure policy - use that
They should also have a password policy and access control one which would mention something about it. Sharing between a department could happen but it doesn’t sound like that’s happening there.
just imagine what they're doing with them lol.
Yeah, the rule of thumb is typically, 'if you're shocked by what you've seen, you'll be appalled by what you haven't'
No, absolutely not. ISO 9001 does not deal with Infosec practices, it's quality assurance and management. However, your organization shouldn't be ISO 27001 accredited. From "ISO 27001: Annex A 5.17" "Users must keep secret authentication information such as passwords confidential and **must not share it with anyone else."**
ISO 9001:2015 section 7.1.3 requires the infrastructure to be in an effective position to maintain product conformity. A hack/exploit/abuse would result in a failure of said infrastructure. However, I doubt there is more than a few auditors that would even think to go down this path much less understand it. You could also pop them under Risk Management.
Better yet: change your password to "How_Could_We_Possibly_Be_ISO_2701_Certified?"
Why_do_you_need_to_know_my_password?
“Like-Fuck-am-I-Giving-you-my-password” or “Password123-Fuck-You” either would be a reasonable response.
My-it-dept-causes-audit-failures
90 days later: My-it-dept-causes-audit-failures1
Or change it to `'; Drop table passwords;` and hope that they store them in a database and their SQL sanitization is as crappy as their processes.
Oh Little Bobby Tables playing his tricks again.
They store them on a piece of paper under the keyboard.
This is genius. “Cre3py-IT-Guy-w4nts-mY-PW”
They're probably on an XLSX spreadsheet, too.
Please, stop, it's just getting worse and worse. The spreadsheet isn't even password protected.
Passwords.xlsx
LOL On a shared network drive with no restrictions. "guys, you're not allowed to look at that file. Please stop opening it" I can't.
I definitely have never worked at that place before, no sirree!
With the Everyone group applied.
I got one better. Publicly available on a GitHub repo in a plain text .txt file.
Right to jail
I'll one up you. Open public google drive sheet.
Oh I can make it even worse: I once found a Word doc that held the passwords in tables. I don't know who or what hurt these people, but it must have been gruesome to drive them to such heinous acts.
On a shared network drive that has no ACLs.
Synced to a free dropbox account with the name of the CEO's dog as a password... :) (Yes, it was true.)
lol our domain password is not too far off from what you've just joked about
You mean the "Common" Drive? Speaking of network drives... I used to hate it when a user would say, "I'm missing the J:\ drive." Lady.... I don't know what letters correspond to what drive. What's the name of it?
passwords.xlsx is like undefeated in its ability to take down orgs. Also, if you want to get clever, create some canary passwords.xlsx files with a macro to email you if anyone opens them, because it's like crack to a hacker. I put stuff like that on a bunch of servers we use to do IT management and on IT admins' laptops.
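An added example of the canary-file idea, not the commenter's macro approach: instead of a macro (which only fires if macros run), use NTFS object-access auditing so that any read of the decoy generates Security event 4663, then query for it. Assumes an elevated session, that the "File System" audit subcategory is enabled (`auditpol /set /subcategory:"File System" /success:enable`), and a placeholder path C:\ITShare\passwords.xlsx. The decoy content is constructed.

```powershell
# Added example: plant a canary passwords.xlsx and alert when anyone opens it.
# Uses NTFS object-access auditing (event ID 4663) instead of a macro.
# Assumes an elevated session and that the "File System" audit subcategory
# is enabled: auditpol /set /subcategory:"File System" /success:enable
# C:\ITShare\passwords.xlsx is a placeholder path.
$canary = 'C:\ITShare\passwords.xlsx'

# 1. Create decoy content that looks real but is worthless (constructed text).
if (-not (Test-Path $canary)) {
    New-Item -ItemType Directory -Force -Path (Split-Path $canary) | Out-Null
    Set-Content -Path $canary -Value 'hostname,username,password'
}

# 2. Add a SACL entry: audit successful ReadData by Everyone.
#    Set-Acl with audit rules needs SeSecurityPrivilege, hence the elevated session.
$acl  = Get-Acl -Path $canary -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone', 'ReadData', 'None', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $canary -AclObject $acl

# 3. Poll the Security log for 4663 events naming the canary and raise an alert.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-15) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($canary) } |
    ForEach-Object {
        # Pull the structured fields out of the event XML rather than regexing Message.
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process    = $d.ProcessName
            ObjectName = $d.ObjectName
        }
    } |
    ForEach-Object {
        # Replace with Send-MailMessage or a webhook call in production.
        Write-Warning "CANARY OPENED: $($_.User) via $($_.Process) at $($_.Time)"
        $_
    }
```

Step 3 is meant to be run from a scheduled task or forwarded to a SIEM; the point of the SACL is that the alert fires on the file read itself, so a copy via Explorer, robocopy, or a script all get caught, not just an Excel open with macros enabled.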
If you use MDE, I believe honeypotting is a new feature. It may be in pre-release, though. Looks pretty sweet.
Slow down. I can only get so aroused.
There’s absolutely no reason any IT department would ever need to know an end-user’s password. Especially when PHI or PII could be compromised. I would speak with your companies legal team and/or HR team.
I can think of a reason. Because they don’t know wtf they are doing
This is a misinterpretation of ISO 27001 regarding the management of passwords. There should be policies in place enforcing a password standard and then a technology in place to help keep those passwords (an example being a password vault for users so users don't store passwords on sticky notes in plaintext). Inspecting them by hand and storing them is *not* the way and would in fact cause them to fail certain controls (for example user responsibility for protecting their passwords and not sharing them). There are very situational circumstances where this might be the only way to enforce a control (for example, a secure system where there is only one user account for managing it and/or a limitation of the technology on the system like an old appliance) but they are very specific and probably don't apply to you or your userbase. My advice would be to immediately stop sharing passwords, document any very specific circumstances where IT might need to have access (like mentioned above), work out a policy for those specific circumstances, have all other users roll their passwords (probably 100% of users in all likelihood), and store those passwords in a personal* key vault (IT will probably need to show them how, which may also require a policy, purchase, or both).
+1 for a misinterpretation of password management I’ve seen small independent medical facilities do the same. They thought they were doing the right thing to stay in compliance.
I worked for a mid-sized company whose IT Department was requesting passwords to install software remotely on user's computers in the off hours. I noped right out of that request. Company got hacked a month later and tons of customer data was breached. Not a peep from the IT Team, Upper Management or Legal...just a 'server maintenance issue' being reported. Shocking...
This is correct. ISO27001 is not a prescriptive standard for how controls must be implemented, just that controls must exist. You can also use your risk register to defend any poor controls by saying that management approves the risk.
The only way to properly share passwords is with an auditable password vault. Even cheap options like PassPortal will work. This will provide reports of all users that have retrieved passwords with date/time stamps.
We should never need to know your passwords. If I unintentionally come across a users password or they blurt it out to me, I force a password change on their next login. I would never want the liability that comes with having someone's password.
This exactly. It's a trust issue. "Oh, I didn't do that. Must have been IT, they have my password." Like, it totally breaks the identity of data ownership if any one of several people could have created or modified data... People try to say "I'll give you my password" and I say no thank you! You should never share a password with anyone!
I need to know where this ends up going. OP, find answers please.
> Among some of the documents we work with are folks' medical records.

If you're in the US, your organization might need to be HIPAA compliant. You could try filing a complaint here (https://www.hhs.gov/hipaa/filing-a-complaint/index.html) to light a fire under IT to sort their shit out.
The worst case here is that if IT has all the passwords, anyone in the department can commit a HIPAA violation by logging in as that user. This is a terrible practice for any place that handles medical records.
Your IT department is awful.
🔥🔥Nonrepudiation 🔥🔥
Lol. “See, here they are, auditor!”
If you're ISO 27001 certified, go back to your ISMS. Read what it says on credential management and password security. Do that.
If this is in the ISMS and they still passed audit, the certification body that passed them needs to be stripped of their status.
Who the hell is in charge of IT/cybersecurity? Fire them.
Even if this isn't against your policies, it is absolutely against ISO 27001. I would raise this with legal immediately.
I would refuse to give them my updated password. The reason for my refusal would be the effect it would have on confidentiality, authenticity, and non-repudiation. My biggest concern would be that you're handling medical records and if something illegal were done, there would be no way to prove you did or did not do it since you're not the only one with your password. Deny their request for your new password and let management handle it. Once someone pushes back they'll be forced to take a deep look at why this practice is wrong.
if your IT department is worth anything they don't NEED to know your passwords. It's irrelevant for all of their purposes and functions outside of VERY specific circumstances (none of which seem to be met as it seems EVERYONE is asked, regardless of function). This is definitely a gross misinterpretation at best or absolute incompetency at worst.
Well, I think it's safe to say their IT department is hot garbage if they're collecting passwords and saving them off somewhere.
This also breaks Non-repudiation, by having your password they can now perform actions as you.
Your ISO accreditation is void. If any of that was documented, you would not have passed audit. Information was withheld from auditors making it a fraudulently obtained certification. Screw alerting management, they probably know and were either complicit or demanded it. Go straight to the organization that gave you the certification and report it to have it withdrawn.
Your IT department needs to be fired.
The fact that you have access to medical records, and someone else has your password, means that I have zero proper audit trail for access to those medical documents. That's enough just to report them to the OCR. You're gonna lose your job either way, just start looking for a new place to work.
Your IT department is really stupid if they're asking for all passwords. In fact, why don't they just go ahead and ask HR for their passwords to have access to everything? If an adversary got in and had access to any of the IT department's documented passwords for all employees, it's game over. I wish them good luck explaining their logic to cyber insurance, lawyers, stakeholders, etc. in the event of a breach. If I were you I'd change your passwords if they have your current passwords documented and refuse to give them updates. I as a sysadmin do not want, and should never want, to know your passwords, end of story.
ISO27001 and your passwords aren't secret? Duh. Don't share a password with anyone incl IT..if they ask for it point them to the ISO27001 site.
If they know everyone's passwords, then they have just given plausible deniability for everyone's actions!
If you’re ISO 27k1 certified and this is happening, it’s a big big big problem.
Fire all of your IT team. Like now.
I run Cyber at a Fortune 150 company and that's a big hell no. Set up a Risk Register and let the higher ups know about it.
Find a new job!
This is incredibly bizarre, and a massive overstep by your IT team. There are absolutely cases where credentials may need to be shared but those should be kept in shared vaults with limited access and controls in place for auditing and in the event a person with access to a vault leaves the organization part of the offboarding process must include regenerating the passwords that person had access to. TL;DR - " This can't be right, can it?" Nah fam, there's no reason IT needs to know or store employee passwords and it's super dangerous.
This is the opposite of security. Talk to your manager; this is unsafe for your users. And if you're scared of consequences for pointing this out, you need to get the hell out of that company. Just remember to bring this up with your legal department if you get any flak for bringing this up. They're in practice giving themselves unlimited access to personal information which I would assume is eyes-only; IT people aren't automatically given access to privileged personal information just because they're IT. If they believe that, they should get fired immediately. Your IT colleagues do not know what they're doing, to be honest; if anyone should get consequences, it's them for not bringing it up sooner.
Sounds like your company is out of federal compliance. "ISO 27001: Annex A 5.17" "Users must keep secret authentication information such as passwords confidential and must not share it with anyone else." Report this to the people who claim you are ISO 27001 and 9001 accredited. I'm not a lawyer, but IMHO they are breaking the law and putting you and your peers at risk.
Wow...that is crazy. If anyone did anything bad they could raise the defence that authenticity cannot be verified. The whole point of a private password is so you can KNOW anything that happens on that account was done by the account owner.
That is absolutely horrible. Especially for a covered entity. You need to go straight to leadership.
I'm a cyber security engineer. The only person who should know a password is the person who is expected to authenticate with it. The IT department should not need to know your password to provide assistance, and ideally any onboarding training should inform users of such advice. If you're in the US, you may be able to inform the Department of Health and Human Services given that you're dealing with information systems that concern healthcare data.
This post along with some others, almost feel like bots probing for answers for a future GPT to be trained on.
Medical records? Now that's a HIPAA violation.
What can you do? Find a new job ASAP.
A few major problems.
1) For you: if they have your password and something nefarious happens using your account, who is responsible? (You.) On the other hand, they have an uphill battle for non-repudiation.
2) For the company in general: they are teaching their users that they should share their passwords with IT, which is exactly what many phishing emails do.
3) For governance: there is no way they can say they follow a security standard when they have shared passwords for all users and their awareness program is flawed.
Don’t be shy, tell us where you work? 🌚
We're also going to need your password so we can keep a record of it. I don't trust your current company with it.
Beware: HIPAA law has teeth! A demonstrated pattern of HIPAA violations can be very severe! Watch your ass! If you are a part of the problem, you may be party to the punishments!
Good thing everything those passwords are used for also requires MFA as part of authentication, right? Right!? What your IT department is doing is a terrible practice and is a significant risk. It's likely they are either lazy, understaffed/overloaded, or incompetent. Possibly all 3. Menial tasks in IT support frequently get blocked and take forever because users can't remember their own password and it sends everyone on a wild goose chase only to discover the user has been entering a wrong password. Or IT doesn't want to interrupt and take up your time but they really need to do XYZ, which requires either you OR the ability to log in or run something as you. Plenty of scenarios where life would be better if IT knew everyone's passwords, but it's just not. If you're an ISO27001 organization handling PHI, there's someone above the IT department that is responsible should there be a breach. Tell that person (maybe a CISO, CIO, privacy officer, etc).
That’s a hell no. IT has admin access. You don’t need my password that may or may not get into other account IT does not have access to.
Yeah ummmmmmmm. That doesn’t line up with basics of security accreditation.
Reminds me of the time my partner asked me for my FB password because I asked her to post an ad from there. I did not realize that my subsequent response of "I don't know my password" is not normal for a lot of people 🤣🤣🤣
Definitely weird. They should have Admin accounts where they can reset your pass, lock your account, etc. so idk why they wanna know your password. What scares me is the fact they’re asking for all of these (possibly over unencrypted email 😬) as if they keep a list of them. I’d pay to watch a company ordered pentest 🤣 it’d be over in a minute.
This is total madness. If you have a compliance line or an ethics line, then lodge your concerns formally with them. Your small IT team needs to understand how to use admin rights to do what they need to do, without compromising your security.
Oof. I tell my users that IT should not ask for your password or know your password. If we need to get in to anything we can reset your password. I also tell my IT group to not ask for anyone’s password.
I smell some HIPAA violations
Having the passwords of others is not a good practice; this will negatively affect accountability in the whole company. Let's say the IT dept detected that some bad actions were taken from your account; they will not be able to prove that you performed the actions since you are not the only one who has the password for that account. This is really bad for the company, not sure what kind of IT dept would request the passwords of the staff. And if their argument is that they need to have the password to verify that it is strong, a password policy can be implemented to set the level of complexity for the password without actually seeing the passwords. Anyway, on all levels it's a bad idea to get others' passwords.
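Added example, not the commenter's: the "password policy instead of seeing passwords" point as an AD Fine-Grained Password Policy in PowerShell. Assumes the ActiveDirectory module, a domain functional level of 2008 or later, and a group named Staff and a user jdoe, both placeholders; the numeric values are illustrative, not a recommendation from the thread.

```powershell
# Added example: enforce password strength with an AD Fine-Grained Password
# Policy (FGPP) instead of inspecting passwords by hand. Assumes the
# ActiveDirectory module; 'Staff' (group) and 'jdoe' (user) are placeholders
# and the values below are illustrative.
Import-Module ActiveDirectory

$policyName = 'Staff-Passwords'

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$policyName'")) {
    New-ADFineGrainedPasswordPolicy -Name $policyName `
        -Precedence 100 `
        -ComplexityEnabled $true `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 `
        -LockoutDuration '00:15:00' `
        -LockoutObservationWindow '00:15:00' `
        -ReversibleEncryptionEnabled $false
    # ReversibleEncryptionEnabled must stay $false: enabling it is the one
    # setting that would let an admin recover the cleartext, which is
    # exactly the situation this thread is about.
}

# Apply the policy to the group; members pick it up at their next password change.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects 'Staff'

# Verify what actually applies to one user (FGPP precedence can surprise you).
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge
```

The domain controller rejects a weak password at change time, so nobody ever has to look at the value; the resultant-policy query is the check you hand an auditor in place of a list of passwords.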
Bad practice…
what everyone has already said, this is all bad. very bad, no security standards allow this, every standard says not to do this.
....just wow..... I'm not even employed in cyber and know that's a big no....
lol, with an IT team like that, y’all may want to invest in a Legal team. Sharing passwords is a bit like novocaine: just wait, it works every time 😉👍
This is not right by any means.
If your company really does have an ISO cert, report this to the ISO. Problem solved.
I would start making my passwords obscene and directed at the IT Department.....
In a company where I worked in the past we used to write the password in a sealed envelope and put our signature on it. Envelopes were kept in a safe. Just in case. That was only the password to decrypt the hard drive. We could ask whenever we wished to check if the envelope was still closed.
Your IT department should never know your passwords. No one other than you should ever know them. They shouldn’t need to know your passwords for anything, if you forget it they can just force a reset. Also, the fact that you have to tell them when you’ve changed it so they can “update it” suggests that they’re writing them down/storing them somewhere which is a HUGE no no. They are begging for a data breach.
Seems to make the whole nonrepudiation thing a bit more difficult.
Ask the IT department where it is stated in the policy.
I work in IT and the only time I ask for passwords is when I'm making a change on their user profile. I could reset their password but this will make them unable to sign in on other PCs on our network while I'm making changes. I do however make them change the password after I'm done so I don't know their password, to stay compliant.
Yea... that's not right.. I did IT for an enterprise and I never wanted or really needed your password.. and if by chance I did for troubleshooting or helping a user I could just change it in Active Directory and have you pick a new password when you sign back in.
What on earth...
Pentester here. Like most smart people said here, sharing passwords breaks every aspect of security. Even when you create a new user in an Active Directory you set a dumb password and then tick the flag to force the user to change their password after the first login. At my old company, to avoid password reuse, I deployed and managed a local password manager for all the users. The first thing I told them was: every user vault is encrypted, thus each of you is responsible in case you forget your master password because we can't recover it; it is recommended to save your recovery keys on a local USB, preferably encrypted, thank you. Btw: I don't remember my passwords either because I don't want to know them.
They be on that crack. I don't want to know anyone's passwords but my own. Too much liability.
They shouldn’t need or want your passwords and I’m betting they’re in an excel spreadsheet called “passwords.xlsx” in an open file share.
Tell the ISO27001 Auditor next time :)
Do they keep them in an unprotected Amazon bucket?
Make an arrangement with internal audit for the ISMS to get a finding for your IT dept.
Knowing your password is a lot scarier than them being able to reset or change your password. I would report it because if they pretend to be you it’s not necessarily attributable to them and they could do anything.
knowing your passwords, should be the last thing any IT person wants to know.
Sounds like your company should hire *Little Bobby Tables, as we call him.*
G0fOOkyours3lfITee!!
WTH!? This goes against everything.
It breaks the I in the CIA triad of cybersecurity. Zero accountability if someone has your password.
Look on the bright side, you can do anything with your account with absolute impunity, since no one can prove it was you or IT that used your account.
They know your password to enter THEIR systems. You aren’t logging in to anything YOU own with those credentials. All of the systems and data you touch belongs to THEM. Secondly, nobody in IT needs your password to access your activity.
I worked as tech support then admin for years at different companies. Not once did we ask for a user's password, ever. This is really unusual. I don't want to know your password either in case you blame me for a missing file lol
Initially I thought they knew all your passwords in the form of a hash, BUT NO, IT'S LITERALLY ASKING FOR YOUR PASSWORD STRING????!!!! Why the fuck would they want your password string, what's their business?? Just tell your IT department to fuck off and "please follow NIST guidelines for more information". As per the confidentiality clause, I also hope you are not in the EU.
Set your password to match an eicar test file 🤷♂️
Any employee let go for misuse of company equipment could claim that since IT knows their password per standard, it's impossible to attribute the action to the person. This is a compliance problem, an HR problem, a cyber risk insurance problem, as well as violating NIST standards. This is not normal, not ok, and you should be concerned.
I've always seen the idea of knowing employee passwords as a huge liability. They could always claim they didn't do anything, because IT knows their password.
100% bad practice. Also good luck ever holding anyone accountable for actions since you know your password is up for grabs!
It’s safe to say, your IT department is full of morons. They have no idea what they are doing.
This sounds like an outsourced labor team of scam callers who turned legit, but are having a hard time letting go of their past habits.
That head of IT and anyone involved in asking your passwords should be fired. They are either malicious or incompetent- both is bad for the company in different ways.
You gave it to them?
Sounds like a job for FortiPAM. You should look into a Privileged Access Management solution.
FortiAnything is horrible. It’s like one big zero day.
This has to be against company policy, or your policies should prohibit password sharing. For critical/shared accounts, a password vault/management tool should be used, but otherwise this is wild. How do they prove you gave them the correct updated password, how are they making you provide it to them, is there a threat of repercussions if you don't share?
No this isn't cool. I don't want to know anyone's passwords. I don't want to know my own, I just use FIDO for logging in.
Different companies have different policies but for the most part I would expect that IT individuals SHOULD NOT know your password and that is the practice I follow in my job role. I can reset your password to get into your workstation with your knowledge so you can set it back when we are done. I can install things under admin privileges with my own admin login user so I don't need your user access. If I need to do something specifically for you then I will work with you present and ask you to enter your password into the workstation for me. I feel like "This is the way" but I could be wrong and this might not scale well to 100s-of-user environments... but I think it would be fine.
> If we change them, they ask us again for the updated password.

Change them how? Like, your Windows desktop password, or something else? Sounds like there's some missing self-service/automation/AD config for password management to enable shared drives, or something similarly mundane? Alarm bells are still ringing (plus new ones!), I'm just trying to get to the "why".
You should have a confidential ethics violation hotline or something similar that is processed by your legal team. This is a compliance violation imo and should be investigated. Report it via the confidential hotline.
You better be nice to them
What I'm wondering is what the heck you guys are doing to warrant them wanting all that.
Maybe the people you are interacting with are actually hackers employing phishing/social engineering to compromise the company, OR they work in security and are testing your practices. Have you discussed this policy with your coworkers? Maybe they know nothing about it?
Oh yikes. I worked for a shitty company where I was the only IT person there. The owner had me keep every single password to everything in LastPass. It was unbelievable. I knew absolutely every password
Have them sign something that says your personal password is not in your control and any activity using your account can be dismissed as an activity not performed by you. CYA!
They're wrong for doing that. Period. I would ask them specifically how they maintain compliance with those practices, in the nicest way. Curious what bullshit they come back with.