Forced to Share Passwords - Yes, Really

• 

  Hybroid on 17/10/2022 - 23:41

  +14

  Doubt there's any legislation for this but sounds like the dumbest thing I've heard today.

  I get it for some network applications where we share licenses (e.g. Primavera P6) but individual accounts? That's a massive security risk.

  Something's lost in communication here.

  • 

    mapax on 18/10/2022 - 06:45

    I didn’t think there would be legislation but that is what the IT manager requested before allowing people to have their own password on their windows login or intranet account.

    • 

      DoctorCalculon on 18/10/2022 - 19:59

      +3

      Why don't you teach your IT Manager (how the f did they get this job in the first place?) a lesson the hard way?
      Login to their account, and reorganise all their files. ;-)

• 

  trustnoone on 17/10/2022 - 23:56

  +1

  I don't get what you mean tbh. Are you saying everyone logging into a network say WIFI and using the same single hardware password? Or are you saying IT is telling you that if every employee just so happened to use the same password, it wouldn't be a large security risk?

  • 

    jv on 17/10/2022 - 23:58

    it wouldn't be a large security risk?

    Only if someone leaks the password.

  • 

    mapax on 18/10/2022 - 06:48

    +1

    They set the windows and intranet password the same for everyone, IT manager might be JV because they said it’s not a problem if people don’t share it.

• 

  kanad on 18/10/2022 - 00:00

  +4

  What password we are talking here? Windows login password?
  If yes then the IT manager should be fired due to being incompetent. I am thinking how can they even know what password your friend is setting. Passwords are not stored in a proper identity system.

  • 

    mapax on 18/10/2022 - 06:51

    I’m not much of a computer guy, but if IT has already set the password don’t you need admin privileges to change it?

    • 

      apsilon on 18/10/2022 - 08:16

      +2

      No, I used to typically set a new account to a default password but the user was forced to change it the first time they logged in. Perhaps that's where the confusion is?

    • 

      blitz on 18/10/2022 - 09:59

      +1

      if IT has already set the password don’t you need admin privileges to change it

      If everyone has the same password then it might not be too hard to get admin privileges.

    • 

      ThithLord on 18/10/2022 - 10:46

      Log on, press CTRL+ALT+DEL and you should see Change Password. Change your pw, then log off and then back in (this ensures Windows re-caches the password)

• 

  stirlo on 18/10/2022 - 00:05

  reuse the same password for every employee when logging in to hardware or networks?

  Did someone get confused with a wifi password? For wifi access this isn't a big deal.
  If it's a windows account that is quite stupid.

• 

  Almost Banned on 18/10/2022 - 01:08

  -4

  Sorry - are you really asking if it is against the law for an employer to use a common password for all employees???
  Yep, we've reached peak nanny state.

• 

  cabler365 on 18/10/2022 - 01:57

  +2

  https://www.cyber.gov.au/acsc/view-all-content/publications/… ==> under "Create Unique Passphrases" it says: "Use a unique passphrase for every valuable account. Reusing a passphrase makes each account that uses it more vulnerable." So its not against the law but it does go against best practice. If your employer is compliant against any of the IT Standards, you'll probably find similar statements in those guidelines too (eg ISO 27001)

  And to agree with comments above - incredibly risky.

• 

  payless69 on 18/10/2022 - 04:23

  -3

  Choose a "social" leader, get a social environment!

• 

  morse on 18/10/2022 - 05:10

  +3

  Not sure on legislation but there should be a IT security policy for whichever gov dept they work for, if not an all of gov policy for whichever state/fed they are employed by. The practice of everyone using the same password with a unique username places your friend at risk. If someone uses their account to access private data or engage in illegal activity (fraud, child sex offences) your friend could get busted for it - though it would be relatively easy to defend themselves if they have evidence of the IT manager directing them to have the same password. The practice of using a generic username and password for all staff exposes the gov and any consumer data they have access too, i.e. you won’t know who is responsible for a breach or illegal activity.

  I’m super aware of this working in a large hospital with heaps of work stations, I always lock/log out when leaving a computer as it’s not unheard of that people use an open computer to access private info.

  Pretty much all gov depts have some sort of whistle blower / public interest disclosure process. There’s usually a way to do this anonymously. I would do this if leadership is aware and doing nothing. It seems super odd that the IT manager would want shared passwords - if it’s not for malevolent reasons, at best it’s mismanagement .

• 

  ozbargainsam on 18/10/2022 - 07:00

  +2

  OP needs to describe exactly which prompt this supposedly common password is being entered. Because there's just no way it's their user account password.

  If you're talking about a wifi password, then it's very common, especially for smaller companies, to not have implemented policies for a private network for company devices.

  • 

    mapax on 18/10/2022 - 07:12

    Not WiFi.
    I’ll try to get more details tonight but was told the process is switch computer on - enter username and password.
    Click on remote login - enter username and password.

• 

  pegaxs on 18/10/2022 - 07:40

  +2

  I dont think there is "legislation" that covers this, but there most definitely would be industry guidelines and "best practices" that would be recommended.

  Now, if it was on my own personal computer that I used from home to log into a work server, then no, I will not run just some random password. If they want me to use a "set" password to log into their system, then sure. I would let them know that I think it is a bullshit and dangerous move to just have a universal password, but I would still use it.

  If it is a work supplied computer or laptop, I would just run whatever password they told me to run… but there is no way in hell I would put ANY personal details onto that computer or store any of my own data on it.

  And then when the inevitable happens and the work network is compromised and the police are investigating the breach, I would joyfully tell them.. "Oh yeah, and everyone had to use the same password "password1234" on every account.

• 

  stickingly on 18/10/2022 - 08:04

  Not that uncommon in small businesses with controlling owners who don't know any better. As an IT consultant in the past I have seen some shockers, including exactly what you are describing, one where the users were assigned a password that they couldn't change and the owner kept them all written down in a book in case he "needed to check up on anyone", and one where the computers were all set to autologon with the assigned users account name and the same password.

• 

  newbo on 18/10/2022 - 08:30

  +6

  Log in as your boss and send emails that he is buying everyone UberEats for the rest of the year

• 

  jellykingdom on 18/10/2022 - 08:38

  +1

  I'm surprised you didn't say "IT" "Manager"

  That sounds dodgy as hell

• 

  Cheaplikethebird on 18/10/2022 - 09:51

  +2

  Wow. Had a security audit at a place I worked and they pulled us up on reusing the same temporary password for new users (that would then be reset after first login).

  Even ignoring access from an external party, if an employee does something dodgy on the company network then even if you track it back to an account you can't reasonably prove that it was the owner of the account.

  Does this dept have access to databases with personal information from the general public? If so then it's worth reporting.

  • 

    DashCam AKA Rolts on 18/10/2022 - 11:20

    +1

    if an employee does something dodgy on the company network then even if you track it back to an account you can't reasonably prove that it was the owner of the account.

    My workplace, a few years ago, had an instance of an office staffer, logging in using another staff member's account (password on a post it), then sending malicious emails to another staff member.

• 

  bongom on 18/10/2022 - 10:27

  I came across a govt office where the passwords were written down on a post it note and stuck on the pc case. Reason given was so anybody could log on to the computer as they didn't realise that you could logon to the network with any account credentials. The old people didn't understand that the computes were connected to a domain network.

• 

  GG57 on 18/10/2022 - 11:25

  As an employee, you would be required to follow your employers instructions / standards.
  I don't see it as your problem TBH.

  • 

    morse on 19/10/2022 - 03:52

    As a gov employee it is their problem. Pretty much all gov depts have a code of conduct that says you need to speak up if you see something that could be fraud, mismanagement or place the public at risk - no matter your level in the organisation. Also their problem if someone logs into their account, does something untoward and blames them for it.

• 

  [Deactivated] on 18/10/2022 - 16:54

  OP - I'm trying to understand the implications of your post.

  For example, does that mean that someone can login as Mr S. Oz, Head of Non-Diversity at the fictional state government department and by using the same password as everyone else that works there, someone can start sending out emails under Mr SOz's name, as if they were actually actually him?