IT staff at school asking for passwords [closed]

Solution 1:

Previous answers seem to be primarily of the tone "they can access your files anyhow, so it doesn't matter if they have your password". This is incorrect. Many users re-use passwords or generate them according to an obvious scheme (e.g., appending "1" to "12" to foil your school's password rotation policy or using "pass-so" on StackOverflow, "pass-su" on SuperUser, etc.). If such a user gives their password to the school's IT staff, they are not only providing them the ability to access information that the IT staff can already access via their admin privileges, but they are also providing access to other, unrelated, resources that the IT staff have neither admin access to nor any legitimate reason to be able to access.

Furthermore, there is always the possibility of fraud and social engineering - I don't know about you, but my spam filters catch a constant barrage of "Hi, I'm from your email server's staff and I need your account name and password for some ridiculous reason or other" phishing attempts. It's much easier and more effective to teach users that they should absolutely never give their passwords to anyone than it is to first carve out an exception for IT staff and then expect them to be able to correctly and consistently determine whether they're dealing with actual IT staff or with impostors.

Finally, writing the account details on a post-it note (which is likely stuck to the machine itself, making it easy for any passer-by to identify where those credentials will be usable) seriously compounds the problem unless the post-it and the machine are both kept in a secure location (so that only IT staff can gain access to them) and the post-it is destroyed (shredded, purged with flame, etc.) before either leaves the secure area.

The correct course is for the IT staff to not only stop requesting user passwords, but also to take the same approach as PayPal (among others, but they're the first to come to mind) and tell users "we will never ask for your password; anyone who claims to be from IT staff and asks for your password is lying, so don't give it to them". There's no time like the present to start teaching students good security habits. Schools, of all places, should not be teaching the opposite.
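
An added example (written here, not part of the original answer) to make the first paragraph's point concrete: a password "scheme" is reuse in disguise. Given one disclosed password, anyone holding it can enumerate the obvious variants the answer describes, a bumped trailing counter for a rotation policy and a short per-site suffix, and try them against other accounts. The site tags, separators and the sample "vault" of other-site passwords below are all constructed assumptions for the demonstration.

```python
"""Why a password derivation scheme is as weak as plain reuse.

Added example; all passwords, site names and tag lists are constructed
sample data, not anything from the page or a real system.
"""
import re
from itertools import product

# Assumed set of short site tags a user might bolt onto a shared core
# ("pass-so" for StackOverflow, "pass-su" for SuperUser, ...).
SITE_TAGS = ("so", "su", "gmail", "bank")
SEPARATORS = ("-", "_")
MAX_COUNTER = 24  # covers monthly rotation for two years

_TRAILING_COUNTER = re.compile(r"^(.*?)(\d+)$")


def stem(password: str) -> str:
    """Strip a trailing rotation counter and then a trailing site tag.

    'Tr0ub4dor12' -> 'Tr0ub4dor', 'Tr0ub4dor-so' -> 'Tr0ub4dor'.
    Digits inside the core are kept; only the run at the very end is a counter.
    """
    m = _TRAILING_COUNTER.match(password)
    if m:
        password = m.group(1)
    for sep, tag in product(SEPARATORS, SITE_TAGS):
        suffix = sep + tag
        if password.lower().endswith(suffix):
            return password[: -len(suffix)]
    return password


def derived_candidates(disclosed: str) -> set[str]:
    """Every password the scheme predicts from one disclosed password."""
    core = stem(disclosed)
    candidates = {core}
    # Rotation variants: core followed by a counter.
    candidates.update(f"{core}{n}" for n in range(MAX_COUNTER + 1))
    # Per-site variants: core plus separator plus tag, with or without a counter.
    for sep, tag in product(SEPARATORS, SITE_TAGS):
        candidates.add(f"{core}{sep}{tag}")
        candidates.update(f"{core}{sep}{tag}{n}" for n in range(1, 4))
    candidates.discard(disclosed)  # the one we already know is not a "guess"
    return candidates


def accounts_exposed(disclosed: str, other_accounts: dict[str, str]) -> list[str]:
    """Sites whose actual password (constructed sample vault) is predictable
    from the disclosed one. No network access: this is an offline audit of
    how much a single handed-over password really gives away."""
    guesses = derived_candidates(disclosed)
    return sorted(site for site, pw in other_accounts.items() if pw in guesses)


# Constructed sample: the password given to school IT, and the same user's
# passwords elsewhere. Only the bank uses an unrelated passphrase.
SCHOOL_PASSWORD = "Tr0ub4dor12"
SAMPLE_VAULT = {
    "stackoverflow": "Tr0ub4dor-so",
    "superuser": "Tr0ub4dor-su",
    "email": "Tr0ub4dor13",
    "bank": "correct horse battery staple",
}

if __name__ == "__main__":
    exposed = accounts_exposed(SCHOOL_PASSWORD, SAMPLE_VAULT)
    print(f"Handing over {SCHOOL_PASSWORD!r} also exposes: {', '.join(exposed)}")
```

Only the account whose password shares nothing with the disclosed one survives; the three that follow the scheme fall to a handful of offline guesses, which is exactly the "unrelated resources" the answer warns about.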

Solution 2:

You could ask them to update the Terms of Service with an exemption for the I.T. department, but with the condition that when a student who is informed [that a new password can be assigned] chooses to provide them with their current password, the I.T. staff would also be taking responsibility for securing that password against theft, observation by an unauthorized third party, etc. (clauses about the destruction of hand-written passwords, such as cross-cut shredders and time-frames, are also important).

In addition to resolving a technical violation of the Terms of Service, this solution also makes sense to end users because the majority tend to naturally trust I.T. staff with confidential information (such as passwords) anyway.