
Ask HN: How to address security incident without offending coworker? - BaronVonSteuben
Recently at work I had a friend use an insecure medium to send me a password to a production account.  This is a big security faux pas, and means we need to rotate that password ASAP and consider the old one compromised.  But this question has nothing to do with the technical side.

The friend that sent me the password was trying to be helpful, and truly I appreciated his help. If I blow the metaphorical security whistle in his face regarding this security issue, it will probably hurt his feelings and may provide a disincentive to be helpful in the future.  However, I obviously want to prevent disclosures like this in the future.

How would you handle this situation?
======
ergothus
Ask them to lead the clean-up themselves. This lets you acknowledge their
good intentions and doesn't feel like you are throwing them under the bus
behind their back (bad analogy).

They screwed up, but this lets them look responsible and self-accountable.
There is no cure for bad management, but with decent management the friend
will be more embarrassed than anyone would be judgemental - screwups happen,
coverups or ignoring them is the thing that is far worse.

------
KineticTroi
If it's really that important to be secure, I'd use an electronic password
generator fob that intermixed the password list with a universal cosmic radio
background radiation signal.

Perhaps he just gave you a one-time-use password. Or maybe not. I just know,
if you want the password delivered in person, only ask for it in person.

I'd probably rethink the whole system, and not the user.