

Please don't ask me for my password - ajhai
http://blog.ajhais.com/2011/09/please-dont-ask-for-my-password/

======
robertskmiles
No employee should _ever_ ask for a password. The way I see it is that it's
not a matter of corruption, or people eavesdropping on the connection (what a
targeted attack that would be, targeting a specific, short, rarely occurring
chat session). The point is that if your employees never require a password,
you can put in big letters OUR EMPLOYEES WILL NEVER ASK FOR YOUR PASSWORD, and
attackers imitating your employees are SOL, because they can't ask for the
password without it being obvious that they're not real employees.

Surely you can just give relevant employees admin powers so they don't need
the password.

If you don't trust them enough for that, it's relatively simple to set up a
proof that the person has the right password without actually transferring the
password itself, so that the employee can't change things about the account
without express customer permission.
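
(Added example, not part of the comment above or of the linked post.) One way to build the kind of proof the comment describes is a challenge-response: the customer's browser answers a one-time nonce with an HMAC keyed from the password, so the support agent only ever sees the response. The class, function and action names and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

def derive_key(password: str, salt: bytes) -> bytes:
    # Slow KDF so the stored key is costly to brute-force (iteration count assumed).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _mac(key: bytes, nonce: bytes, action: str) -> bytes:
    # Binding the action into the MAC means an approval cannot be reused elsewhere.
    return hmac.new(key, nonce + action.encode(), hashlib.sha256).digest()

class Account:
    """Server-side record: salt and derived key, never the password itself.
    Caveat: the derived key is still password-equivalent for this protocol;
    a PAKE such as SRP or OPAQUE removes that weakness."""

    def __init__(self, password: str):
        self.salt = secrets.token_bytes(16)
        self.key = derive_key(password, self.salt)
        self.pending = {}  # nonce -> action awaiting customer approval

    def issue_challenge(self, action: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = action
        return nonce

    def verify(self, nonce: bytes, response: bytes) -> bool:
        action = self.pending.pop(nonce, None)  # single use: replays fail
        if action is None:
            return False
        return hmac.compare_digest(_mac(self.key, nonce, action), response)

def customer_respond(password: str, salt: bytes, nonce: bytes, action: str) -> bytes:
    # Runs on the customer's side; the password never leaves their machine.
    return _mac(derive_key(password, salt), nonce, action)

if __name__ == "__main__":
    acct = Account("correct horse battery staple")  # constructed sample password
    nonce = acct.issue_challenge("reset-dns")        # constructed sample action
    proof = customer_respond("correct horse battery staple", acct.salt, nonce, "reset-dns")
    print("approved:", acct.verify(nonce, proof))
    print("replayed:", acct.verify(nonce, proof))
```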

------
wccrawford
That's an absolutely ridiculous policy for them. No support person should EVER
ask you for your password.

~~~
ajhai
I'm not sure if it's their policy or just the support person.

~~~
wccrawford
Not having a 'no asking for passwords' policy is just as bad. Most companies
with an online presence will tell you in their form emails that an
employee will never ask you for the password. This one not only doesn't, but
obviously regularly asks for a password.

------
pavel_lishin
My employer asked me for my password once, for some site. I forget why -
someone needed superadmin access, and this was the fastest way to give it to
them.

I gave in, and promptly changed my passwords across all sites (this was back
when I just had the Three Passwords) - and changed all of my work-related
passwords to something stupidly simple, fighting off the urge to change them
all to "fuckyou" and "shitslapbananamonkey".

------
vedantmisra
This is bad, but not as bad as what I experienced with my hosting service---
the employee I was chatting with straight up gave me my password.

~~~
bryanlarsen
I hope that was a new account or new password and he just forgot to add "now
change it" after the "here's your password".

