

Passwords and interviews - Garbage
http://radar.oreilly.com/2012/03/facebook-password-interview-social-engineering.html

======
SoftwareMaven
_And if you're a job-seeker: I don't really care how badly you need the job,
you don't need that kind of employer._

Unfortunately, that isn't true for some people. When unemployed and living
paycheck to paycheck with few, if any, marketable skills in a depressed area
with a spouse and kids, the employer/employee power balance shifts
_dramatically_ to the employer. If I were in that situation and I thought
giving up my password was the only thing between me and the job, I would
probably consider it.

~~~
Jach
You're right that it isn't universal. Just like any compromise or "selling
out" of principles in the name of short term gains, though, I think the
empathy should only go so far. Pity those people but don't desire to be them
or think it's okay that they compromise on principles.

"Take as your life's objective the goal of getting money for doing your own
thing. You were born to do this. Never lose sight of this and settle for
second best because this is one compromise that will guarantee unhappiness.
Leave that kind of compromise to others - they were born for it. You are not."
-- Mark Tarver

~~~
j_baker
You've never been unemployed for a long period of time, have you? Unemployment
makes you realize how few principles _really are_ important. At the end of the
day, I'll value being able to eat over some abstract sense of morality. But if
you _have_ been unemployed for a long period of time and kept to your
principles, more power to you.

~~~
einhverfr
I have been unemployed for some period of time--- six months. After which I
decided that the best course of action was to become self-employed.

I can completely understand why someone would hand over their passwords to a
prospective employer when asked. There is a huge power differential as you
point out. However it is no less stupid.

Here's a basic rule I try to keep in mind, and I think it is extremely
important in a hard job market as well, and that is to keep options open and
work on ensuring you aren't on the bad end of such a bad exchange. The way you
do this is by doing what odd jobs you can to put food on the table, so that
even if you need the job you don't need it so badly to take a shit deal.

~~~
qq66
Not everyone is capable of being self-employed. A lot of people are willing to
work hard, but need the structure of being told when and where to show up, and
what to do.

The fundamental nature of any transaction is that when one party is in a tough
position (the formal term is having a poor "best alternative to a negotiated
agreement") that person is going to get screwed over. When your BATNA is to
have your kids go hungry, most decent parents will gladly give up their own
dinners, let alone their Facebook password.

~~~
einhverfr
Everyone can do at least odd jobs to reduce the impact of being unemployed.
The general point is that you want to maximize your strength so you can
negotiate from the strongest position you can....

------
balloot
Anyone else notice that there have been exactly zero specific cases of an
employer asking for a FB password? It seems that "Employers ask for FB
passwords!" is more of an outrage tool than an actual issue.

For those who watch TDS/Colbert, they poke fun from time to time at Fox News
et al for making up scary things that kids supposedly do - the latest was
soaking tampons with vodka and sticking them up your butt. This feels like the
"soaking tampons with vodka" of the professional world. Someone probably has
done it, but it is really uncommon and not worth losing sleep over.

~~~
pangram
It definitely happens; here's a case from last year that the ACLU was looking
at: <http://www.aclu.org/blog/technology-and-liberty/want-job-password-please>

The insidious thing about this is not if it happens for people looking for
tech jobs (they're generally clued in enough to refuse, or go somewhere else,
or make a fake Facebook account filled with stuff like "I love working so
much!" and "I saved a man's life with a quick appendectomy at my volunteer
gig"). People looking for lower-tier jobs are in less of a position to be able
to refuse.

------
clarebear
My husband, Rob, interviewed at a firm where his HR contact could not
understand why he was upset when an automated email that appeared to be
from the HR contact sent Rob his password in plain text. Rob replied to the
email to complain, thus actually giving his password to Mr. HR. When Rob
continued to complain about this problem, Mr. HR accused Rob of not trusting
him and insinuated that maybe the hiring process should stop right there. Rob
could not even explain to Mr. HR why he was so upset in a way Mr. HR could
understand. So HR departments tend to have very different ideas about
passwords than, for example, HN readers.

~~~
lukejduncan
The university I attended did something similar.

To graduate you had to apply online. However, they never actually integrated
the graduate application process with their auth process. So when you applied
to graduate you had to "sign" your application with your password. This app,
password and all, would then be emailed out to everyone in the Records and
Registration office. I presume they then manually logged into my account, and
if that succeeded I had verified my identity. If this password wasn't tied to,
say, the ability to take out a student loan then maybe it wouldn't be a big
deal.

I tried explaining to the person who answered the records office phone that
this process was broken and I needed another way to identify myself (I'm an
out of state student). They didn't care and didn't understand the issue. No
one took me seriously until enough people tweeted about it that a PR person
contacted me and had IT fix the problem.

So: Mr(s). Non-technical also tend to have very different ideas about
passwords than, for example, HN readers.

------
For_Iconoclasm
I would answer that rhetorical question with no, HR departments have _not_
heard of social engineering attacks in computer security. Almost any
company asking for a password will have a brain-dead HR department in charge
of that policy; it's not like your fellow future programmers thought that one
up.

~~~
tokenizer
I agree with you, but isn't this a problem?

I mean, I'm not a fan of people not understanding a tool(service) they use,
but if your job pertains to asking for passwords, then you should definitely
need to understand the repercussions of such a request, at least on a social
engineering level.

It's not even programming, it's privacy. If companies are going to continue to
hire non-technologists that use technology especially in a specialized way like
this, then they're going to continue to make common-sense mistakes like this.

~~~
For_Iconoclasm
Oh, it is absolutely a problem! But, having people not knowing what they're
talking about has always been a problem. Nothing short of a strictly-enforced
policy mandating that HR departments need to have decent knowledge in a
certain area will change that.

Besides privacy, it could turn out that HR involved in other domains are
broken relationships. If anybody has any examples, I'd love to hear them.

------
duck
Exactly what I said in the last thread. :)
<http://news.ycombinator.com/item?id=3746005>

------
espinchi
I really want to think that this is an extremely rare case.

