Ask HN: How to address security incident without offending coworker?
2 points by BaronVonSteuben on Sept 21, 2018 | hide | past | favorite | 2 comments
Recently at work I had a friend use an insecure medium to send me a password to a production account. This is a big security faux pas, and means we need to rotate that password ASAP and consider the old one compromised. But this question has nothing to do with the technical side.

The friend that sent me the password was trying to be helpful, and truly I appreciated his help. If I blow the metaphorical security whistle in his face regarding this security issue, it will probably hurt his feelings and may provide a disincentive to be helpful in the future. However, I obviously want to prevent disclosures like this in the future.

How would you handle this situation?

Ask them to lead the clean-up themselves. This lets you acknowledge their good intentions and doesn't feel like you are throwing them under the bus behind their back (bad analogy).

They screwed up, but this lets them look responsible and self-accountable. There is no cure for bad management, but with decent management the friend will be more embarrassed than anyone would be judgemental - screwups happen, coverups or ignoring them is the thing that is far worse.


If it's really that important to be secure, I'd use an electronic password generator fob that intermixed the password list with a universal cosmic radio background radiation signal.

Perhaps he just gave you a one time use password. Or maybe not. I just know, if you want the password delivered in person, only ask for it, in person.

I'd probably rethink the whole system, and not the user.
