User Passwords

Best Practice: Never ask for a user's password

IT organizations should never ask an individual to reveal their computer, email, or any other password. Users can then keep their passwords strictly confidential and are less likely to disclose them in response to a phishing email or a similar request. Password confidentiality not only keeps the user's data secure, but also helps prevent the unauthorized use of an individual's credentials to access the organization's data.

The use of distinct and separate login credentials for users and technicians, along with password confidentiality, protects technicians from accusations of accessing an individual's computer inappropriately or without their consent. Conversely, if separate user and technician credentials are not maintained, a technician could be implicated in any inappropriate or criminal activity conducted by the user. If the technician knows the user's password, there may be no way to prove that it was the user, and not the technician, who carried out those actions.

Most IT tasks on a user's computer can be carried out with the technician's own login if it has admin privileges, or via a separate administrator account. Some tasks, such as configuring a computer for a new user, cannot be fully completed without the user logging in. In those cases, the user will need to be present to enter their credentials themselves. Alternatively, if the user gives consent, the technician can reset the user's password to a temporary value that the technician knows. Once the work is completed, the technician will need to have the user reset their password back to something confidential. Keep in mind that a reset may affect access to other services that share that username and password, such as email.