There’s a password discussion ongoing today in the section of Reddit populated by system administrators and it was prompted by this lament:
“I work in sales now, and I was a former Network Administrator. Today I got an email from management that is asking everyone for their recently changed domain passwords (apparently this is a common practice for the company).
“This immediately throws up a red flag to me as the last thing I want to do is email/send/distribute my Domain password to someone else. Management or IT. I went to management and explained the security risks with storing everyone’s passwords …”
His warning apparently went unheeded.
The ensuing discussion was predictable in that everyone agreed that what management was asking for is crazy from a security standpoint, not to mention a legal one.
Somewhat surprising, however, were the reports that this is not an isolated case … or even rare. From another participant:
“In smaller shops it is pretty common. I know a lot of places that do this or just assign users passwords. Hell, a lot want everyone’s to be the same. We had a client get angry that someone was in another user’s email and demanded to know how it could happen. I pointed out that we had multiple talks and emails about this and if everyone’s password is the same then anyone could log in as anyone else. They finally took the hint.”
Assign everyone the same password? Now that’s one I hadn’t heard.