Cyber Security

Why I Can’t Send You Your Password

Every once in a while, someone loses their password and asks me if I can send it to them. Just today I had someone ask me for the password(s) for the mailboxes of a former client.

My answer is always the same. I can’t send you your current password. The reason for this isn’t because I don’t want to. Actually, that’s not right. That’s exactly the reason. I don’t want to be able to send it to you. I don’t know your password.

When we send out a password to a client, that password is always considered temporary and invalid as soon as I send it. For security reasons, I assume that the client will change the password as soon as he receives it.

Of course I’m not naive. There are plenty of clients that never change their password, and that keep using the password I sent them (over e-mail, no less). If there is no system that bans them from doing that, 90% will keep using it.

Services like Office365 try to fight that. By default, the password you generate is temporary. You’ll be asked to change it as soon as you log in. It’s possible to override this behaviour, but I’m not a fan of this concept unless it’s for my own use.

There are three main reasons I don’t know what your passwords are. And none of those are going to change.

  1. There’s no reason for me to know it. I don’t need access to your services, and in the few cases that I do, I can usually override your access or simulate what you are seeing. On top of that, I can just reset your password when you forget it. That’s faster than digging in a database to find a password.
  2. It’s incredibly dumb of me to store passwords. With GDPR lurking around the corner, I am already anxious about storing your shipping address. There is no way I am storing passwords to your accounts in a database or in a file. Do you want user accounts to get hacked? Because that’s how user accounts get hacked.
  3. 90% of the time, you don’t know the difference anyway. If you tell me that you can’t log in to (insert something) and ask me for the password, I can give you any password I just generated and it won’t make a difference. Let’s face it. You forgot what it was to begin with…
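To show what “I don’t know your password” looks like in a system that is built that way, here is a small added example (written for this post, not the author’s or any product’s code; the in-memory account store and the account names are constructed). Only a salted PBKDF2 hash is ever kept, a reset hands out a random temporary password that must be replaced at first login, and the old one dies the moment the user picks their own.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory account store: {username: record}. A record holds only
# a salt, a PBKDF2 hash and a "must change" flag. The plaintext is never kept,
# so there is nothing an admin could look up and send back to the user.
ACCOUNTS = {}

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; raise it as hardware improves


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def issue_temporary_password(username: str) -> str:
    """Reset an account: generate a random one-time password, store only its
    hash, and flag the account so the first login has to replace it. The
    plaintext is returned exactly once, to hand to the user, and not retained."""
    temp = secrets.token_urlsafe(12)
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash(temp, salt), "must_change": True}
    return temp


def verify(username: str, password: str) -> bool:
    rec = ACCOUNTS.get(username)
    if rec is None:
        return False
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def login(username: str, password: str) -> str:
    """Returns "denied", "change_required" (temporary password accepted, but it
    must be replaced before anything else is allowed), or "ok"."""
    if not verify(username, password):
        return "denied"
    return "change_required" if ACCOUNTS[username]["must_change"] else "ok"


def change_password(username: str, current: str, new: str) -> bool:
    """Only the user, who knows the current password, can set the new one.
    Afterwards the temporary password is dead and the admin knows nothing."""
    if not verify(username, current) or len(new) < 12:
        return False
    salt = os.urandom(16)
    ACCOUNTS[username] = {"salt": salt, "hash": _hash(new, salt), "must_change": False}
    return True
```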

You don’t want me or anyone to know them either

Trust me on this one. It’s safer that I don’t know your password. On top of that, you should be wary of anyone that can provide you with your current password. Password resets are now widely available. With systems like the Password Manager by Quest you can even automate password resets so your IT guy doesn’t even know you forgot MyDogIsAwesome201706.

Nobody who wants to take his job and data seriously will remember the specific password you are using. So suck it up, reset that password and just enter the password again in your Outlook client when it asks for it. We are all better off that way.
