Should I know my employees’ passwords?

If you’re a business owner or manager, you might feel that it’s your duty to maintain a list of your employees’ passwords. After all, you might need access to their documents or email when they are out of the office. Even worse, an employee could resign without notice. So knowing their passwords seems the logical thing to do, right? WRONG!

If identity and access management is set up correctly in your systems, there is no need to know employee passwords.* In fact, it could be a legal liability if you know their passwords. When only one person (i.e., your employee) knows the password, there is accountability in their actions. When you know their password, the worker could always claim “well, my manager knows the password too.” Your corporate information security policy should mandate that employee passwords are never to be shared.

There are plenty of legitimate reasons to have access to your employees’ work. This access should be handled via administrator accounts. These accounts are highly privileged. This means that you can get to the content you need without knowing employee passwords. As administrator accounts are critical to the operation of your business, there should be multiple managers set up as designated, trusted administrators. (I.e., One administrator for a company is not sufficient. This would be a “single point of failure.”) Each administrator would be given his or her own set of administrator credentials.

*Encryption is one notable case when administrator accounts can’t always provide access to employee data. For example, Mac administrators cannot unlock employees’ keychains. With most simple encryption techniques, there is no way to decrypt the data without having the decryption key or password. That said, applications can be engineered to encrypt/decrypt content for multiple users. Apple’s FileVault is a perfect example of this. Behind the scenes, multiple keys are used for each user.

Leave a Reply

Your email address will not be published. Required fields are marked *