I work in IT for a retail company, supporting the employees. One big thing that is stressed as much as possible is to NEVER SHARE YOUR PASSWORD. Unfortunately, a lot of the store users either don’t see a problem with it or just think it doesn’t apply to them. Whenever we find out that someone is sharing passwords, we’re supposed to reset the password that’s being shared and submit an incident report to our security team. The user whose password we reset needs to call in for a new one, and they’re given a reminder that they shouldn’t be sharing passwords.
When I am still new to the company, I get a call from a user who says she’s having trouble with her email. We go through some remote troubleshooting, and I end up having to reboot the computer. It comes back up and I get reconnected to the workstation.
Me: “Okay, go ahead and sign in. I want to see if the error continues to pop up before you access your email.”
The user enters credentials that don’t match her account information on the call ticket in front of me.
Me: “Um, you’re [User], correct?”
User: “Yep.”
Me: “Okay, but it looks like you didn’t enter [User’s account username].”
User: “Nope. It’s my manager’s email that’s having issues, so I’m using her account.”
Me: *Head-desk* “Is [Manager] your manager?”
User: “Yes.”
Me: “Is she in the store?”
User: “No, she went home for the day and wanted me to get this fixed.”
Me: “Okay. Unfortunately, I’m going to have to reset [Manager]’s password and end this call. I’ll also be submitting an incident report to our security team, and the two of you may be contacted by them. You’re not supposed to be sharing credentials like that. She’ll need to call us to get a reset.”
User: “Well, she said it was okay for me to use her account to get this fixed.”
Me: “I understand that, but she was mistaken. It’s not okay to share credentials. If she’s having email issues, she needs to call us while she’s having trouble so we can investigate.”
User: “She doesn’t have time to do that, which is why she told me it was okay.”
Me: “Unfortunately, this is company policy. You are not supposed to be sharing credentials, and I am going to be resetting her password and ending this call. She’ll need to call us back to have her password reset.”
User: “You know what? Fine.” *Click*
I fill out my call ticket and note what happened. I also reset the manager’s password and submit the incident to security.
The manager does call back later that day to get her password reset. (We have a Single Sign On setup, so the manager was trying to check something from home and couldn’t. Also, if I had to guess, the user I was talking to called and complained about me as soon as she hung up my call.)
I’m not there when the manager calls, but my coworker takes the call and tells me about it the next day.
Manager: “Someone from your team reset my password earlier for no reason! She should be fired!”
[Coworker] is able to see [Manager]’s account status, and he was sitting right behind me when I took the initial call, so he knows what happened.
Coworker: “I see that your password was reset because you gave your credentials to [User].”
Manager: “Well, of course! She was the only one who had time to call you and fix my email! The girl she was talking to shouldn’t have reset my account! I didn’t do anything wrong!”
Coworker: “Ma’am, you should not be sharing passwords. That’s why your password was reset.”
Manager: “I told [User] it was fine! I said it was, so she can use my password! Why did the girl earlier reset it like that and not give me a temporary one?”
Coworker: “Because you were no longer in the building for us to verify. I can provide you with a temporary one now and help you reset it; I just need to ask a couple of verifying questions.”
Manager: “Why do you have to do that?”
Coworker: “Company policy. I need to confirm your identity before I can reset your password. And you should not be sharing it with anyone else.”
Manager: “Ugh. Why not? I told [User] it was okay!”
Coworker: “It’s a security measure, ma’am. Just like the identity verification. It helps ensure that you’re the only one actually signing in with your credentials.”
The manager apparently grumbled but finally went through the verification steps, and my coworker was able to get her reset with another warning not to be sharing credentials. I did not get fired or even talked to or written up for doing my job, so there’s that.