Convince people not to share their password with trusted others

Question

IT workers are usually trusted by their family members who readily share passwords (Facebook, email, twitter, you-name-it!) so they can get easy help to set what-ever-parameter they don't find or explanation of a challenging situation.

I always try to convince and explain why this is a bad practice and that I do not want to know their password. However, I usually fall short on argument when I get answered "But I know I can trust you" or "I know that you will not use this for evil acts" to which I can't really reply "You don't know" as it would imply they can't trust me (remember, they are family members).

What list of arguments (the longer, the better) do you use to explain the risks of having such bad practice?

---

Here is my own small list:

• That's a bad practice and you should not trust anyone with.
• That's not respectful for the people sharing intimacy with you (you gave me your Facebook password, I have now access to all the very personal details of people that trust you and not me).
• That's a responsibility I do not want that you force on me.
• If I use this password carelessly (i.e., without checking over my shoulder) someone can read this password and I would be the one that leaked it.

Most of them usually don't understand, become suspicious or just assume that we are just paranoid.

---

Please, avoid cases when harm is done using passwords. While this is mostly funny or creative, that does not answer to my answer where people trust you and this must be kept as is. Note though, that the comments stating you didn't realize they'd find what you did a problem or changing the password by a secure one and sending the password reset link are somehow valid in a way ;)

Answer 1

The nice and educational way

This is a bit similar to your third bullet point.

Nobody else should know your password, not even people you trust. That is the only way you can be sure only you have access to your account. Let's say you give me your Facebook password and a week later rumors start spreading about what you did in Las Vegas last year.

Only a few people you trust knows that, and well, potentially me since I have your Facebook password. If that happens, I do not want to be a suspect. I do not want to be in a position where every privacy-related incident that happens to you could have been because of me.

Giving information they should not have to people you trust can end up destroying that trust instead of reinforcing it.

If countered with "but I really do trust you completely", highlight that the person also completely trusts Eve and Mark, the only two persons in the world who know about the Vegas incident, and if the word gets out clearly someone trusted must have broken the trust. A key message is this:

I do not want to be party to all your secrets.

If need be, make up a white lie about a friend of yours who got in trouble in a similar scenario to make it more concrete.

The not so nice and educational way

To teach people not to share their password, I post all passwords people give to me on Twitter. No exceptions. If you give me your Facebook password, within five minutes it will be on Twitter together with your username. [Open up Twitter and get ready to type.]

If you still want to give it to me, that is fine, but you have been warned.

This is probably not a good idea since you should not make threats you are not prepared to deliver on, and you should not deliver on this threat. But sometimes I am tempted...

Reversing the roles

Sometimes it is easier to understand someone else's position if you reverse the roles. Give the person a sealed envelope and say this:

This envelope contains a piece of information that would completely ruin my career, my marriage, my life if it ever came out. You must hold on to this envelope forever, and make sure that nobody - including you - ever see what is inside.

But don't worry, I trust you completely.

When they refuse to take the envelope, explain that you don't want their Facebook password either.

Answer 2

This post is about communication with people that have absolutely no technical knowledge or interest; especially people afraid of technology.

Don't explain, don't complain

It is incredible hard to change other people, especially if they are IT laymen and you are the expert.

This is the same issue as in general communications. Avoid all sentences that somehow contain "you", and stick to "I". They cannot argue against "I".

Example:

• They: "Here is my password, please configure my facebook account for me."
• You: "No, I never take passwords from other people. But if you log in, I'll show you."
• While they type it in, pointedly look away.

It is as simple as that. It's the same as being a parent/teacher, you don't always have to explain everything in great detail. Do it by example.

Corollary

IT laymen are often not interested in actual technical or security-technical reasons at all. It confuses them (because they have no technical background), and they already have been told lots of confusing and alarming things about IT security by their TV or newspapers. So, trying to force some explanation on them does nothing for your cause. It will not help them, and it will not help you. Of course you can try to explain things if they actually are genuinely interested (in very simple words), but I found over the years that even trying to explain something in this case can do more harm than not. I will usually explain stuff in very easy similes (e.g. email <=> snailmail) and not go into specifics at all.

Answer 3

Funny enough, I actually don't accept your premise. As an IT professional you can read other people's emails and other communication, delete their directories etc. It is part of the professional code of conduct not to abuse your position. People trust your integrity, the same way they trust their bank's employees not to steal their money, although they could.

Disclosing passwords to IT professionals falls in the same category as disclosing your earnings to your tax adviser or your health issues to your doctor. We are professionals that people come to in order to get problems fixed; that often cannot be done without passing on sensitive information.

Edit: Family members whose rooms you have access to must fully trust you in any case because of the old rule that a system to which an adversary has physical access cannot be reliably protected. It would be comparatively easy for you to install a keylogger or monitor their WLAN traffic. In effect, they trust you already with their passwords, whether you like it or not.

If you don't want to handle your family members' IT problems (the same way as you wouldn't want to do their taxes if you were an accountant, or advise them on their health problems if you were a doctor); if that is the issue, come forward and say so. It is a problem we all face.

On a friendlier note your posting this question makes me trust you, paradoxically :-).

Answer 4

Just change the password after you're done helping them, and send them a password reset link. They will soon learn that it's easier to keep their passwords safe than to restore them.

Alternatively (e.g. for a primary e-mail account), simply change their password to a strong one and communicate it to them. Explain that changing passwords and using computer generated passwords is recommended. Either they will learn to keep the password for themselves, or at least you'll teach them some good practices.

Answer 5

Knowledge leads to responsibility. Imagine you gave me your password...

I have to keep your password (which happens to be beerbar2) a secret. The next time I'm at the beer bar, I must actively avoid thinking about it, because I might accidentally spill it out. This is mentally taxing on me. That I might drink a beer in that situation is not helpful, either.

I must also be careful not to confuse it with the password of my other friend, who chose barbear3 and regularly forgets it, so I have to send him his password again.

Finally, if my computer ever gets infected with some nasty information extractor, your password ends up being collateral. I'm probably more careful than you are about those things, but it is obvious that the surface increases.

So, yeah, we trust each other at a certain level, but unless our bond is so close that we regularly use each other's account, I don't want to have to bear this additional responsibility, and you don't want that the password is less secure by definition once shared.

My point is that explaining to someone that password sharing is a bad idea does not require eroding trust, which seems to be implied by another answer.

Answer 6

One thing you might consider trying is, "If you trust me, then trust me when I say that you shouldn't give your password to ANYONE."

Answer 7

Don't give them opportunity to give you their passwords.

For one thing, never do tech support "free for family" over the phone. That's a quick way of ruining a good relationship. Only ever do tech support in person. Then, when the login screen comes up, pass the keyboard over to them. Let them enter the password.

Answer 8

What else are they giving you access to?

Someone who's willing to share passwords probably has the same passwords for everything. By giving the Facebook password, they've also giving access to every email they've ever sent, online banking, online retirement accounts, etc.

Hopefully the mention of their financial security would be enough to dissuade them.

Answer 9

Offer them an alternative.

People are giving you their password for a reason. They want you to do something with it. Find out what it is, and find another way to do that.

1. They want you to log on and "do" something for them? Fix, post, explain?

Have them log on instead, and help them afterwards. Use remote assistance or teamviewer to take over their screen, or easy enough just Skype to share the screen and tell them where to clicK.

2. They want you to have the password in case they can't access a computer and the account needs work? Might be in case of death or illness, or just a coworker during a vacation time.

First of all, same principle: try finding another way to do what it is they want you to do. Memorialize the facebook wall - there are procedures for that. For a co-worker, maybe the IT department can give you the same rights to do what he can?

Second, find an alternative to having the password: have them put it in their will, or in a vault where you can access it but they'll see you have done so when it happens.

Answer 10

Once I was given a master-key to a building as part of my work and was showing it off proudly to my manager. He said that he refused to have one. When I asked why, he said that although it was useful, if something, such as a burglary, happened in any of the locked offices then those people who held the master key would be under suspicion and he didn't want that responsibility.

I think the same is true for family members sharing a password, everyone who has the password is now jointly responsible for anything that happens with that account. So it really depends on what you can do with the account. Posting to Facebook, Twitter etc could destroy a person's reputation. Shopping sites and anything to do with money could be used fraudulently. So, by not having the password it actually lessens your risk, that you get involved with something relating to that account by someone else who is also a password holder.

Answer 11

You increase your legal liability

In the case of financial applications (such as online banking), sharing passwords may result in you surrendering certain rights of recovery should fraud occur.

You might breach your terms of use

Sharing your online password may be considered a breach of your end user agreement.

You may be violating the law

Sharing passwords may be a federal crime in some cases.

Answer 12

For these kind of situations I use to say that "I have a personal policy of X".

Example:

"I have a personal policy of not knowing other people's passwords."

If they ask why, I'll reply:

"It's simply a personal decision."

If they still insist (not common), it's up to you to provide an in-depth explanation. In that case, the suggestions from other answers come in handy. As for myself, most often than not, I'll just say:

"I'd rather avoid discussing that."

Answer 13

Your passwords are private. And like other private information about you, I simply don't want to know it.

I wouldn't discuss this alot, I'd rather state that I simply don't want to get this information and ask them to type them in themselves.

Answer 14

Identity.

Obviously security is the most pressing concern, but before security can be enforced, one has to enforce identification. Passwords protect by identifying a user, letting them in and no one else, that's why they usually are paired to a username. Therefore they serve the same purpose as your ID or Passport.

You don't share your ID, because it would defy the purpose of having one. It's like doing a plastic surgery on your face and using you friend's ID.

For exactly this reason most online services also state in their EULA's that sharing access to your account is not allowed, and could potentially lead to the account being terminated.

Answer 15

Just convince them to make the password literally be some embarrassing fact about themselves. It will likely be more secure than the typical "myname1995" passwords, be less forgettable, and they won't want to share it with anyone due to what it says! Make it a phrase like "I am in love with my best friend", eeek, do you really want to say that out loud!? (though I wouldn't make it too sensitive out of fear of some nefarious server transmitting/storing it in plain text and it ending up out in the open that way... but strike the right balance)

Then, of course, point out that what it leads to likely holds even more embarrassing secrets that is really easy to accidentally see, even without intention. Imagine your tech guy being logged into your facebook right at the time your best friend sends you some personal message on the chat. It literally pops up, hard to not at least glance at the text.

Answer 16

I usually go 'please, please share your Facebook credentials with me, so I can write posts, you know I don't have my own Facebook account'. This works very well, at least everybody has refused.

Answer 17

Many a Times, One Means All

Explain to them that giving just this one password is going to make it easy for you to guess the passwords of other accounts. Most people use the same password everywhere or a slight variation depending on the website.

What do I mean by slight variation?
Say your brother John wants to give you the password to his Paypal account and his password is "PJkfadkf!1". If you have a few other passwords of his you can easily guess that P stands for Paypal and J for John. So by that logic his Facebook password would be "FJkfadkf!1".

---

Loads of Tools and Clutter

Explain to them that you're an IT professional and you use a lot of tools. It isn't humanly possible to keep a track of all the detailed aspects of every tool. If any of those tools infect your computer with a virus/malware you'd be putting them at risk. Then explain them the first point.

They probably will realise that they're potentially giving access to all their online accounts in case you accidentally misplace their password.

---

If he/she's younger than you, you can be a little firm and deny taking their password.

You need not be rude.

---

Alternatives approaches that will enable you to take passwords.

Use one time measures wherever possible. Example:- Take an one time password.

This way you cannot harm them in any way. I've also seen many websites that provide an alternative way to login via links in emails. Perhaps you could use those as well.

---

If you need to take their password, ask them to change it and then give it to you.

Do not forget to tell them to change it after you're done using their account.

Answer 18

Remind them that they are responsible for everything that happens using their password, regardless of who actually did it, and that you would prefer not to put your reputation at risk should anything go wrong.

Answer 19

If more than 1 trusted person knows your password they are more or less anonymous. In other words if you tell 3 people your password and one abuses it then you can't blame anyone, because it's impossible to know which of the 3 people abused it, or it's really hard to find out.

Additionally hackers may ruin your relationship even if you just share it with 1 person, because most people don't believe they are ever hacked, so they will be more likely to blame that 1 person that knows their password, than their own behaviour.

Kind of like people are more likely to say: "My computer is slow ever since you installed that video game tom, this has nothing todo with me installing 50 toolsbars with every installation of freeware on my computer and clicking every ad on the internet."

Than they are to say: "Wow, those toolbars I installed really slowed my computer down, and thanks for that video game tom."

Answer 20

My usual answer is to stop them immediately and say

I don't want to know.

So the real question asked here follows, as to the why. These are normal people I'm talking to, so if I go into InfoSec specifics, I'll likely have to give a huge speech, which typically neither me nor they want.

The shortest answer that I've found that satisfies most people is something along the lines of:

I want to be sure that if something happens to your account, you know for sure that it wasn't me. I know you trust me and I appreciate it, but if there is a problem, we will both feel better if we know for certain. And anyway, you should always keep your personal passwords to yourself, it's a good habit and will certainly save you trouble one day.

There's no point to go into depth about trust or possible threats or elaborate very much.

Answer 21

Reading the other answers I'm expecting this to be down-voted by the IT sec community here, but bear with me...

Frame challenge: I think there are some cases where sharing passwords with trusted family members can make sense. In a sense it's the same as giving someone a copy of your house keys - as a matter of fact it is exactly the same, as per the old adage that physical access to a computer will essentially make it your computer (grabbing the passwords will be trivial after that).

I think it is important to understand the context of the situation where a family member would try to give you a password, the same as with house keys. Would I accept a house key or password from a distant friend or a colleague at the office? Certainly not. But I have a duplicate key to my parents house, because they asked me to hold on to it. Why shouldn't I do the same for a password?

For example, my parents essentially share all their passwords with each other. I was able to make them to use a password manager, and the master password for that manager they know both of them. Why? Because sometimes my father forgets it - and my mom knowing it is still better than the alternative, which would be the simplest imaginable password written on a post-it note sticking on the monitor...

They also gave me a copy of that master password. I now store it safely (on an encrypted disk in a password manager), the same way I store their house key - hoping that there will never be an emergency reason for me to use either.

In my eyes this boils down to two the old saying that "security at the expense of usability comes at the expense of security". Sharing a password among close family can be a safer way of handling a situation than the most likely alternative.

IMHO it can be more fruitful to explain to relatives that handing out passwords is essentially like handing out copies of your house key. You can do it in some very limited instances with people you absolutely 100% trust - but only then, and you need to be aware of the potential consequences if this trust is abused.

Answer 22

In most cases, giving someone else your password is a violation of the site Terms of Service. In most cases, a breach of the ToS requires you to delete the account and never use the service again. In some jurisdictions continuing to access the account in violation of the ToS is felony "Computer Hacking" and can put all involved parties in jail.

Please don't make me an accessory to "hacking" charges. If you give me your password I will be forced to report it to the maintainers of the site and have your account terminated.

For the Skeptics: https://ilt.eff.org/index.php/Computer_Fraud_and_Abuse_Act_%28CFAA%29 http://www.tomsguide.com/us/obama-cfaa-revisions-infosec,news-20330.html https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act

Answer 23

You can always tell the person that you don't trust your computer's security, and that it would be best to not know the password since typing it in to your computer could lead to the account becoming compromised by Internet spammers and the like. I think it would be a very reasonable and polite way to decline.

A lot the bad things that can happen when you tell someone your password aren't because the person is dishonest and misusing your password, it's because they don't know enough to use it in a secure way, and someone else ends up doing something bad with it.

Answer 24

There should be no need to share a password for a social media account, because the owner of this account should be capable of managing it themselves.

When asked for assistance, I would be inclined to direct them to a suitable online tutorial. If they are not capable of following the tutorials, then I would question whether they are capable of safely using the service.

Answer 25

You can always throw out an informative explanation on data leakage and the strain it would place on your relationship.

For example:

Them: Can you help me? My password is...
You: I can help you, but please don't tell/hand/etc me your password.
            // have them type it in or something//
You: We all know sharing passwords is bad but if a company--like your bank--were to be compromised, your information and password could be leaked to the public. If something were to happen, I wouldn't want you to think I misused or lost it.

The above scenario can be modified to how you conversate with the person, but you get the point.

This has worked for me in the past with friends and family. You mention bank or something similar and it catches their attention.

Answer 26

There's actually nothing wrong with sharing passwords. For non security critical applications (i.e.: most things for most people, probably everything but financial apparatus) it is a matter of convenience, utility, and reasonable trust.

It seems like the part you really care about is them abusing your expertise, and want to have a legitimate-sounding way to say "no I can't do that because XYZ". In which case just tell them the TOS for that service will ban people for account sharing, which is probably true in many instances.