In my workplace, sometimes my boss reactivates my computer from hibernation and resets my password to get into my Windows account.

I know that the computer belongs to the company, but I'm used to saving my passwords on that computer, and I'm worried about what he can do with them.

The reason he uses to justify this is that sometimes he wants to know if there is anything uncommitted on my computer, so he can commit in my name.

  • 52
    Most likely, your boss did look at your private email messages and other personal information (because his other explanation doesn't make sense unless he's really incompetent). Consider the information you had on there compromised. The cookies, the passwords, keys, etc. Assume he was able to recover them. Change them all. And assume that he's going to do the same thing over again. Commented Oct 7, 2016 at 1:40
  • 3
    Why don't you just automatically commit everything every 10 minutes (or more frequently, if the boss so desires)? It may not solve your problem, but at least your boss will have to think of a new excuse.
    – Masked Man
    Commented Oct 7, 2016 at 16:45
  • 31
    I don't know how big your company is, but if you have dedicated IT staff, you should ask them if this is a legitimate use of the admin account (and whether your boss should even HAVE access to the admin account). If he's resetting your password via offline means (via ntpasswd boot USB for example) that's almost certainly a violation of IT policy, assuming your company is large enough to have a formal IT policy.
    – Doktor J
    Commented Oct 7, 2016 at 19:16
  • 5
    If he has to reset the password, then your company isn't doing things right. There should be software that audits use of the system; your boss resetting your password and accessing your account to audit is simply wasting valuable time and may be breaking IT policies to boot.
    – AStopher
    Commented Oct 7, 2016 at 21:42
  • 11
    I don't understand how this could even be a question. No!!!! Commented Oct 8, 2016 at 0:58

10 Answers


He should have access to the computer, but not the accounts.

From your description, he specifically wants access to the accounts to act in your name. This should violate your IT department's policies for two reasons.

  1. His actions will trace back to you.
  2. Your actions trace back to him. This muddies the water and should concern him, not you. Downloading movies illegally? Well, we all know Bob has used your computer on a regular basis ...
  • 95
    It's more serious than petty concerns over pirated movies. "I didn't embezzle that money/steal that source code and sell it/commit that felony hack/etc., my boss did, using my account". Thus, it should concern everyone - the OP and boss for both being potentially culpable for any malfeasance done with the user's account, and the company for not being able to attribute actions on the OP's account to the account owner. Commented Oct 6, 2016 at 14:42
  • 6
    "He should have access to the computer, but not the accounts. " Most large US government agencies follow this approach. Commented Oct 6, 2016 at 15:30
  • 1
    This answer is spot on but OP still can't solve his situation. I suggest adding a suggestion to explicitly give boss an account on the machine which can access the development folders and educate boss about the git --author command or whatever their version control system's equivalent is, so boss doesn't need to log in as OP to achieve his goal. Commented Oct 6, 2016 at 17:50
  • 11
    @Sumyrda True, but only if you give credibility to his boss' explanation. Does he like untested, broken code? The solution would be a policy that you need to check in any work in progress at the end of the day in a branch, which is easily verified.
    – jimm101
    Commented Oct 6, 2016 at 18:06
  • 19
    The term for this in the IT Security world is Non-repudiation
    – Anketam
    Commented Oct 6, 2016 at 19:50

Check your IT policy; most places have a rule that this is not OK, ever.

Two things to think about:

  1. If you were discussing a complaint about your boss with HR, they would be able to find out.

  2. If your boss has access to your machine and breaks something, it will appear to have been you that did it.

In every place I have ever worked, this behaviour is completely against company policy for the reasons outlined above. It opens the company up to potential legal issues should they ever decide to dismiss you.

  • 6
    +1 for making the point that the person going in can cause trouble and it will appear as if the OP did it. There is nothing wrong with the boss going in as ADMIN, but not as the user. As you said, some places have IT policies that are much more restrictive where only an IT Admin is authorized to go into the machines. Personally, I smell a rat. Commented Oct 6, 2016 at 13:26
  • 2
    @RichardU Or a paranoid boss.
    – cst1992
    Commented Oct 6, 2016 at 13:41
  • 2
    @cst1992 the reason sounds too muddled to be paranoid: "commit" in the OP's name? I think that manager has a tail. Commented Oct 6, 2016 at 13:44

So I take it boss is coming in as an Admin and resetting your password so he can log in as you. The act of resetting a password is recorded. The account that reset your password is recorded along with the time.

This just makes no sense. If he can come in as Admin then he can view all files. There is no purpose to log in as you unless the intent is to impersonate you.

The reason he gives is

He wants to know if there is anything uncommitted in my computer, so he can commit in my name.

That is not a reasonable purpose. If the code was ready to commit then you would have committed it. If he wants to commit the code then he should do it under his name.

I get maybe an emergency build but not accepting this should happen on a regular basis.

It is company equipment so in the US probably legal. It would not pass any legitimate IT policy. A user not in IT to have Admin rights is not common. For developers, sometimes they are in IT and some trusted developers are given Admin rights, but they are expected to not use those rights to change passwords and log in as that person.

  • Usually a developer has admin rights on his own box only, not admin rights to log into other people's boxes. This sounds like a small company where they don't have a real IT dept, and the owner/boss person has domain admin rights, which is just bizarre. Commented Oct 8, 2016 at 6:22
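
The password-reset record that the answer above refers to is Windows Security event 4724 ("An attempt was made to reset an account's password"). The following is an added example, not part of the original answer, that extracts who reset whose password and when; the sample event, its names and SIDs are constructed, and `Get-PasswordResetHistory` is a hypothetical helper name.

```powershell
# Added example: report who reset an account's password, and when, from
# Security event 4724 ("An attempt was made to reset an account's password").

# Constructed sample event; every name, SID and timestamp is made up.
$SampleEventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4724</EventID>
    <TimeCreated SystemTime="2016-10-05T18:42:10.000000000Z" />
    <Computer>DEV-PC-01.example.test</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">dev1</Data>
    <Data Name="TargetDomainName">EXAMPLE</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1111111111-2222222222-3333333333-1001</Data>
    <Data Name="SubjectUserName">boss</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
  </EventData>
</Event>
'@

function ConvertFrom-PasswordResetEvent {
    # Turns one 4724 event (as XML text) into a who/whom/when record.
    param([Parameter(Mandatory)][string]$EventXml)
    $evt  = ([xml]$EventXml).Event
    $data = @{}
    foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeUtc    = $evt.System.TimeCreated.SystemTime
        Computer   = $evt.System.Computer
        ResetBy    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        TargetUser = $data['TargetUserName']
        # True when the account doing the reset is not the account being reset.
        ByOther    = $data['SubjectUserSid'] -ne $data['TargetSid']
    }
}

function Get-PasswordResetHistory {
    # Live query; needs an elevated session and "Audit User Account
    # Management" enabled. Hypothetical helper name, not a built-in cmdlet.
    param([string]$TargetUser = $env:USERNAME, [int]$Days = 90)
    $filter = @{ LogName = 'Security'; Id = 4724; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-PasswordResetEvent -EventXml $_.ToXml() } |
        Where-Object { $_.TargetUser -eq $TargetUser -and $_.ByOther }
}

# Offline demonstration on the constructed sample:
ConvertFrom-PasswordResetEvent -EventXml $SampleEventXml | Format-List
# On a real machine (elevated): Get-PasswordResetHistory -TargetUser 'dev1'
```

For a domain account the event is written on the domain controller that handled the reset, and for a local account on the workstation itself. A reset done offline by editing the SAM (the ntpasswd case raised in the question's comments) never passes through Windows, so no 4724 event exists for it.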

Others have already mentioned why someone committing code without knowing why you didn't do it is stupid and that using your account is high probability against company policy, and in some jurisdictions illegal.

But you hinted that your primary concern is stored passwords. Put them in a password manager program that requires a "master password" (which only you know) to get to them, such as password1 or KeePass (or Firefox). And if possible, put that app and its DB on a USB stick.

  • 1
    Do those passwd managers have an option to forget the master PW on hibernate/resume? If not, you def. need your passwords on a USB stick. Commented Oct 8, 2016 at 2:49
  • I know nothing about password1. KeePass I used four years ago, so it may have changed. You launch it, enter the master password, grab the stored password you want, and then close it. Firefox, you have to enter the master password at least once each browser launch before you can get to the stored ones.
    – WGroleau
    Commented Oct 8, 2016 at 3:41
  • If a password manager is not an option, then at least an encrypted file. With existing software you should be able to make an encrypted zip or Excel file. Commented Oct 8, 2016 at 14:26
  • And if an encrypted file, I would also recommend that be on a USB stick. (Which, of course, you take with you when you leave!)
    – WGroleau
    Commented Oct 8, 2016 at 15:50
  • 2
    With LastPass, I have the session logged out after X minutes of idle time. Usually I keep this low, like 3 minutes or something. You can also use two-factor authentication to prevent login without both the password and the hardware component (e.g. OTP app on your phone, SMS, or something like Yubikey). Those are available to free-tier accounts. You should also be using passwords on your SSH keys, so that pushing any changes is impossible without the key password. It is only slightly inconvenient, but you know what is more inconvenient? Being framed for embezzlement by your boss.
    – L0j1k
    Commented Oct 10, 2016 at 5:18

As you pointed out, the company owns the computer. Since they own the computer, your manager or anyone with the authorization and admin rights can log into your computer as long as they aren't abusing the access in such a way as to jeopardize your job. Rule of thumb is don't keep your personal financial information or resumes on your computer. Let work be work so as to not just protect your personal information but to limit the damage that can be done if someone with access did attempt malicious activity under your name.

In one of my previous environments, it was commonplace for managers to access their employees' computers because people kept project files and customer mortgage documents locally on their machine; so when that person was out sick and the customer needed to change their closing date, a manager had to access that employee's computer to get the original document. Archaic system I know, but that's just one case of a legitimate reason a manager would need to access an employee's computer.

  • 33
    There's a big difference between using the computer and using your individual account. Almost every company with a policy for this has a policy that you never log in to another user's account without their presence or without specific access granted by the IT dept. Otherwise, there is no way to prove that anything done on somebody's account was actually done by that person.
    – Kaz
    Commented Oct 6, 2016 at 13:20
  • 12
    @Kaz Yep, MAJOR security breach. I know several employers that would march that manager right out for pulling that maneuver Commented Oct 6, 2016 at 13:35
  • 1
    There's no problem with admin staff accessing the company's computers. On THEIR ACCOUNT. This is not the case here. Commented Oct 7, 2016 at 20:51

This depends on the country and the specific IT policies in place.

In the UK, by default this would NOT be acceptable. Your boss would be entitled to monitor your work activities, but if you had logged into your personal email account, your boss would not be entitled to monitor that.

However, to counter this, it is standard practice to include a clause in your contract or acceptable use policy that says "company equipment cannot be used for personal use". If that clause is present, then your boss IS entitled to monitor all usage of a work computer.

Many countries have similar laws to the UK, but there are notable differences. For example, in Germany you have a stronger right to privacy.

Source: I've worked in infosec for some years and have learned this on various courses I've attended (e.g. SANS). I'm afraid I don't have links immediately to hand, but you should be able to find them easily enough.

  • 3
    +1 I have worked at companies where having anything of a personal nature on the firm's PC would be regarded as a serious offence. Although this was some time ago - before the days of BYOD, and in fact B'ing YOD and plugging it into the company network would have been viewed as an even more serious offence.
    – peterG
    Commented Oct 8, 2016 at 21:37
  • @peterG - One of the concerns with BYOD is the company doesn't have a "right to audit". Some companies make you sign over a right to audit before using a BYO device. More commonly, they only allow remote desktop (or similar) access from a BYO device, so actions relating to company data can be audited on the server.
    – paj28
    Commented Oct 9, 2016 at 8:25
  • Note that the JohnHC answer above "your boss can see any messages between you and HR" makes the personal/work distinction somewhat less clear than your answer suggests. Is your immediate manager entitled to monitor the progress of your complaint about him? Or worse, reply to those emails using your account/name?
    – Móż
    Commented Oct 10, 2016 at 3:20
  • @Móż - That's an excellent point, and one I fear the SANS trainer hadn't considered. In practice, HR have an aversion to email for sensitive issues, but this is more because emails can be misinterpreted rather than confidentiality.
    – paj28
    Commented Oct 10, 2016 at 7:03

The simple answer is don't store your passwords on your computer or use some kind of keychain application that doesn't use the login password system.

As other people have mentioned, your manager is probably not compliant with IT security policy. It might be worth tactfully mentioning to your IT support that your password has been reset on multiple occasions and let them take whatever action.

Something missing from the other answers so far is that in the case of uncommitted changes, it should not be your boss who commits them and that is not a reasonable excuse. I'm thinking in terms of software development versioning systems but this is equally applicable to legal documents or other "vital" work that might need to be committed in a timely fashion: how does your boss know that the changes are complete, tested, verified, ready, etc.?

  • The boss doesn't know, that's why he commits under the poster's name and not his own :-(
    – gnasher729
    Commented Oct 9, 2016 at 22:40

The reason he uses to justify this is that sometimes he wants to know if there is anything uncommitted on my computer, so he can commit in my name.

While I doubt this is true, if it was, this should be handled differently.

Set up a shared drive where the work-related content resides. Or set up a policy that the work-related files in your account in a special directory are read-only accessible by other employees, etc.

There are plenty of ways to allow access to the files in question that do not make it necessary to impersonate you in any way.

It might be reasonable to create such a system/policy, so that work-related files can be accessed in case of an emergency, for example where you would be unavailable.

I would ask the boss why this is not an option.


There are three levels to this.

Level 1: Does my manager have the right to access MY work computer? That depends. Your company will have defined what rights anyone in the company has. Your manager has that right if the company says he has the right, and he doesn't have the right if the company says he doesn't. I would agree with my manager accessing my computer let's say if I had an accident and there was important information only on my computer. If it happened without a very good reason I would be very, very angry and that wouldn't be a good thing.

Level 2: What about my privacy? Depending on the country where you are, private information may be strongly protected, even if it is on a computer owned by the company and that shouldn't be on that computer. Or it may be totally unprotected on your work computer.

Level 3: Legalities. And here we have a big, big, red flag. The CEO of your company has no right whatsoever to access the computer of his accountant. Your manager has no right whatsoever to commit changes under your name. As a software developer, the uncommitted code on my computer is under development, and at any point in time it could be in a state that could be between costly and fatal if committed and shipped to customers. (I might write software that ships goods to customers, sends a bill to the customer, and records that the customer owes the company money. If only two of these three parts are finished, and my boss commits this unfinished work, that would be fatal). There are many industries where access to data is strictly controlled and what the boss is doing here could cause criminal charges and enormous liability for the company.

  • 1
    "free" levels should probably be "three" levels. Unless you really meant that they are gratis.
    – user
    Commented Oct 9, 2016 at 13:54

The security breach nonsense is just that, ridiculous nonsense.

You enter a password on a private computer, hence it may or may not be available to its owners. If there is a domain set up, it may or may not be in plaintext on the domain controller already. The password is not your secret, it is a shared secret. Shared secrets allow for trusted and possibly encrypted channels to be established. That's not your identity!

It's my company, I may as well set up an account with identical user names and passwords on each of my computers, which everybody knows, and who is to say it's not within my right to do so? I worked in such an environment, there was no trouble whatsoever. It's not your call.

Putting someone's real name in the real name field of some domain account changes nothing, it is not nearly enough to prove anything in court. No, even if your boss has not ever logged in (which is basically unprovable), that IT guy fed up with stupid stuff probably has superuser rights and could do whatever he wants and no one will ever know.

The idea that company-generated credentials automating authentication and delivery of access to company-owned infrastructure and information that the company willingly shared with you to automate some work processes in the way the company sees fit somehow entitles you to anything is blatantly, irrefutably absurd.

The company can set up whichever automation and authentication procedures it wants and yes, your boss can do whatever they want. Unless, of course, their boss says they can't, then you go to their boss.

Surely, nothing implies whether these are some good or bad practices in some particular senses. That's for the company to decide, not you.

Surely again, if we're talking some kind of fraud, that's whole other issue. Logging into your company-provided e-mail account may be A-OK, but sending an e-mail to your wife with your signature at the end is not.

Please notice it is not necessary to log into any of "your" accounts to do so, but that still constitutes wrongdoing.

Committing the code you wrote in working hours on company's private computer, which you got paid for, to company-owned repository and build farm is A-OK (from whichever corporate account the company wants it committed from), but adding malicious backdoor code and then claiming you did it is not.

Please notice it is not necessary to log into any of "your" accounts to do so, but that still constitutes wrongdoing.

See where I'm going here?

  • 11
    Here's another downvote. Yes, IT guys have superpowers and could do all sorts of nasty things if they go rogue; however, this question is about the OP's boss, for whom there really is no good reason whatsoever to impersonate the OP. Yes, it's possible (if unlikely) that this is within company policy, but it's still terrible policy. Commented Oct 6, 2016 at 19:46
  • 3
    No, not really. Commented Oct 8, 2016 at 0:58
  • 1
    Do not engage in "edit wars". That statement was 100% inappropriate for an answer (and would be best not even left as a comment), and should be removed. You do not "own" your answer. Furthermore, comments are liable to be deleted at any time for any reason and without notification, especially when they are just pointless bickering; if you have a problem with that, then this may not be the site for you. Fortunately, there are plenty of other websites (and real life places) to choose from! Commented Oct 8, 2016 at 12:30
  • 1
    Since the accounts are supposedly shared how does org monitor usage by personnel other than user the account was created for? Excel spreadsheet? I am also going to assume that safest way to avoid misuse of such lovely practice on pinky swear Huzzah in front of HR rep? Commented Oct 8, 2016 at 14:03
  • 4
    @dbanet stop rolling back that edit. Answers are for answers, not for meta-commentary on voting. Commented Oct 9, 2016 at 2:23
