10% of IT Pros Can Access Previous Jobs' Accounts

dinscott writes "According to a survey that examines how IT professionals and employees view the use of policies and technologies to manage and protect users' electronic identities, the sharing of work log-ins and passwords between co-workers is a regular occurrence. It's no wonder then that half of them are concerned about insider threats to network security in their company's current infrastructure! But one of the most surprising results shows that one in 10 IT professionals admit they have accounts from previous jobs, from which they can still access systems even though they've left the organization."

Re:well, i can

[John+Hasler]

> but is it my responsibility to suggest they change the password?

You should do so for your own protection. Do it in writing. Don't check to see if the password has been changed, however: you could be accused of "breaking in". Just send them a letter reminding them to make the change.

> especially since a 'professional' it outsourcing company took it over?

Which may look around for a scapegoat after they screw up. You really don't want them to discover that a break-in occured via an account for which you, a "disgruntled former employee", had a password.

It's quite common

[ledow]

Most places will happily give you every password in the world when you start a job there. And sometimes the "intermediate" stage between you leaving and someone else doing your job is filled with outside contractors and random people who "need" your passwords.

Whenever I leave an employer, I make a BIG list of everything I know in terms of passwords, passcodes, keys, etc. and compile it on paper or a CD. I put literally everything in there, even down to little foibles of the system and the reasoning for strange configurations. I then furnish the boss with one copy of that CD, hand him another copy to "put in a safe place" (usually a safe) and then leave.

I did this at my last workplace. They were getting increasingly silly and employing people with zero expertise, and I already had another job already lined up so my entire notice period was spent house-cleaning and compiling lists while taking care of the mundane jobs.

Technically I reported only to the headteacher of the school in question, having been employed by him without any formal assignment in a staffing structure (to the point where the local borough phoned up to complain that I was earning too much for any of their pay-scales and had to be put on my own unique one).

When I left, there was no replacement for me (because they weren't interested in employing the only guy out of all the candidates that *could* do my job because he had formerly worked in Tesco's supermarket rather than sit on his arse in the middle of a recession) so I handed off to the headteacher. This immediately caused an argument because one of the new staff who was the new "second-in-command" there (and that decision was partly responsible for me wanting to leave in the first place!) DEMANDED the "admin password for the network".

He wasn't an IT guy. He knew nothing about computers at all. He just wanted it because he was sure that the dozens of digital voice recorders that he'd bought on a whim (without IT authorisation) could be made compatible with the non-networkable, kiddified, decades-old audio editing software he'd bought on a whim (without IT authorisation) on the network he didn't know how to manage, no matter how many times I told him they were incompatible. He was convinced that if he somehow got the "magic" administrator's password and then let 1000 kids loose with it so they could listen to themselves talking, it would solve his problems with not teaching part of the IT curriculum.

Obviously I must have been deliberately lying when his DRM'd-AAC-only recorders couldn't be opened in a program that only took WAV's (not even MP3's!) and that an intermediate conversion step (which he DEMANDED shouldn't be necessary and refused to use) was required.

Apart from the fact there were three networks, there were dozens of different passwords, and he wasn't getting *ANY* of their passwords until I was way outside the building and long gone, I had a duty to protect the information secured by those passwords (information on kids, people's salaries etc.). If you read the rules precisely, that means that I had to hand off ONLY to the headteacher, who could then hand off passwords to others as they saw fit.

So I did just that, in the process making my own day by telling the guy "No." even if he WAS second-in-command there (he didn't seem to understand that I didn't report to him, no matter what he thought of that idea). He was rather miffed. I also, with the head's permission, gave a copy of the CD to the lead governor of the school who was a big-iron IT guy for his day-job, that we both knew we could trust - he would be fixing any major issues that occurred in the school until they could find a replacement and he was there to sign-off on my hand-over.

A week later, a phone call from the second-in-command. He'd got the administrator password, tried it out on several PC's and couldn't do what he wanted (ignoring the fact that he wasn't using ANY of the network software management that we had in place). So he demanded that I give