Would You Ask a User for Her Password?
In some environments and in certain situations, users share their passwords with IT admins. Whether or not this happens in your workplace, it should be factored into your cyber security awareness and training.
When policy allows IT or other staff to request user passwords, it creates two risks:
- Phishing is more likely to be successful. Employees will be much more likely to share their credentials with someone impersonating IT staff, via phone or e-mail, since providing that information is considered acceptable.
- A malicious insider can steal from or harm the organization under the cover of another user's ID. Because the actions are logged against the account owner, the sharing policy also undermines accountability: the logs can no longer prove who actually did what.
If IT staff need access to an employee's password, there should be a defined procedure that specifies which accounts can be shared and under what circumstances. For example, is divulging a password permitted for the user's domain account, or only for a legacy application that cannot be administered any other way? Perhaps access is granted only in the physical presence of the administrator: the employee first changes the password to a temporary one and provides that, and after the work is complete the employee sets a new password (note that password-history rules may block changing it back to the old one, and a fresh password is the safer choice anyway). Wherever possible, restrict sharing to narrowly defined cases like these, and prefer mechanisms that avoid disclosing the password at all, such as delegated administrative rights or the administrator using their own privileged account.
Once you have a defined procedure for limited password sharing, teach it in your security awareness materials and then test users on it.
If users are prohibited from sharing passwords over the phone, do some vishing (voice phishing) tests: call users, claim to be from IT or the help desk, and request their password with a plausible reason. If users are not permitted to share their password through e-mail, run phishing tests that ask for it and see if they reply with it. Users who share a password in a scenario the procedure forbids should get targeted follow-up training, and the results should feed back into the awareness materials.