Why you never need to give out your password to your work's help desk

By now, those of us who follow advice on sites like this are fully aware that Microsoft is NEVER going to call us up at home to offer technical support.

Additionally, if you receive a Blue Screen of Death message on your PC that contains a phone number to call, you should not call that number.

In fact, any unsolicited offer to fix your PC should be ignored.

But what should you do when you work in an office, and the help desk calls to notify you that there is a problem and the caller needs your password to fix your computer?

Your password should be treated with almost the same regard as your toothbrush and used chewing gum.

That is, it should not be shared with anyone other than someone you know intimately, such as a spouse, or someone you pay to protect you, such as your attorney. (It is still not a good idea to share that chewing gum or toothbrush.)

The scammers who try to steal passwords will not hesitate to call you at your office. In fact, a popular technique in some companies is to hire ethical hackers to test their network security by staging phoney help desk calls to employees.

So what should you do when that tech support person calls and requests your password?

The caller may tell you that they must log in under your identity to work on the computer. That is a perfectly reasonable request; however, they do not need your password to do that.

You see, any system administrator has the ability to change your existing password. The sysadmins (as they are known) cannot see what your existing password is, but they can set it to a new value.

How else do you suppose they shut down your account when you change jobs?

The sysadmins are all-powerful entities in the corporate network world. Many of the recent breaches of corporate data were achieved by gaining sysadmin credentials.

If the sysadmins can change your password, one way to be sure that the caller is not a scammer masquerading as a help desk technician is to ask them to reset your password to anything they like so they can log in as you. When they are done, they can flag the account so that you are forced to create a brand new password the next time you log in.

In a Windows network environment this is a simple click of a button.
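The "click of a button" described above can also be done from the command line, which is handy for help desk staff who want to follow the procedure exactly and for anyone who wants to verify that it really does not require the user's existing password. The following is an added example, not code from the original article; it uses the Active Directory PowerShell module (RSAT), and the account name `jsmith` and the temporary password are placeholders.

```powershell
# Added example: administrative password reset followed by
# "user must change password at next logon", using the RSAT
# ActiveDirectory module. The admin never learns or needs the
# user's current password. Identity and temporary password are
# placeholders for illustration.
Import-Module ActiveDirectory

$Identity     = 'jsmith'                        # placeholder sAMAccountName
$TempPassword = Read-Host -AsSecureString -Prompt 'Temporary password for the technician'

# 1. Reset the password. -Reset sets a new value without knowing the
#    old one (an administrative reset, as opposed to a user-initiated
#    change, which would need -OldPassword).
Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $TempPassword

# 2. Force the user to choose a brand new password on first login,
#    so the temporary value the technician used stops working as
#    soon as the real user returns to the machine.
Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true

# 3. Verify. After step 2 the directory clears pwdLastSet, so
#    PasswordLastSet comes back empty and PasswordExpired is True
#    until the user sets their own password.
Get-ADUser -Identity $Identity -Properties PasswordLastSet, PasswordExpired |
    Select-Object SamAccountName, PasswordLastSet, PasswordExpired

# Caveat for the defender: an administrative reset (not a user-initiated
# change) invalidates DPAPI-protected secrets for LOCAL accounts, such as
# EFS keys and saved credentials, unless a recovery agent or reset disk
# exists. Domain accounts are normally protected by the domain's DPAPI
# backup key, so the same reset is usually transparent for them. Check
# which case applies before resetting an account that uses EFS.
```

Running this as a domain administrator leaves a clear audit trail (the reset is logged on the domain controller as a password reset by the administrator's account, not as a logon with the user's own credentials), which is exactly the property you want: the technician's access is attributable to the technician, and the user's own secret is never disclosed.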

Practice the same password security at work as you would anywhere else. If you didn't initiate the call to the help desk to work on your PC, chances are that they are not going to call you with an odd request to reveal your password.

Even if they do call you, remember, if they cannot change your password, they may just be masquerading as a helper while trying to steal something from you.

Similarly, you are the sysadmin of your own home computer. So, if you are taking your personal computer to a repair shop, you should change your password before giving the PC to the technician.

Chances are that you are using that original password somewhere else (not a great idea, but people sadly still behave that way), so you don't want to give that password away to the repair technician.

When the PC is returned to you, you can change the password back to what it was before the repair job.

Safe computing, friends.


2 Responses

  1. Simon

    July 24, 2015 at 1:36 pm #

    While I wholeheartedly agree with the content in this article, there are "complications" that business users experience when changing a password for the purposes of handing over to a troubleshooting tech. One such complication is the need to change that password on any mobile devices they have while their device is "in the shop". Having to change a password on a multitude of devices that work with that password means people just give in and hand over their real password.

  2. John

    July 25, 2015 at 9:31 am #

    A further complication under Windows is that a password change initiated by an administrator will also destroy any encryption certificates held under that user profile. If you use Windows built-in encryption, be very careful what you ask your Help Desk to do!
