Can a boss request from IT to change your password and log on your PC as you? [closed]

manpreet Best Answer 2 years ago

My Boss requested from IT to change my corporate password while I was out of office without telling me. He used the new password to log on my PC as me and copied my project (I don't know what else he did).

When I was back in office, a yellow sticky with the new password was on my desktop. He told me that is my new password when he saw me in office. Is this violation of security? A privacy breach?

manpreet 2 years ago

You should not expect to have privacy on a company-owned machine. However, in a healthy IT environment your manager would do this by asking IT to send him the files he's looking for, which they can retrieve by accessing the computer using their own administrative accounts, not by accessing with your account. If they do it this way, there is never an auditing question of who accessed the files, or whether an action taken by your account is actually an action you took. Your IT department should also follow any guidelines they've been given to facilitate the access - this might include getting permission from your company's legal counsel, providing justification documentation, etc.

Whether or not this is a security violation depends on company policy and applicable law/contractual obligations. You can bring this up with your manager if you want and voice your concerns, and there are quite a few valid ones. As mentioned, logging into your account directly defeats auditing - your security team can no longer be reasonably sure actions taken by your account were taken by you if other people log into the account. Depending on your job, you may also have access to information your boss does not - this could include HR-related information, client data for contracts your boss is not on, and so on. However, changing the system to allow for this kind of access may not be considered a worthwhile investment for a small company that doesn't handle sensitive information.

Also, as Edgar mentioned leaving your password out on a sticky note exacerbates the auditing issue, since now anyone in your company could have accessed your account while you were gone. At the very least, if the company is unwilling to change their policy on resetting accounts, you should ask your manager to tell you the password in person when you get back in the future, or have IT reset it again to something generated by a secure random password generator and don't write it down, then reset and allow you to pick a new password when you get back.