Today, I was asked by my employer for my GitHub password. This is something I'm not willing to give out, especially since I work on other projects (outside of work) and am not willing to compromise anyone's data.
Anyone have any advice on how to respond to this request?
This may be more of a rant here:
I ask this because the manager in question demands passwords from everyone for every bit of software and every single device their subordinates use. That data is kept on a spreadsheet right on their desktop!!! They also remote into work devices using insecure software and I'm basically waiting for the next data hack.
- This has progressed a little more than I thought it would.
- I let my employer know that I am responsible for more data than just their company's and I am not willing to compromise anyone's data. As it would be a security issue for me to disclose my password, I am unable to provide my login credentials to them.
- Within 5 minutes of that, two managers have now scheduled to have a meeting with me regarding this.
- This seems awfully strange. I'll keep updating as new events unfold.
- Wow! Thank you everyone for responding! Ended up getting an engineering team together to educate the management on the risks of their current system.
- It sounds like management is going to take this advice to change their password control situation. Sounds like they were not used to hearing "no" (more or less) from an employee.
I'm going to respectfully disagree with the other answers. Jobs are hard to come by, and sometimes we have to stay in abusive relationships in order to put food on the table.
Your long term plan should be to leave this company, or get them to change their policies.
Your short term plan is this:
- Set up 2FA on GitHub. Use a token rather than SMS if possible.
- Change your GitHub password to a random string of letters, numbers, and symbols. Make sure it is different from every other password you use for other services.
- If your employer threatens you into handing it over, you can do so in relative safety.
Your employer will not be able to log in without your 2FA code, and you'll be able to check for failed login attempts.
To be clear - this is not a long term practical solution. If you work in a large company, you should contact their information security team. If you work in a regulated environment, you should discuss this with your regulators.
If you are being threatened or bullied, talk to your Trade Union to see how they can help.
And, of course, start looking for a new job.
Ultimately, no, you shouldn't have to hand over your password. But 2FA will give you some protection and some breathing room until you can find a better solution.
As other people already clearly expressed, it's a big no.
Then you have two choices:
- A: you just realized (if you hadn't already) how bad the security hygiene of the company is (or they know they shouldn't but still ask, which is even worse), and you have to deal with it (work around it or find another job).
- B: if you believe there's hope, you can turn this into an opportunity to educate the team and make them understand why accounts (GitHub or anything else) should never be shared. Even purely professional accounts. This is not just a privacy issue. Sharing credentials is also a good way to be unable to identify the origin of a leak, to not be able to control who has access to what.... in short, it might be a big cause of trouble for the business.
Sharing passwords usually comes with other bad hygiene: sharing SSH keys, sharing certificates, sharing API tokens with privileged rights, ....
If you manage to make them understand this, making sure every employee is accountable, has their own credentials and never shares them with anyone is a very good way to avoid big problems later.
In short, it's a big red burning flag with loud air horns and huge flashing lights. But at least you might try to get something positive (for you, or at least for them, it's good karma!)