My coworker emailed me a root password that I'm not supposed to have. Should I tell my boss, and if so how do I tell without sounding petty?

Question

I'm a junior-ish employee at a company (I'm not technically junior experience-wise, but I'm junior compared to the massive amounts of experience everyone else has and I've been here the shortest).

One of my senior co-workers is about to retire and is becoming a bit forgetful. He often doesn't follow the rules, doesn't really understand security and just does his own thing. People overlook this because he's brilliant and a veteran in the industry and we all respect him.

Today, he emailed me the root password to one of the main servers. I know I'm not supposed to have this password because in the past my boss has specifically done things for me on the server instead of giving it to me.

I am aware that this is a big security problem. Aside from the fact that I now know the password, it also was emailed (!) to me, which is in itself a huge security breach.

I think I should tell my boss about this so that he can have the password changed, but I'm struggling to figure out how to go about it. I don't want to come across as a tattle-tale. I like my co-worker and I don't want to cause trouble, but in my mind this is a very big issue that my boss should know about. I am questioning if this is really is as big of a deal as I am imagining it to be. My coworker seemed to think it was no big deal.

So my question is, Should I bring this matter to my boss, and if so how do I tell my boss about this security breach without sounding like a petty tattle-tale?

More detail:

Why he gave me the password:

My coworker wanted to supply me with files from his user directory. I suggested he (1) copy them to a common location or (2) change the permissions on the files so I could read them. He opted to email me the root password so that I could use su and copy the files myself.

Usually the servers have sudo access - I have sudo on another server that's less critical - my coworker could have given me sudo access instead of giving me the password.

I'm aware that root password login is an insecure thing. I don't know if the server has the root password login enabled because I've never tried to use it. I ssh in using my user key-pair.

What he said about giving me the password:

I asked him if it was ok that I have the password, and he said "sure" in a hand wavy sort-of way. He seemed to think it was no big deal. I'm not super comfortable in any case, because I don't report to him, and he's know for not taking security seriously.

The company IT dept

Doesn't exist. There was a linux admin but he left months ago. My boss is the closest thing to an IT dept we have.

Answer 1

First, it is ABSOLUTELY a big deal! Anything that can compromise your data security is a big deal. Your company is not only at risk for the liability of the lost / compromised data, but its reputation is at risk, as well.

You would be extremely negligent if you did not report it. A pattern of breaches is of serious concern.

Now, beyond that, don't try to make any determinations as to why your coworker is doing this. Give only the facts to your manager, and then let your manager handle it as they deem fit. Don't dwell on it. Don't ask your manager for the "results" of your information. Report it, and get back to your role.

Your manager may just decide to change the password and "wait it out" until this person retires.

Answer 2

COMMUNICATE

Go talk to that person and ask them WHY he emailed the password to you. Just emailing a password out of the blue seems rather odd.

Then ask if it is OK for you to have it - explaining what your boss always does for you - and explaining that you don't want you or him to get in trouble and want to make sure the boss is ok with it.

Once you have WHY, then ask the next question: "I was always told not to email passwords due to security risks. Is that safe to do here?" Wait for the answer. Perhaps he knows something you do not.

Then ask the next question - "Why are we using root passwords anyway?"

If this guy is as brilliant as you say he may have a valid answer to all of them.

But, at the end of the day, he needs to fix the problem (if there is one) and this gives him a chance to do so without you looking like a tattletale.

Answer 3

Let your boss know, but do it in a way that isn't "tattling".

There's a difference between asking "Is it okay that Bob did X" and "Is it okay if I do Y (given X)". Go to your boss ask for permission for yourself to use the root password. You said that your boss always does these things for you, so the answer is likely no.

Hey boss, I was wondering, do you need me to check in whenever I want to make changes as root on Server X in the future, or can I just go ahead and do it? Bob emailed me the root password, so I could do it myself if that's easier.

This notifies your boss of the security threat, but also isn't flat out snitching on your coworker. Your boss can decide how seriously to treat this (though I would hope he at least changes the password). If he acts shocked and starts pushing you on the details, you could even throw in

Yeah, I thought it seemed pretty odd, which is why I wanted to ask you about it.

Answer 4

A small startup with <10 employees, no IT staff, no Linux admin and everyone else has been there much longer? Chances are good that everyone else knows that password as well, and everyone knows that everyone knows, and nobody thinks it's serious enough to do anything about.

I am aware that this is a big security problem. Aside from the fact that I now know the password, it also was emailed (!) to me, which is in itself a huge security breach.

Breach of what, specifically? General industry good practice, your company guidelines, specific industry regulation that you need to comply with, or specific orders from your boss?

All too often random people will know root passwords, the domain admin passwords, each other's passwords, and all sorts. It feels like it should be a big security problem - but most employees aren't hostile and most companies aren't hiding nuclear secrets and mostly life goes on. Ideally they should be changed regularly as a procedure, so when they inevitably leak, there's a limited time window where they can be used harmfully.

You're in a trusted position as a small company employee. Be trustworthy by not abusing the things you accidentally learn. But so are all the other employees, and it will likely take a big security fail before the company internalises and enforces anything like "less convenient, more secure procedures all round".

• If it's a regulatory compliance thing, with customers at risk, fines possible, definitely tell your boss. In that case, it is your job to be a tittle-tattle because you work for the company, not Bob.
• If it's about covering your butt in case your boss finds out you know and gets punishy, definitely tell your boss, but perhaps leave Bob out of it. "Hey, I asked for access to some files on this server, but someone sent me the root password instead. I don't want to drop anyone in trouble, but you should probably reset that password if I'm not meant to know it".
• If it's a company policy thing, probably tell your boss. You say that "He often doesn't follow the rules, doesn't really understand security and just does his own thing. People overlook this because he's brilliant and a veteran in the industry and we all respect him." - well if everyone knows Bob is lax about security, then you are neither a tittle-tattle, nor throwing him under a bus, you are a junior working picking up menial problems on behalf of a veteran and tidying them up, and helping the company deal. Great, no problem.
• If it's about industry good practice, well congratulations, security is now your job if you want it, because clearly nobody else there wants it. Write a short report for your boss, extolling the virtues of sudoers, a shared password vault, auditing, regular password rotation, nobody having root passwords, etc. Offer fixes and how you would implement them and how long it will take. Boss will like you more. Maybe.

And if it comes down to it, and you have to take sides between Bob (soon to retire) and your employer who pays you and you might work there for a decade yet, your loyalty should be to your interests (i.e. the company). Annoying Bob annoys Bob a bit, a security breach which causes the company to fold makes everyone unemployed, a reputation for being the sneaky junior obtaining passwords he shouldn't have access to could drop your reputation into the gutter.

[This is not in anyway intended to approve of his approach, but to put it in context of a real world small company with no dedicated security stance, and your role as an employee out for your own interests rather than a manager or director].

Answer 5

Since you've stated that your company doesn't really even have an IT department, I'd say that for the specific context, which some of the other responses don't seem to consider, you'd probably be wasting your time.

There's an assumption upon which you are basing your question: "I know I'm not supposed to have this password because in the past my boss has specifically done things for me on the server instead of giving it to me." How do you know?? Have you actually asked the reason why you weren't given the password? Sometimes, busy bosses will handle a task themselves rather than taking the time to make sure their reports are doing things correctly -- in small shops, there aren't always many other options. And quite reasonably, when the boss needs to take a day off, other employees will eventually need things like administrative account access to get things done.

That said, do not be so quick to react. Leave the e-mail where it is. You might mention, in passing conversation, that you have the password for the box and ask your boss if he feels comfortable with you logging on and taking care of things here and there. Don't make the other guy the emphasis of your conversation, because that's not your job. You may get a yes, a no, or he may put it off. Be prepared to accept any of these responses.

Stay out of the business of what this other person does on your job, UNLESS that's in your job description or causes a conflict with you getting your work done.

Answer 6

Don't assume there's a problem.

Maybe you're getting a promotion. (Even if not a financial raise, or a new title, you have now been given access.) If the person who is leaving had many elevated responsibilities, there may be an expectation/hope that people will step up and start taking over new roles.

When you go to the supervisor, don't approach the giving-you-access as a problem. Inform your supervisor that you now have access. If it's a problem, then corrections can be made. If not, then enjoy the fact you've now been entrusted with this.

If you approach this as telling your boss about a factual matter, just so the boss doesn't get surprised in a more unpleasant fashion, then this needn't look like a tattle-tale issue. This is simply bringing someone up to speed about the latest security settings. Not a problem.

Chances are that this old-timer knew that you didn't have access; that is why the password was shared. (If he thought that you should have access, and already had the password, then he wouldn't have shared it.) This may well have been an intentional, and approved, act.

As for the part about it being in E-Mail, that might be a very big deal or not at all, depending on factors like how secure the E-Mail tends to be and how important this particular password really is. If you have higher standards, live up to them (by not sending such E-Mails yourself), but I don't recommend faulting your friend (who entrusted you with a password) until you confirm the organization's stance on what is or isn't acceptable handling of this data.

Answer 7

First, as a practicing InfoSec professional (IT auditor), I wholeheartedly agree with the remaining answers

You must tell your boss and IT Security function if you have one

How do I tell my boss about this security breach without sounding like a petty tattle-tale?

You did not say what content is stored on the server, whether it contains sensitive information, or whether its a "live" production server. You also don't know whether your coworker emailed the ROOT password to other unauthorized employees at your company or to external third parties. Unlike yourself, others may be just like your coworker and brush off the incident.

However consider this fact : Who knows what malicious intent a particular insider employee, competitor, or cyber - criminal may have?

As to what can happen once the root password is compromised from a security CIA perspective:

1. A malicious individual now can get complete control over the server and override other security settings set by your IT folks.
2. He can delete / steal sensitive data that may happen to reside on the server (violation of integrity)
3. He can bring the server offline and deny access to legitimate users (violation of availability)
4. He can intercept communication (violation of confidentiality)

If your work in a regulated field such as health care, certain regulations apply such as HIPPA. Penalties for incidents can be severe. Even if your industry is not regulated, consequences can still be severe in the form of lost current business as well as prospective future business if the password incident exposes customer data.

To summarize my point:

The security implications of this incident is far more serious than a perception of you being a "tattle tell" would be. How would you feel if a data breach happened and you did not tell your manager, who could have mitigated any fallout?

Answer 8

While it is true that this is a security issue (first of all, to give you the root password; second, to send it by mail, which is in itself not secure), there does not need to be an issue for you to solve with your boss.

A diplomatic and yet ethical solution for unwanted passwords is: un-learn the password. This means deleting the mail you got, cleaning your mail system trashbox, not copying it into your personal password safe. If the password is easy to memorize, so that it is hard to erase from your brain, then make a point to never use it although you know it.

The next, equally important, step is to let the sender now. This can be done in completely neutral, "egocentric" fashion: "I feel uncomfortable having that root password; I have deleted it and will not use it. I know whom to contact when I need access and will work on that machine together with them, if need be." If they are at all sensitive to security topics, they will get the point. If not, then it does not matter anyways. Do this communication in the same medium you got the password (just reply to the mail you got from them, obviously replacing the actuall password with "***") to get a paper trail, just in case.

Putting blame on them or even taking it to your boss seems to be a sure-fire way to not having such a great social environment afterwards, and will likely do nothing at all to further the security of your place.

There is a reason that larger companies have a separate entity (CISO or something like that) to handle these issues outside of the general managerial hierarchy.

Answer 9

Personal anecdote time (because it's always personal anecdote time):

I left a company under, uh, less-than-favorable circumstances. I had been the CTO, so naturally I had access to every system. A few weeks later, I noticed that my user-name and password still worked on the production database.

This was typical of the kind of slip-shod behavior that led to my leaving in the first place. Disgruntled ex-employees are always the first suspects if there is a hacking attack, and if one happened, I didn't want anyone to be able to say that "Well, Malvolio still knows the password."

So I sent an impersonally worded email to the CEO, telling him to change it.

Two weeks later, I checked again, and it had not been changed. I sent the CEO an even more impersonally worded email, to the effect that if my password still worked in 48 hours, I would post the username and password on Hacker News.

My sources reported back that the CEO instantly called a meeting of all the remaining engineers and ordered that every password and every username in the system be changed.

He wasn't very bright.

But that wouldn't be a good solution in the OP's situation, even though he is in almost a precarious position as I was.

Since he does not wish to appear petty, this is the perfect time to rely on the passive voice:

• the password "was mailed to him"
• the email "might be read"
• perhaps therefore the password "should be changed"
• and even a new policy "could be promulgated"

It's not great prose, but it's good politics.

Answer 10

My first thought would be to go to the person who sent you the password and tell him that he really shouldn't be doing this. I wouldn't see any need to get him in trouble with the boss. Your co-worker was trying to help you out. It seems pretty slimy to report him to the boss for breaking rules in the process of trying to help you. If I thoughtlessly broke some rule company policy when trying to help another employee and he promptly turned me in, you could be sure that would be the last time I did anything for him. His next request I'd tell him he must submit a request through his manager to be processed through proper channels.

You didn't say what sort of information is on this server. If it's something that, if compromised, could get people killed or at least cost the company a lot of money, more forceful action would be called for than if all that's on it is the archive of the past 50 years of the company's newsletter. Likewise, is it a server that is accessible over the Internet, or is it only available on an internal network? Etc.

Answer 11

I think I should tell my boss about this so that he can have the password changed, but I'm struggling to figure out how to go about it. I don't want to come across as a tattle-tale.

So I don't think you need to be told that your boss needs to know: the goal is merely to inform your boss in a way that your co-worker will not perceive as calling the cops on him.

The first thing is to realise that this may not be possible -- if he's absolutely determined to be offended then there's no way to tell your boss and not offend your colleague. But then, that's his tough luck for (intentionally or accidentally) creating an incentive for others to conceal his errors.

Next, go back to your colleague and tell him (don't ask him) that unfortunately you're not allowed to have the password he's just given you. You know this because your boss controls that password and has refused it to you in the past. So, because you now know it: either you need permission from your boss to have the password, or else the password needs to be changed. This would be the case regardless of how it was given to you.

Furthermore, because it was given to you by email, most likely the password needs to be changed anyway even if you are given permission to know it. If the password in question is very low-value, and your email system is reasonably secure, then your boss might choose to accept that risk, but that would have to be due to a specific calculation. For a somewhat contrived example: if remote password login is disabled, the machine is virtual (hence has no way to login from a local terminal) and you were the one person left with access to the machine who doesn't already know the root password, there may be no immediate risk in painting the root password in 10 foot letters on the side of the building. But it's still not good general practice, so your boss might well opt not to do that!

This lays out the problem, as you see it, to your colleague. Crucially, focus on the problem being "I know this thing I shouldn't know", not "you did this thing you shouldn't have done", and don't talk about blame. You could then offer two solutions:

• Your colleague approaches your boss to sort this out.
• You handle that for him, and approach your boss yourself.

Now, at this point the colleague might offer a third option, "do nothing and don't snitch on me". In that case, you cannot avoid offending him and must do as your conscience dictates regardless of the unpleasantness associated with that. But if he takes the first option, let him do his own damage-limitation with your boss and then ask your boss some time later what the outcome was so far as it affects you. This serves two purposes: you want to know your level of access to the machine, and it keeps your colleague honest if for whatever reason he'd prefer to say he'll approach your boss and then actually not do so.

If he takes the second option (because he feels there's no damage to him in you going to your boss), you can go to your boss and not worry about the consequences. If you're correct, that he's uninterested in security, careless, and completely secure his position, then I think it most likely he'll take the second option. If he wants to cover himself he might well take the first.

You may also wish to take up with your boss the issue of why anyone is using the root password at all, in preference to properly managing the list of sudoers. But that's a separate task. It's one of the causes of this problem, but acknowledging it doesn't clean up the mess.

Answer 12

Nah, it's probably fine. Do mention it to your boss to check if they want to reset the password after you're done with it. If they don't, ask whether you need to follow any additional protocols now that your access level is elevated. The thing is, if your coworker was in position to give somebody the password it means lax security whether or not they actually gave to anyone like you.

On a security note, consider re-configuring your servers so that root access is managed without sharing passwords (special account with sudo privileges is a common pattern).

Answer 13

You can deal with the tattle-tale issue in a way that managers sometimes do. Identify "everyone", without singling out the person. Unless pressed on for information.

You: Boss, I need to "copy files" from "server" to complete my task. I find it that I can do it myself as I am now in possession of the root password to the server. Will it be okay for me to go ahead and copy my files?

Boss: What? OMG! Password?! Security! How?!! Who did it?!

You: Someone from staff sent me the password when I asked to help me with my task.

Boss: Who did it?? It was Bob, wasn't it?? He always does this stuff.

You: I prefer to not throw anyone under the bus, but perhaps point out that we have a culture of lax security in the office, and I think we can improve on it. Password was sent to me by email.

Boss: Tell me anyway or everyone will lose.

You: It was Bob. Bob did it. Also, sending a plaintext root password over email is a big deal and a major security problem that puts entire company at risk and liability.