64

I worked for X company as an applications developer and one of my former coworkers (not my supervisor or an IT person) asked me for my BitLocker password. I left the company 2 weeks ago for a new job. I cleaned my computer, but I didn't clean my network folder. I don't have anything to hide (illegal or other non work related documents), but I don't want my coworkers accessing my data. Also, I might have SSN or other Personal Identification information in there (for the on-boarding process etc).

Is this coworker out of place asking for that information? How can I professionally decline his request?

PS. This question is not a duplicate, because it's not my former boss that is requesting the password. It is a coworker and I don't have knowledge of that being done for a previous employee that left the company. In fact none of my coworkers were allowed to keep this ex-employee's laptop around 'just in case I need his data'. That computer was formatted right away when he left the company.

Resolution

I told him that:

  1. I had wiped out my data, because of personal information, but that I had transferred important folders and files to team/shared drive.

  2. I told him that another coworker knew which files those were and where those files were located on the shared drive.

  3. I told him that I couldn't share my password because I used it in other accounts.

  4. Asked him if he needed something specific and offered to go to the office and type in the password directly into the computer.

His response:

"We just needed to send the licenses for ReSharper and RedGate back to the license server so that they could be reassigned."

My opinion: there aren't new developers since the hiring process takes ages. No one needs those licenses AFAIK. I honestly don't know why IT didn't contact me officially...

He dropped the issue.

Fran Martinez

7 Answers

84

I cleaned my computer, but I didn't clean my network folder

Is this coworker out of place asking for that information?

They are not out of line for needing to access whatever was left in your network folder. But there's no need to hand over your password to give them what they really need.

How can I professionally decline his request?

No need to lie about it. Just say, "Sorry, but I won't give out a password."

Offer to come to the office (or to remote in), and transfer the contents of the network folder to a shared location. Then delete any remaining (personal) contents and delete the folder, if you have that level of access.

Next time you leave a company, try to remember to transfer all company files, and nuke all personal data before exiting.

Joe Strazzere
  • 82
    This brings up an important point that everyone should know. Don't keep anything personal on your work computer/network that you would object to them having, in case you have to leave your computer without warning. I worked for a company that was under investigation and suddenly we were told, "everyone back away from their computers immediately and do not touch the keyboards!" It was surreal. Also, you could have the same thing happen if you're suddenly fired (with or without cause, which I've also seen). – Chris E Jun 08 '17 at 13:47
  • 1
    @ChristopherEstep - Lesson learned. I suspect I might be in a difficult situation if I refuse to give the password since the laptop is a property of the federal government (United States). – Fran Martinez Jun 08 '17 at 15:38
  • 11
    sigh @CodeHierarchy that's rather different. maybe edit your question and mention that? – Fattie Jun 08 '17 at 16:56
  • In the UK at least, you have no reason to give them the password. Normally for accessing an employee's files after they leave, requires clearance from HR, normally a board member (at least it was this way in most of the jobs I've had). Obviously if you felt like it you could give this person that password, but you're not obliged to in any way. – djsmiley2kStaysInside Jun 08 '17 at 16:57
  • 2
    the problem is @djsmiley2k, really we simply have no clue of the situation. It's unfortunately totally unclear what the OP locked up or didn't lock up. (indeed, the central news that it's "the feds" has just been revealed.) – Fattie Jun 08 '17 at 17:24
  • 3
    @PatriciaShanahan Sometimes that's not possible. At my last permanent job, I ended up leaving in a hurry. It wasn't entirely unexpected, so I'd had time to prepare in advance, but I could only do so much. Essentially when I gave notice my boss then threw me out of the office. He wouldn't let me delete remaining personal information and I had to invoke a failsafe: shutting down the computer. Even doing that caused him to attempt to take keyboard and mouse away from me. I did get a call from my coworker a day later asking for the pw. I declined and told him where the data he needed was instead. – Draco18s no longer trusts SE Jun 08 '17 at 18:42
  • 1
    Government Furnished Equipment (GFE) is not only used by government employees. It simply means the equipment was purchased with government monies (e.g. bought with contract funds). In any case, I don't think it's relevant to the issue. The OP is likely still under no obligation to give out this password (may be legally barred from doing so, in fact), and the person requesting it is almost certainly not authorized to do so. It's in the OP's interest to not release it unless onsite with authorized personnel and paperwork involved. And even then, only under careful discretion. – Bloodgain Jun 08 '17 at 19:06
  • 2
    Offer to come to the office OP doesn't work for free! OP, tell your former employer that your current employer prohibits you from moonlighting and that you could lose your job if you help them out. That should put an end to this. – user2023861 Jun 09 '17 at 12:46
  • When I left a similar situation as the author, I removed all personal files (personal work files which legally would be tough to store anywhere else) from my drive, and removed the encryption for the next user. Any work files were placed on the network share. – Donald Jun 09 '17 at 15:55
  • @ChristopherEstep Data kept on company computers is often accessible by IT staff even while you still work there, so it's not only a problem if you have to leave suddenly. Also, once you've stored something on most of the servers I have administered, I can recover it even years after you've deleted it, so it's no good to put something personal up and then delete it. Just don't use work devices for personal anything. – Todd Wilcox Jun 10 '17 at 06:18
  • @ToddWilcox for all of your experience, it doesn't appear you understand BitLocker. – Chris E Jun 11 '17 at 20:59
  • @ChristopherEstep Almost all of the computers I've managed in my career have been domain-joined and when BitLocker was introduced, it topped my list of new features to always double check the group policies on. Perhaps the asker in this case was not using a computer with BitLocker recovery information in AD DS, and obviously BitLocker was allowed by GPOs (not normally something I allow). Notice I said "often accessible" (not "always") and even BitLocker can't keep out a competent and determined domain admin. – Todd Wilcox Jun 11 '17 at 22:40
50

This answer is from the perspective of someone who manages information security.

You mentioned (case 1) a "Bitlocker password" so this is either the boot password for your PC, or a Bitlocker encrypted USB drive.

Then you mention (case 2) that you did not clear your "network folder" - which I assume to be a CIFS (SMB, windows) share. It cannot be encrypted with Bitlocker.

Case 1: if Bitlocker was set up with some forward thinking, the recovery key will be on Active Directory. If it is not then bad luck, they hopefully have backups. If they do not then bad-bad luck -- but in any case you should never provide your password because in that case it is YOU logging in and not someone else.

If you have some extraordinary incentives to help to recover data from this PC, you can offer to do that, provided that a clear written log of actions is maintained, and that the whole activity is generally agreed upon in writing. You come in, you unlock your computer, you copy what is required and then you lock it back.

If you do not have these incentives then you just say that you cannot give your password (which should by the way be in the information security policy, if there is one).

Case 2: data on a network share. If they cannot access them, then something is seriously wrong with the IT of this company. The same incentive-based approach as the previous one is to be used. But again, there is no Bitlocker involved so I believe that this is not the case you mention.

WoJ
  • 3
    I used your resolution for Case 1.

    I wanted to err on the side of being cautious so I referred him to the files I copied to the shared team network drive. However, I offered him to also go to the office to type in the password and offer him help until he completed the 'work'.

    – Fran Martinez Jun 08 '17 at 21:48
  • 2
    I err on the side of being paranoid :) so please try to maintain some kind of written logs (even if these are just emails) – WoJ Jun 08 '17 at 22:05
  • @CodeHierarchy: You're not "offering him help"; you're protecting yourself. – Lightness Races in Orbit Jun 09 '17 at 00:02
  • @WoJ it's not necessarily the boot password of the PC. You can bitlocker encrypt fixed hard disks other than the boot disk, or even additional partitions separate from the main one, and use a password that's entered after user has signed into the PC; dependent upon local or group policy settings. – schizoid04 Jun 09 '17 at 00:43
  • @schizoid04: yes absolutely - I was referring to the fact that the encryption is local to his PC (or an attached disk), but not over the network. – WoJ Jun 09 '17 at 05:19
  • Good answer! the only thing which is missing is that a possible objective reason (which I still do not approve) under these circumstances to get the Bitlocker Password (assuming it is the boot drive) is to circumvent the IT policy (and possibly associated costs/waiting time) to wipe, reformat and reinstall the machine. – Sascha Jun 09 '17 at 09:22
  • I agree Sascha. It seemed like a bad approach and everything to get access to two licences that aren't critical for day-to-day work activities.... – Fran Martinez Jun 09 '17 at 11:23
25

How can I professionally decline his request?

I would politely decline their request, for the reasons you stated as part of your question. Another option is to state that you forgot the password/key, as mentioned in the comments.

In the future I recommend deleting any personal or sensitive information from all the company resources (PC, Network Drives, etc) before you leave the company.

Neo
  • 13
    Or better yet, don't keep them on company resources in the first place. usb drives, cloud storage and phones are good alternatives. – Chris E Jun 08 '17 at 13:52
  • 7
    Most people don't think about it, but your passwords are personal data. Before leaving a company you probably should change your password and give the new one to your supervisor. – Nelson Jun 08 '17 at 16:22
  • 8
    @Nelson Honestly, if your company has no way to access files on a work computer without their employees personal passwords, they have bigger issues. – JMac Jun 08 '17 at 18:40
  • This is not always possible, a typical case would be backups or the deleted emails dump on an Exchange server. – WoJ Jun 08 '17 at 19:01
  • @JMac: Really? I'd say that if your company gives out laptops without hard drives encrypted by their employees passwords, they have massive issues. – Lightness Races in Orbit Jun 09 '17 at 00:04
  • @BoundaryImposition IT administrators have accounts with elevated permissions on all the work devices I own. They don't need your password; they have accounts on all the computers on the network. Everything is still password protected. – JMac Jun 09 '17 at 00:10
  • @JMac: There is no such thing as "elevated permissions" when it comes to encrypting the contents of a hard disk. There is an encryption key that is some function of the user's configured boot-time password and that's that! – Lightness Races in Orbit Jun 09 '17 at 00:16
  • 1
    @BoundaryImposition You picked up on something irrelevant in what I said... The IT department has administrator accounts on every computer in their network of work computers. If they give you a computer, they have an account on it as well as you, and it has permissions to access everything (including things you do not). When you leave, they will still be able to log in and access the computer. You shouldn't have to change the password and give a supervisor the new one unless it's a really small company with a very relaxed IT department. – JMac Jun 09 '17 at 00:20
  • 3
    @JMac: No, they don't, if the hard disk is encrypted, which (as was the point of my comment) it should be. Once the employee has left either the password is changed/revealed (in which case all the data is available by definition and the topic is moot), or the data is erased and the laptop "refurbished" for use by the next employee. In short, in my response to your comment "Honestly, if your company has no way to access files on a work computer without their employees personal passwords, they have bigger issues", I'm saying "no, the company should actually have no physical way to do this". – Lightness Races in Orbit Jun 09 '17 at 00:24
  • .. and that's not because they deliberately hide their employees files from IT, but it's a consequence of having hard disk encryption, which is a good idea for other (unrelated) reasons. So it's not "irrelevant" - it's the entire premise of my response :) – Lightness Races in Orbit Jun 09 '17 at 00:25
  • From an IT security perspective, having the IT department able to access everyone's data is a single point of failure, and that's pretty bad. A compromised IT department, whether it is an infected system or a rogue admin, takes out the whole company. That's probably not a good thing. – Nelson Jun 09 '17 at 03:05
  • 4
    @BoundaryImposition Enterprise implementations of full disk encryption typically have (optional) master/recovery key data to allow decryption of disks without the user password, e.g. for Bitlocker. You are completely correct that this has little to do with accounts on the machine since this all happens before the OS is even booted at least in the case of full disk encryption. The use-case of decrypting drives after an employee has left is explicitly mentioned in the link. – Derek Elkins left SE Jun 09 '17 at 03:46
  • Personal files could be as simple as your annual appraisal, or training certificates, both would have been created at work – Donald Jun 09 '17 at 15:56
16

Refer them to IT

Sharing passwords is usually a bad idea - and oftentimes a violation of company policy which could get you and/or your former co-worker in trouble.

Tell them - "Ouch, sorry, I don't have it handy at the moment. You should ask IT to get you access to the drive, but all of the files on that drive should be located on the LAN at XYZ anyway. Are you looking for something specific? Maybe I can help you find it."

That protects you and them.

  • And leave it at that. You don't work there anymore. It's their data anyway. You don't owe anybody anything, not an excuse, an explanation, certainly not a lie. – quadruplebucky Jun 11 '17 at 13:07
6

Is this coworker out of place asking for that information?

Yes.

How can I professionally decline his request?

"How are you, I don't have access to that any more. Anything else I can help with? Hope all is well."

Note that you literally "don't have access to it any more".

Is this coworker out of place asking for that information?

As I say "Yes", but... It's possible the person needed something specific ("that old license key we can never find!"). In that case, your best response remains something like "Sorry, I don't have access to that any more."

Sometimes, "white lies" are the only solution. However, there is often a better way than making a "white lie". If you think about it ... you, truly, do not, in fact, 'have access to it' any more. Totally setting aside technical issues (passwords etc), it's simply not your property, business, affair or issue any more. You literally do not have access to it. Just leave it at that.

Fattie
  • 16
    "A fantastic lesson in business" is that it's a bad idea to burn bridges by responding with cryptic seemingly-passive-aggressive answers to simple requests or saying things that will make people think you're lying to them, especially if you want to use those people as references. – Bernhard Barker Jun 08 '17 at 16:26
  • Federal government enforces good practices and to the surprise of everyone if I asked to the IT security people of my department I'm pretty sure they should have asked me to go to the office or to simply reject the request. The feds aren't bad, and contrary to popular belief they protect those employees that want to stand their ground when they believe something is wrong. The office of ethics and bla bla bla gets involved and all that. Thankfully it was an honest mistake on his behalf asking to share a password on an e-mail. – Fran Martinez Jun 09 '17 at 11:28
  • 1
    @Fattie. Remember I'm not an employee. I'm an ex-employee; therefore the presumption that now I'm no longer protected is still there. It was a valid question and we had to look for all the angles. In this case it would have been his word against mine. – Fran Martinez Jun 09 '17 at 11:59
  • 2
    @Dukeling Another comment that you're right, you don't want to come off as passive aggressive. If the OP has an issue with the white lie of "I've forgotten it" and really wants to double-down on the inappropriateness of the asking, "I can't tell you the password, it is a violation of company policy, and if I violate company policy as a terminated employee, it would certainly look like I was trying to hurt the company out of spite. Now, is there another way I can help you without risking legal action against me for divulging passwords?" And be very careful about the tone when saying it. – Edwin Buck Jun 12 '17 at 18:53
3

If they have a legitimate business reason to access some of the data in that Bitlocker (i.e. company-owned data, not your personal info) then you have to be very careful in any refusal to provide the password as depending on your locale it can end up in an absurd legal mess. You really don't want to become the next Terry Childs!

Chris E
motosubatsu
  • ha! It is with government... – Fran Martinez Jun 08 '17 at 14:53
  • 1
    Terry Childs changed all passwords to prevent access to city-owned equipment. Definitely not the OP's case. – tricasse Jun 10 '17 at 22:23
  • Childs restricted access so that the city could only come to him. He wanted them to come to him, and he wanted them to depend on him so he could blackmail them for his own profit. Hardly what the OP is doing. – Dan Jan 03 '19 at 20:48
  • @Dan while I have no reason or inclination to doubt the OP's honesty or intentions if we play devil's advocate from the question as written (before the resolution update) then there is a container of encrypted data that belongs to the business which only the OP can facilitate access to. You don't see how someone could misinterpret his actions as Child's-esque? (to reiterate I am NOT suggesting that is what he was doing), heck some people were suggesting he charge the company for providing access to the data! – motosubatsu Jan 03 '19 at 22:06
  • @motosubatsu Childs went to court. The facts were presented to a jury who found him guilty after listening to all the facts. It should be noted the company cannot bring criminal charges against someone. Only someone within the state could do so. With that said, if the OP is misinterpreted as a "Child's-esque" as you call it, I highly doubt an average jury would even find him guilty of anything but being a worker who quit and did not want to help his previous employer. – Dan Jan 07 '19 at 16:59
-2

There are some nuances here that I don't think others are considering. First, it sounds like you left the company voluntarily and when you did you failed to remove licenses from your computer and created a burden on your coworkers. Having worked with a number of license management programs in the past I can assure you that checking in the license is the path of least resistance. Adobe, for example, can take an administrator an hour or so to release a license that is locked to particular hardware. Some companies, though rare, actually will not release a license and require a new purchase.

Second, and more important, did the IT department set up bitlocker on your computer? Or did you set it up without the approval of the IT department? These are completely different scenarios. As others have already said if IT set up bit locker direct your former coworker to contact IT. If you set up bitlocker then YOU have made company data unreadable and unrecoverable by your actions.

Your offer to enter the password is an excellent show of good will. Though the easiest path forward may be to remove or change the password in other places and simply e-mail it to your former boss and include that you are concerned about your personal information from the onboarding process being available to former coworkers. In truth, there isn't much difference between typing in the password for a coworker or disclosing it to them for the exposure of SSN or other personal info.

As far as a legal requirement you are in pretty good shape as long as you are willing to expend the time and expense in entering the password and/or removing the encryption. See the Terry Childs case.