Score: 99

I'm on a temporary job so they don't give me any passwords to access the sites and resources I need. Instead, they tell me to move to another computer where a regular employee is and where every password is already set and saved on the browser.

I have to be honest, I got into the router (as they are using default credentials) to get the WiFi password so I can use it on my phone and found that it had a lot to do with the activity the company does (e.g. if they were a restaurant, their password would be coffe123). With that in mind, I just wanted to see if the same pattern was used for other types of resources such as the email address, hosting accounts, etc. and yes, they were.

When registering another domain with a new account, I guessed the password by seeing my boss slowly typing on the keyboard and, again, weak as f*.

Should I tell them? I'm afraid I might get in trouble for lurking too much.

Just as a clarification: it's not a big company, we are just a few employees and none of them but me know about computers and security, so there's no way of anonymously reporting the issue or contacting a sysadmin or IT-related guy.

sysfiend
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/53101/discussion-on-question-by-sysfiend-should-i-tell-my-boss-i-have-discovered-their). – Rory Alsop Feb 05 '17 at 21:53
  • You should google "randal schwartz felony conviction", and take all the warnings that people have given you here very seriously. His situation was very similar to yours. – msouth Feb 06 '17 at 16:12
  • I'm thinking this question would be more on-topic in workplace.stackexchange.com – NH. Aug 28 '17 at 18:03

14 Answers

Score: 164

While there is no doubt that weak passwords are an issue for your company, I would strongly advise against telling your boss about the things that you have done.

Your company decided against giving temporary workers access to sites and resources for a reason. Not only did you gain unauthorized access to the wireless LAN by guessing the password to the router, you also extended that access by probing the credentials against other resources - resources that you were not supposed to have the password to. You then basically shoulder surfed your boss.

While there seem to be flaws in your employer's policy concerning access to company resources, and in their password policies, all of these things could be considered 'hacking' by your employer and were definitely outside of your authorization.

If I were you I would log off the WLAN and ask your employer for the password if you want to have access to it. Apart from that, you should stop trying to use other people's passwords on any access points just 'to see if the same pattern was used'. Depending on the legal system of the involved countries you can very well face legal problems for these kinds of acts.

So what should you do with the information you have?
If your employer gives you a password to a service or a resource, you could point out that, e.g., that password would be easily guessable for other people. I would not mention the other password here directly though.
If your boss seems interested you could volunteer to research password best practices for the company. If they are serious about it, this would eliminate your concerns.
If there is an IT person in the company you could bring these concerns to him as he will probably understand the need for a secure password policy better.

Denis
  • curiosity killed the cat, they say... I just wanted to investigate a bit, no harm meant to be done. – sysfiend Feb 02 '17 at 17:17
  • I can definitely see the point from where you are coming and think that many people will feel the same curiosity. I also believe that you didn't want to do any harm. Others that look at this with another mindset however, will often feel different, which unfortunately has caused a lot of people a lot of problems in the past. – Denis Feb 02 '17 at 17:41
  • I do also feel bad having this knowledge and not telling them anything, so they could be hacked by a bad guy any time.. – sysfiend Feb 02 '17 at 17:59
  • Try feeling bad about obtaining that knowledge instead. (sorry, that doesn't make you feel any better) If I had a good relationship with the employer, I'd confess and share the knowledge, but in your case, it sounds like that approach would backfire. – 700 Software Feb 02 '17 at 21:45
  • Curiosity doesn't only kill the cat, it can get you fired yesterday as well :) – Hanky Panky Feb 03 '17 at 04:53
  • @HankyPanky Not just fired, but at least in the U.S., can get you sent to prison as well. – Xander Feb 03 '17 at 18:31
  • @sysfiend You say no harm done, but I know someone who was almost fired for discovering a bug in an internal website. Wasn't doing anything malicious, he was using the website and found it and another group tried to get him fired for "hacking" their website. – corsiKa Feb 03 '17 at 18:43
  • @sysfiend You should read up on the [Computer Fraud and Abuse Act](https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act) or, respectively, inform yourself of your country's laws regarding the issue at hand. tldr: If you're in the US you probably technically committed a **felony** depending on the circumstances. Getting terminated for cause would be the least of your worries at that point. Not going to happen in this case, but you have to understand that accessing computer systems without authorization is a very serious offense. – Voo Feb 03 '17 at 22:37
  • `Not only did you gain unauthorized access to the wireless LAN by guessing the password to the router...` Or more likely, trying probable passwords until one worked. Not the kind of thing one should admit to, though any invalid attempts may still be logged somewhere. – user2338816 Feb 05 '17 at 05:17
  • What did the cat want to know? – Mawg says reinstate Monica Feb 06 '17 at 13:01
  • @Denis I believe your answer would (and should) be strengthened by a reference to the Randal Schwartz felony conviction for activities strikingly similar to the OP's. The OP has probably figured this out from all the comments here, but future readers are probably going to read your answer and it would be good to warn them of the real danger they face even if they volunteer the information and meant no harm. – msouth Feb 06 '17 at 16:17
  • @voo I recall there are some people who explicitly have bots basically hack websites using simple or common methods, and when they succeed, offer to tell the website owner about the hack/vulnerability for money. It's a very similar situation, so if they were in the US, are they committing a felony by doing so, or at what point are/would they be? – Ryan Feb 06 '17 at 20:37
Score: 41

Unless you have received an explicit or implicit (*) mandate for doing so, trying to guess passwords to access resources that were not granted to you is a hostile action, even if the passwords are trivial or written in a place that you should not have read. If you find a leaflet with "Confidential - reserved for allowed people" on the cover page and you read it nonetheless, it is also a hostile action.

The most you can do in the case of the leaflet is say "I've seen a confidential document there that someone could read without anybody else noticing. Does it really contain sensitive information and, if so, shouldn't it be stored in a more secure place?" -> meaning I have seen a possible security problem and I warned you, but I have respected the confidential mark.

Or if you have discovered the password of a co-worker (and if the following story is possible): "Hey, I had to log on to a computer, I was thinking about something else, and I entered a password I use at home. Then I realized that I was logged on to your account. I immediately logged out, but you really should change that password for a professional account."

(*) A mandate can be implicit if you are in charge of evaluating the overall security. But in that case you should ask whether you can continue as soon as you have discovered a trivial password.

Greenonline
Serge Ballesta
  • The story of the last paragraph might apply if the simple password is something like 123456, but if it is [product-of-the-firm]123 it is no longer plausible that the OP uses that password at home. – Hagen von Eitzen Feb 07 '17 at 08:19
Score: 30

I'm saying much the same thing as others, but this really could be a legal concern for you (I'm not a lawyer). In the UK (*) one relevant act is the Computer Misuse Act 1990 which says right at the start:

> 1 Unauthorised access to computer material.
>
> (1) A person is guilty of an offence if—
>
> (a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer
>
> (b) the access he intends to secure [F2, or to enable to be secured,] is unauthorised; and
>
> (c) he knows at the time when he causes the computer to perform the function that that is the case.

i.e. if you so much as try to access anything that you know you shouldn't.

Subsection 2 says it doesn't matter what computer, what data, or what kind of data, nothing makes it OK.

Subsection 3 says:

> (3) A person guilty of an offence under this section shall be liable—
>
> (a) on summary conviction in England and Wales, to imprisonment for a term not exceeding 12 months or to a fine not exceeding the statutory maximum or to both;

And then section 2 of the act says "Unauthorised access with intent to commit or facilitate commission of further offences" - you committed an act of unauthorized access (gaining router access) so that you could commit another act of unauthorized access (wifi access).

In one of your comments, you say

> no harm meant to be done

But Section 3 of the act is "Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc" - even if you don't intend harm, if you act recklessly, that's enough. Joining an unsecured, unknown, unauthorized, personal device (phone) to the company network 'could' put them at risk of all kinds of cryptolocker-style blah blah.

I strongly doubt that this will apply in force to someone in a small business accessing a router, but if they want to argue it, you've taken a temporary job, broken into their network, their email, their domain / website hosting, carelessly put their network and therefore their company operation at risk, and who knows what theft, blackmail, extortion or damage you were planning to commit.

And what's worse, they don't understand IT, they aren't interested in how much fun it is or how curious it is, or how serious or trivial your actions were, if they get the wrong end of the stick it won't look good for you.

> Should I tell my boss their passwords are too bad?

Yes, you should. But don't unless you have reason to think they will take it well. And they should care. But they don't. And it's not your company and not your problem. If they show interest, suggest why (in principle) stored browser passwords are risky, or shared accounts are risky, or simple passwords are risky.

If there is no backup, encourage them to have backups. "Hi, I was reading this news item about GitLab almost losing 300Gb of data and it made me think we don't have good backups here - we could set one up for $xyz, what do you reckon?"

(*) Other jurisdictions are available.

TessellatingHeckler
  • http://www.theregister.co.uk/2005/10/06/tsunami_hacker_convicted/ - actual case where someone was prosecuted and found guilty for doing far less than the question describes here... – Tim B Feb 03 '17 at 16:38
  • Laws are similar in the US, though they vary by state. – Chris Schneider Feb 03 '17 at 17:44
  • @Chris Unauthorized access of computers in the US can very easily be a felony, so laws in the US are generally even more serious than the UK version the way I read it (for an extreme example see Aaron Swartz's case where violation of the same law the OP is guilty of resulted in multiple felony counts and a maximum criminal exposure of up to 50 years in prison). – Voo Feb 03 '17 at 22:44
  • I scanned this answer pretty quickly and missed the part about a max of a 12 months sentence. By "Laws are similar" I wasn't inferring anything about severity of punishment. – Chris Schneider Feb 04 '17 at 00:21
  • @ChrisSchneider I didn't quote everything, offenses under different sections of the act I linked have different punishments. Offenses causing or risking 'serious damage to human welfare or national security' can go up to 'imprisonment for life'. – TessellatingHeckler Feb 04 '17 at 02:11
  • On the "no harm meant to be done" bit: Legal systems generally do not care about the notion of lack of malicious intent, only that a statute has been broken. – NZKshatriya Feb 06 '17 at 05:54
  • It’s ironic that using legal threats to cover up poor security just makes the security *worse* against actual hostile actors. – JDługosz Feb 07 '17 at 07:50
  • With passwords saved in the browser, I wonder if clicking the readily available "show passwords" button in the browser settings counts as computer misuse ... – Hagen von Eitzen Feb 07 '17 at 08:25
  • Yeah, the Computer Fraud and Abuse Act could *easily* be invoked here. There are plenty of times in the US that our "hacking" laws have been applied in even [stupider circumstances](https://en.wikipedia.org/wiki/Aaron_Swartz#JSTOR). – Wayne Werner Feb 07 '17 at 14:18
Score: 22

I put myself in pretty much your exact situation once when I was young. I got bored at a temp job and started probing around for security weaknesses. I tried to end it by sending an anonymous email to the sysadmin, which backfired in the following ways:

  • They freaked out, thinking the threat came from outside the company at first.
  • They combed through the system logs and interrogated and nearly fired one of my coworkers who I was friends with and had nothing to do with anything.
  • They eventually tracked it back to me and fired me.
  • I was very lucky they didn't do worse.

The part about my friend nearly getting fired threw me for a loop. In my hubris, I was completely unaware of any collateral damage I might be causing. Also what surprised me was when I got called into that room to be fired, how scared people were of me. Dismiss any thoughts you have of people responding rationally.

My suggestion is immediately stop using any unauthorized access. If you really can't do your job without a password, point that out, and if they give you that password, point out how weak it is. Other than that, leave it alone. I know it's difficult. One day you'll be in a better position to influence these sorts of policies. You just have to be patient.

One big regret
  • Still not sure on the whole needing wifi access on his cell. He's doing security, yet decides to get into the router without permission, so he can get the wifi password to connect his cell (aka an unsecured device) to the company network, and most likely without permission? – NZKshatriya Feb 06 '17 at 05:51
  • maybe you should've been honest earlier ?! amused by the scared part, though ! – infinite-etcetera Feb 07 '17 at 10:20
  • Just out of curiosity, is your username in relation to what you've described? Also, +1, good answer. Nice and honest of you to share. –  Feb 07 '17 at 10:50
  • Didn't you come out when they started investigating? Might have avoided the firing. – Thorbjørn Ravn Andersen Feb 08 '17 at 11:47
Score: 15

Don't start by talking about the insecure passwords. Instead start by pointing out that it's not a secure practice for you to use another employee's computer to access systems because it puts the other user's data at risk (of an accident even if you aren't malicious or as nosy as you are). Try to convince them that it would be more secure to give you the passwords that you need to do your job. It would also be more efficient since you wouldn't have to block the other user from working. If they want you to have access they should give you that access. If that works, then you can comment on the insecure passwords that they reveal to you. If they are concerned about you knowing the passwords after you leave they can change them at that time.

Sinc
Score: 10

Most companies of any size have a mechanism by which you can make anonymous reports of wrongdoing by members of staff. It may be called an integrity or a compliance reporting system.

This sort of whistleblowing is encouraged to protect the company from more damaging revelations.

I would check if your employer has such a system and, if so, use it. Report the names of people involved and, if you feel it appropriate, even the password they are using.

Where I work, such reports are encouraged. You would be helping the company secure its data without risk to yourself.

Chenmunka
  • It's a really small company and I'm the only one with computer knowledge. Even if such a policy existed, I'd be exposed. – sysfiend Feb 02 '17 at 18:31
  • I wouldn't recommend reporting the actual passwords used. If they're the default passwords it will be obvious. If further investigations are needed, you don't want to have people "testing" the passwords of management accounts. – Booga Roo Feb 03 '17 at 02:57
  • And a large company can check logs and figure out if anyone recently was on that part of the network without authorization. Really bad idea to be anonymous after doing a crime. Hey cops, someone is driving drunk on highway 64 right now.... wait, it's me. – blankip Feb 05 '17 at 06:07
  • @blankip Any small company worth a darn would check its logs as well lol. – NZKshatriya Feb 06 '17 at 05:52
Score: 5

> Should I tell my boss their passwords are too bad?

When I am working on a project and I am given the password to a server/router etc., and it's a bad password, I will always say something and recommend using stronger passwords, a password manager, etc.

I think that this is a reasonable thing to do.

> With that in mind, I just wanted to see if the same pattern was used for other types of resources such as the email address, hosting accounts, etc. and yes, they were.

Yeah, definitely don't do this. It is against the law, and you could end up with a criminal record if your employer found out.

JMK
Score: 4

By telling them you would end up revealing the actions you've taken to gain that information and that might get you in trouble.

If you want to educate them about the importance of strong passwords, you might be able to do so without divulging what you know.

eV-
Score: 4

While I agree with the others that you have gone too far in probing the security, and that you should not tell your employer about the passwords/systems you have compromised, I think you have a responsibility to tell them that their security practices appear to be poor and ask for their permission to investigate further.

(but make sure you have a go-ahead in writing, off-site before you go any further)

symcbean
Score: 3

Honestly, it all depends on your boss's personality and how much you know/trust each other. There are many employers that couldn't care less about their employees and would take advantage of such a situation by suing you, but at the same time there are many that would be very grateful for such advice, and befriend you for doing extra work.

You could say something along the lines of "I was watching tutorials on network security and I was wondering whether the system here had such flaws" or if not, you could find a trustworthy employee to say that, which would probably be more accepted by your boss.

And finally, there's always the don't-say-anything approach: just do your job, mind your own business, and forget about it. Seems wrong, but nowadays there are too many bad people that want to take advantage of genuinely good deeds (like pointing out flaws in a business' security) that it's not really worth the risk of going to jail and paying fines for trying to be a nice person.

The only one that can make a move is you, and that all depends on how good your judgement of people's personalities is.

Bwinzey
Score: 2

> And finally, there's always the don't-say-anything approach: just do your job, mind your own business, and forget about it. Seems wrong, but nowadays there are too many bad people that want to take advantage of genuinely good deeds (like pointing out flaws in a business' security) that it's not really worth the risk of going to jail and paying fines for trying to be a nice person.

And that's exactly what you should do. If you say a word, even a hint, to anybody--anybody!, not just the boss, or others at that company--you are putting your safety and liberty in his hands. Keep your mouth shut, do your job, and go somewhere else to work after your contract is done. Your situation is dangerous. Prosecutors are rewarded for number of convictions, not the evil of the perpetrator.

CaffeineAddiction
wam
Score: 2

Depends on the personality of your boss. Is he intelligent, smart and understanding? If yes, then you can tell him. That will not be a cause to fire you or demote you by any chance. Instead, you might be rewarded for your talent and, who knows, maybe a promotion too.

But if the personality of your Boss is rather ordinary, then just forget this.

Score: 1

Try asking them for the password, because of blah blah blah. If they know that you know the password, you can tell them it's insecure and they'll, most likely, agree to changing it! And since you got the password in a "good" way, you will be FINE.

Score: -1

Note: take everything said here with a grain of salt; I'm trying to provide a point as to why you might not need high security, but that does not mean you should not have any security.


I might play the devil's advocate here, but security is risk vs reward.

So him having a weak password might not entail much, the worst-case scenario being a few hours of slowdown if someone gets access to the IT system.

But him forgetting his password "h1Ed4H£2h~zE{G~b#1$ù%µ454" and/or wasting 5-10 minutes per day by entering it and him being frustrated because he gets it wrong a few times would probably be worse in the long term.

What I mean is that sometimes we get caught in a security paranoia and forget that the risk of someone willing to attack the company is not really high, and even a full IT failure may only mean having to go back to paper for a few days.


As for how to deal with it, I suggest casually talking with your boss about IT security, and if he thinks it's important or not. You may argue if your points hold.

If your boss agrees that IT security is important, you might want to ask him if you can probe around to see if there are any problems with the security. Do what you did, conscientiously, and report to him via an email with every problem you find, what risk that means, and how/how much it costs to fix it.

Most of the time the problems with IT security come not from external sources, but from (ex-)employees with a grudge, so that's probably why he doesn't want you to get the passwords.

satibel
  • `What I mean is that sometimes we get caught in a security paranoia and forget that the risk of someone willing to attack the company is not really high`. A healthy amount of paranoia is necessary. If it was trivial for OP to guess this password, it'll be trivial for an attacker. –  Feb 07 '17 at 10:51
  • "*Most of the time the problems with IT security come not from external sources, but from (ex-)employees with a grudge*" is the only thing I agree with you on. How can you say "*even a full IT failure may **only** mean having to go back to paper for a few days*"? Lmao – sysfiend Feb 07 '17 at 11:12
  • @JᴀʏMᴇᴇ But "does an attacker exist" is the first question. And the second one is "what would be the worst the attacker can do". I'm not saying it's wrong to worry about security, though I may have emphasized my point a bit too much, but most small businesses don't need to worry that much about IT security. Of course if your risks are more than just an unlikely slowdown due to someone on the inside, you might worry about it. That is why I suggest brainstorming with the boss about what is really needed as far as IT security goes. Getting better passwords should be an easy conclusion. – satibel Feb 07 '17 at 11:13
  • @sysfiend well, where I work, we rely a lot on IT, but we have a plan B for everything, and can make everything work on paper and humans. I'm not sure what your company does, so I can't say that it is doable for yours, but if you do something like a restaurant (to take your example), you can still take clients at the register on a note, even if your registration system and your website are down. If you are a company that works only on websites, that is probably not doable though. – satibel Feb 07 '17 at 11:22
  • @satibel there might never be an attacker but, what if so? Also, if he breaks into the security of a business that has no password policy of any kind, he would have access to bank, paypal and hosting accounts, at least. It's not about having the work done, it's about protecting the company's money and data – sysfiend Feb 07 '17 at 11:27
  • @sysfiend Then if an attacker can gain access to these accounts, that IS a security concern, a reason for someone to want to break in in the first place, and should be an argument for having better security. Even if you are attacked, and those accounts are taken, you probably can get access back to those accounts, change the passwords, and get your money back in less than a month (probably even a week, given it's a business). – satibel Feb 07 '17 at 11:31