Our CISO's office sends out a Cybersecurity Bulletin each month. I forwarded this to him and suggested he include it in this month's Bulletin. His response was "LOL, I would be everyone pretty much already has mastered that task".

Before taking the infosec gig I supported a fairly large US sales force. If a rep forgot to include their password when they sent in a laptop to be worked on (which has its own problems), all I had to do is look up when their password expired, go back 90 days, and then try %season%YYYY!. It worked 99 times out of 100.

A few ears back when I was repairing computers for the general public, someone brought in a computer that they "found" and needed the password reset cause they didn't know what it was.

Password hint was Yes.
First thing I tried was correct.
No

Found out the computer was in fact just left on a bus stop bench by the original owner.
The original owner left it for anyone who wanted a free computer.

I found their phone number by digging through their files....
They did not delete anything off the laptop.

I've had fights with support on this one. I will not give them my password.

I was always okay with this, just so long as the person didn't mind that I was going to then change their password for them and then tell them what it is going to be. There's a delay between user password changes to prevent password reuse, so it gave enough of a window to reimage the computer or whatever I had to do before they could change it again.

And they shouldn't ask. If one of my support techs does that, they know they are likely to face a disciplinary action.

WRONG! My password is BasicB!tch2021 so HA.

Sent from my SM-G975U using Tapatalk

Huh. I would have guessed it was I<3v@xines.

Nah that shot was annoying shouldn't have to do it as a healthy man who was probably already exposed 100x

Sent from my SM-G975U using Tapatalk

If they need to log in as me, I need to be there. Or they need to be on NDAs, or I just can't get help and always need to reimage. They cannot be given access to some of the things they could access if logged in as me.

Mind you we're talking about 15 or so years ago here, but there were a few people who thought like that. Back then it didn't last very long. This is with the caveats that IT was already under a blanket NDA, and it was a manufacturing company. So while people there may have thought like that, it wasn't as true as they would like it to be.

As long as they are indeed included in all NDA I'd be fine, just need to do full resets on browsers to clear out saved passwords and stuff. The code I walrite, etc. Is already shared... email might be an issue, still not sure.
In that case I'd just change my password before handing it Over,albeit reluctantly.
It's easier now with far more needing 2FA... Not everything forces that though.

Fill in the blanks as you will.