Is It Legal for IT to Ask for Email Passwords? Exploring Risks and Alternatives

Concerns About Sharing Email Passwords

Our IT admin person is asking everyone in our company to share their official company email passwords. The IT admin person already has access to the main admin account of the email management system and can change the password of anyone at any time. Many people on our team are concerned because if a list of passwords is leaked, anyone can access anyone's account and send emails. This could put the person whose email account was used in trouble (IT Act, etc. - what if someone sends inappropriate pictures or threats).

The IT admin person has not even asked to submit passwords via an official document; he has just asked for it verbally, and the main HR person is also pressuring the employees to give their passwords.

Request for Legal and Alternative Solutions

Can anyone explain the implications and legality of this? Are there any other alternate solutions?

Concern About IT Security Policy

This is a concern since it is not likely to be within the guidelines of the IT security policy. You can ask them to send a notice by email to everybody to provide this. Do this through your manager. Maybe it could be escalated to senior levels.

Secondly, do not use official email for any form of personal discussion with anyone. If you have done so already, please delete it immediately.

Hope this helps.

Regards,

Dear Anon, I echo Ryan and request you to explain why the IT Department would need the passwords. Which password are they asking for? Is it the login password to the laptop/desktop or to the mailbox?

They have access to every interaction within their network, including the intranet and mailboxes. Asking for the password separately seems like an initiative to alert employees about their interactions. Please try to understand why the system has been set up. Sharing passwords is against the Code of Conduct of every firm.

Looking forward to hearing from you!

Password Sharing Policy and Security Concerns

This is not a normally accepted policy. As per the IT security policy, password sharing is not allowed. IT should be able to reset the password whenever they require. This should be logged with reasons, and you will be aware when the password is changed.

If the password is to be shared for any reason, it should be well-documented and notified to stakeholders to avoid any disputes later on.

You should also confirm how responsibilities will be fixed in case your email account is misused. (This is a rare chance but still a grey area).

Code of Conduct Concerns

That's actually against the Code of Conduct. People can misuse the profiles. IT employees have access to all accounts and may create or delete profiles. As you already mentioned, it is requested verbally, so please do not take any action. If someone pressures you, please share a wrong password  Hope it helps!!

Concerns About IT Admin Access and Security Policy

The IT admin person in your company might be taking advantage of their position. If they have admin access, they can change the password of any user at will and access the user's email. This situation seems suspicious. Please review your IT Security Policy for any potential vulnerabilities.