I've just run into something I haven't before, and I'm a little unclear about where the footing is. We recently let go one of our remote workers, and in the process retrieved all of the company hardware that they had (phone and laptop). We're one of those smaller enlightened companies that attracts people because we let you use the laptop you want (within a budget), so we're seriously lacking in the centralized management department.

This particular user had gone so far as to have their home directory encrypted. We didn't do this for him, but this is good! This laptop traveled with the user, and we really didn't want a "left in a taxi" information breach.

However, the hardware didn't get into my hands until after the user was formally severed and I've been asked to get the data off of it[1]. 98% of which is in that encrypted home directory. I can certainly ask him to divulge this, and if he does great! No problem.

The problem comes if he, like so many people, reused the laptop password somewhere else and says, "Um, no. Sorry." because that would give us access to more than just the home directory. The Company CEO is of the opinion that this is company property, the password is part of the property, so the ex-user has to divulge it. A nice legal theory, I just don't know if it holds up to common practice[2].

Clearly, we need a method of admin-access to massively heterogenous hardware (we have all three! Windows, Mac, and Linux (two flavors even) users). But that's for later.

The employee agreement doesn't cover this specific example, just property and documents at termination. Interestingly, the paragraph in question doesn't mention "in a recoverable form", so we just might be up a creek here. Thus the question about the password.

Is this kind of password demand at all common?

[1]: So we can have it just in case. This is not a forensic, evidence-preserving move. I checked.

[2]: I can argue that the laptop only stores a hash of the actual password, not the password itself, and this is a false argument, but that's getting to a level of brass-tacks I don't want to get into quite yet.

_______________________________________________
Discuss mailing list
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System Administrators
http://lopsa.org/