As a user, you should never share your password with anyone. It is used to track who had access and made changes to specific information. You are responsible for everything done on the system using your ID and password.
As a manager, you must set up the processes and procedures so that your staff and customers do not need to share their passwords. They need a simple rule that anyone asking for their password is running a con.
- The user's co-workers should never have access to each others' passwords. If work needs to be shared, use shared folders or other collaboration tools that maintain tracabilty in the logs about who did what. If a co-worker needs temporary access to the user's files (for example, if covering for someone on vacation or emergency medical leave), have IT use their administrative tools to grant the access rights under their own ID, not by compromising the ID of the person who is out of the office.
- Not even your own IT staff should ask for a user's password. If IT needs the password to complete a repair, the IT person should insist that the user type in the password.
- You don't need their password either. If you need to access their files, you should have IT set up your rights so that you can monitor their work under your own ID and password. No one ever wants to be in the middle of an investigation but, if you are, you really don't want to have counter-accusations that the chain of evidence was compromised.
Too many people are running phishing and other cons that try to trick people into sharing their passwords. Make it possible to say with confidence that no one at your organization will ever ask you for your password.