Passwords and interviews

Employers who ask for passwords are missing an obvious problem.

One of last week’s big stories was a new interview question: employers asking job candidates for their Facebook usernames and passwords so they could check on their social history. There was a not-so-surprising amount of commentary, and Facebook pointed out the obvious: giving out your password violates their license agreement, they’re not happy, and they’re backing legislation to make this practice illegal. (They’ve backed off on hints that they might take some employers to court.)

However, most of the commentary has missed the obvious point:

What the hell are these guys thinking?

Seriously: have you never heard of social engineering attacks? Have you never heard about attackers calling someone up, saying there’s a problem with his computer and they’ll need his password to fix it? Or any of a million variations on that theme? You don’t have to read much about security to know that the biggest problem isn’t obscure bugs in Internet Explorer, it’s social engineering. Promise some technical support (possibly for a problem the victim doesn’t know he has), or pay for a few drinks in a bar, and you’re in. You’ve got the password, and whatever data lies behind that password. And even if the victim is a low-level employee without access to anything interesting, getting one password makes the next password infinitely easier to get. Sooner or later, there goes the product plan; there goes the HR database; there goes the customer list.

If a candidate proves that he’ll give out his password in an interview, hasn’t he proven that he’ll give out his password in other situations? Hasn’t he proven that he’s fundamentally unreliable, fundamentally unable to keep secret information secret? On top of that, it sounds like the practice is particularly common in security-related jobs. Where are employers’ brains?

I can see one, and only one, reason for asking for a password in an interview: as an underhanded way to weed out candidates who are unfit for any job requiring any serious responsibility. As soon as a candidate gives you the password, the interview’s over, and “don’t call us, we’ll call you.” But I’m not advocating that, either: it’s just a bad practice. And if you’re a job-seeker: I don’t really care how badly you need the job, you don’t need that kind of employer.
