Passwords and interviews

Employers who ask for passwords are missing an obvious problem.

One of last week’s big stories was a new interview question: employers asking job candidates for their Facebook usernames and passwords so they could check on their social history. There was a not-so-surprising amount of commentary, and Facebook pointed out the obvious: giving out your password violates their license agreement, they’re not happy, and they’re backing legislation to make this practice illegal. (They’ve backed off on hints that they might take some employers to court.)

However, most of the commentary has missed the obvious point:

What the hell are these guys thinking?

Seriously: have you never heard of social engineering attacks? Have you never heard about attackers calling someone up, saying there’s a problem with his computer and they’ll need his password to fix it? Or any of a million variations on that theme? You don’t have to read much about security to know that the biggest problem isn’t obscure bugs in Internet Explorer, it’s social engineering. Promise some technical support (possibly for a problem the victim doesn’t know he has), or pay for a few drinks in a bar, and you’re in. You’ve got the password, and whatever data lies behind that password. And even if the victim is a low-level employee without access to anything interesting, getting one password makes the next password infinitely easier to get. Sooner or later, there goes the product plan; there goes the HR database; there goes the customer list.

If a candidate proves that he’ll give out his password in an interview, hasn’t he proven that he’ll give out his password in other situations? Hasn’t he proven that he’s fundamentally unreliable, fundamentally unable to keep secret information secret? On top of that, it sounds like the practice is particularly common in security-related jobs. Where are employers’ brains?

I can see one, and only one, reason for asking for a password in an interview: as an underhanded way to weed out candidates who are unfit for any job requiring any serious responsibility. As soon as a candidate gives you the password, the interview’s over, and “don’t call us, we’ll call you.” But I’m not advocating that, either: it’s just a bad practice. And if you’re a job-seeker: I don’t really care how badly you need the job, you don’t need that kind of employer.


  • Aaron Gilliland

    I envision a clever and/or smug candidate making a fake profile just for interviews.

    “If you’re reading this, you’ve fallen into my clever and/or smug trap. hire plz”

  • ananymous

    You are missing the important point… what if you just don’t get the job if you fail to comply?

    Or worse, what if you lose your current one because you care for your privacy?

    Take a look outside of a cozy and safe environment.

  • Pat

    And if you’re a job-seeker: I don’t really care how badly you need the job, you don’t need that kind of employer.

    Someone who has run through their 99 weeks of unemployment and is living on friends’ charity does not have the privilege of saying “No” to such a request. Reread the original article:

    Back in 2010, Robert Collins was returning to his job as a security guard at the Maryland Department of Public Safety and Correctional Services after taking a leave following his mother’s death. During a reinstatement interview, he was asked for his login and password, purportedly so the agency could check for any gang affiliations. He was stunned by the request but complied.

    “I needed my job to feed my family. I had to,” he recalled,

    “I needed to feed my family” – most people do not have the option of being selective. They have a family to feed, bills to pay, sick family members to provide for. They are the victims here. They are not stupid nor ignorant. They are just trapped.

  • Burnsie

    Perhaps you should only give over your password if they also hand their password over to you.

    As good practice, you should also make sure that none of your personal Facebook information is publicly visible. You can use a tool like to help you determine what is publicly accessible.

  • dan

    What a complete and total idiotic jump to call the password request as a possible screening technique to see if the candidate will succumb to a social engineering hack.

    The real and obvious point is that you are subjecting the interviewing client to duress: if they don’t comply, they blow the interview.

  • jefurii

    @anonymous, @Pat. And that’s why we need legislation to prevent these employers from asking in the first place.

  • Jay Kreibich
  • If someone asks me for my Facebook password, I’ll smile and proudly and truthfully say, “I don’t have a Facebook account.”

    This latest craziness validates one of the key reasons I don’t have a Facebook account.

  • JP

    @ Obbie Z:

    “If someone asks me for my Facebook password, I’ll smile and proudly and truthfully say, ‘I don’t have a Facebook account.’”

    Then the hiring manager will draw one of two conclusions:

    a) You’re lying.
    b) You have something to hide.

    Then what?

  • Mac

    What would stop the interviewer from inserting his own content after the interview?

    Offer to ‘friend’ the interviewer. They should be able to see enough without the ability to post as the interviewee. Explain that they will be ‘unfriended’ after an arbitrary time.

  • Johnny Tabasco

    Mac, they have absolutely no business seeing your Facebook profile at all. Privacy is worth protecting, not compromising.

  • Gar

    Facebook has always caused me to wonder about the end game. The system creators are constantly playing with privacy and testing how far they can go with things like automatic sharing of buying habits. Mark seems to talk a lot about how information should be open yet has us build groups of Friends that can see and comment on a ‘Friend’s’ posts.
    While I do not post things onto Facebook that are offensive or truly private, some posts could be taken out of context if an outsider wasn’t involved in an offline conversation the posts were built on. How many friends will a person lose if they found out your employer was now able to look over their posts too?

  • Andre

    Another point, this time for the employee.

    Any manager that asks for a password is not a manager you probably want to work for.

  • Chuck

    During out-of-town interviews, I have twice been given written directions from the airport to the interview location that were missing a key turn. In both cases, my habit of pre-driving the route the night before the interview prevented my being late the next morning. I don’t think it was an accident in either case.

    Personally, I’m a big fan of hidden intelligence tests in the interview process, though I agree that this is one ‘test’ that should be avoided. Your best candidates may get up and leave, or give the wrong password, or for those who have planned ahead, give the password to a fake profile.

  • Sean May

    This is yet another fine example of corporate self-interest.

    Companies aren’t actually worried about things like data-integrity.
    They have IT departments to worry about that sort of thing.

    Even corporations whose vested interests are largely technological/software are frequently top-heavy, with departments running the company, who have no understanding, nor insight into the actual technical aspects of the company.

    Interviews for job positions are going to serve corporate-interest just as often (if not more so) than serving the needs of the position which required filling by the best possible candidate.

    So when somebody asks why an interviewer might ask for a Facebook password, the only suitable answer is: “Because they haven’t been told they legally can’t”