How to refuse to give an access to passwords to a customer without being unprofessional or rude?

Posted by MainMa on Programmers See other posts from Programmers or by MainMa
Published on 2012-06-02T09:44:47Z Indexed on 2012/06/02 10:50 UTC
Read the original article Hit count: 228

Let's say you're creating a website for a customer. This website has its own registration (either combined with OpenID or not). The customer asks you to be able to see the passwords the users are choosing, given that the users will probably be using the same password on every website.

In general, I say:

  • either that it is impossible to retrieve the passwords, since they are not stored in plain text, but hashed,

  • or that I have no right to do that or that administrators must not be able to see the passwords of users, without giving any additional details.

The first one is false: even if the passwords are hashed, it is still possible to catch and store them on each logon (for example doing a strange sort of audit which will remember not only which user succeeded or failed to logon, but also with which password). The second one is rude.

How to refuse this request, without being either unprofessional or rude?

© Programmers or respective owner

Related posts about security

Related posts about customer-relations