I once had a guy ask me what a Social Engineering Specialist was.  I frowned, as I was on a plane and thought this was a pretty random question, until I remembered what I was wearing and, smiling, turned my back on him.  He laughed and nodded.  My shirt was from Jinx.com and stated “Social Engineering Specialist” on the front; the back said, “because there is no patch for human stupidity.”
 
That might be harsh, but the events going on up in Bozeman, Montana lead me to think that the shirt isn’t that far off.  For anyone that hasn’t heard, Bozeman, Montana decided they were going to hire only those people with the highest moral fiber.  This is important to remember: highest moral fiber.  But how can you possibly know if someone has high moral fiber?  Do you ask them how much fiber is in their diet?  Do you call the references on their resumes?  How do you really know, in this day and age, if someone is truly a moral person or not?  Their answer?  Ask all applicants who had received job offers conditional on a successful background check for the username and password of all, and I quote, “current personal or business websites, web pages or memberships on any Internet-based chat rooms, social clubs or forums, to include, but not limited to: Facebook, Google, Yahoo, YouTube.com, MySpace, etc.”1
 
Is anyone else seeing the problem with this here?
 
I want to know where their Information Assurance person was in this decision.  Hell, where were the lawyers?  This is so far beyond the pale of what is acceptable that it’s mind boggling.  Information Assurance rests on three principles and three principles only: Integrity, Availability and Confidentiality.  What the Bozeman City HR department has done violates at least two of them.
 
The first principle is Integrity.  If you can’t ensure that the document, file or person you’re dealing with really is the document, file or person you need, and that it hasn’t been altered or compromised, then you have no integrity.  If, for example, someone in HR took a job applicant’s login and then posted inflammatory or derogatory statements on their Facebook, that job applicant has no way of proving they didn’t make those statements.  You’ve violated the integrity of that person’s Facebook page, because anything posted under their username and password is, as far as anyone can tell, theirs.  The account wasn’t hacked; it was social engineered.
 
The second principle that’s been broken here is Confidentiality.  Basically this is the whole need-to-know principle: if you don’t need to know, you shouldn’t have access.  Now this is where I think the Bozeman city HR department was trying to use creative logic.  They decided that, because of their high moral fiber, they were entitled to determine the confidentiality of the data.  That isn’t how it usually works.  You don’t get to decide what you will and won’t see on the Internet.  You get to see what other people have decided you get to see, especially when it comes to private information. 
Here’s the problem: I don’t buy it.  Demanding that people give up their passwords is bullying, plain and simple.  I would feel outraged about the idiots that gave up their usernames and passwords, but then again most people will give up their passwords for chocolate.2  It’s a hard economy, and government jobs are usually a safe bet.  Bozeman bullied people into giving them info they had no business knowing or having, and that isn’t the work of someone with the highest moral fiber.

It’s none of their business what you say on the Internet.  It’s no different than bitching to your girlfriends or boyfriends about your job.  Yes, you can’t disclose confidential information, but here’s the thing: if you’re out in the open, they don’t need your passwords to see it.  They wanted the back end, the part you don’t put out to the public.  They weren’t saying what they were looking for, but it obviously wasn’t good. 

If all that wasn’t disturbing enough, Bozeman officials weren’t even sorry when they were caught out.  They stopped the practice, but not because they thought it was wrong; they stopped because they found that “(t)he extent of our request for a candidate’s password, username, or other Internet information appears to have exceeded that which is acceptable to our community.”1 
 
Really, ya think? 
For the record, you should never, never, never give out your passwords to anyone.  System administrators or your IT department shouldn’t need your account to do any maintenance on the system (they have their own privileged accounts for that), and a banking system should never need you to reconfirm your password or account information by e-mail or phone (if they do, dump them, as they have no system security or backup policy).  Ideally, you should change all your online passwords every six months at a minimum and not use one or two passwords for everything.  Practically speaking, have one password group that you don’t use anywhere else for anything to do with your money, and another group you use for Facebook, MySpace, geekachicas, etc.  Change those as often as you can remember, at the very least once a year.  You should always change a password if you think someone’s managed to get it.  The faster the better, and yes, it’s a pain, but better that than having your information or really embarrassing pictures out on the Internet for all to see.

If you’re not harboring state secrets, you can write passwords down in a spreadsheet and lock that down to just you, or print it out and keep it in a lock box.  Best yet, pick something you’ll remember but that is hard for others to guess.  What does that mean?  Don’t use words in the dictionary.  If your online site allows special characters, use them.  Pick a sentence, take out the spaces and exchange some of the letters for numbers.  ex: 1h@vetEnf15h$ (I have ten fish).  Mixing in numbers and special characters, especially at the start rather than tacked on the end where most people put them, makes it a helluva lot harder for a person to guess or for a password cracker to figure out, and the length of the sentence is what really does the work.
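To make the recipe above concrete, here is an added example (my code, not part of the original post) that applies the sentence-to-password transform, estimates how much work a blind brute-force attacker faces, and then runs the one rule every password cracker already has: undoing the letter-for-number swaps and checking the result against a wordlist.  The substitution table, the `undo_leet` reversal rule and the tiny wordlist are assumptions constructed for illustration; the point it shows is that a swapped-up dictionary word (“p@55w0rd$”) is still a dictionary word to a cracker, while a swapped-up sentence (“1h@v3t3nf15h$”) is not.

```python
import math
import string

# Letter-for-number swaps in the spirit of the post's "1h@vetEnf15h$" example.
# This table is an assumption chosen for illustration, not a standard.
LEET = {"i": "1", "a": "@", "s": "5", "e": "3", "o": "0"}
REVERSE_LEET = {v: k for k, v in LEET.items()}

# Constructed stand-in for a cracker's wordlist (real ones hold millions of entries).
WORDLIST = {"password", "letmein", "monkey", "fish", "dragon", "qwerty"}


def sentence_to_password(sentence, suffix="$"):
    """The post's recipe: drop the spaces, swap every letter that has a
    substitute for its number/symbol, and append a special character."""
    squashed = sentence.replace(" ", "")
    swapped = "".join(LEET.get(c.lower(), c) for c in squashed)
    return swapped + suffix


def char_classes(pw):
    """Which character classes the password draws from."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(c in string.punctuation for c in pw),
    }


def brute_force_bits(pw):
    """Work a blind brute-force attacker faces, as log2(alphabet ** length).
    Position of the symbols does not matter here; length and alphabet do."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}
    present = char_classes(pw)
    alphabet = sum(sizes[k] for k, on in present.items() if on)
    return len(pw) * math.log2(alphabet)


def undo_leet(pw):
    """The reversal rule a cracker applies before a wordlist lookup:
    map digits/symbols back to the letters they commonly stand in for."""
    return "".join(REVERSE_LEET.get(c, c) for c in pw)


def cracker_recovers(pw, wordlist=WORDLIST):
    """True if undoing the swaps and stripping trailing punctuation yields a
    word in the wordlist, i.e. the swaps bought nothing against a ruleset."""
    base = undo_leet(pw).strip(string.punctuation).lower()
    return base in wordlist


def assess(sentence, wordlist=WORDLIST):
    """Build a password from a sentence and report how it holds up."""
    pw = sentence_to_password(sentence)
    return {
        "password": pw,
        "brute_force_bits": round(brute_force_bits(pw), 1),
        "classes": sum(char_classes(pw).values()),
        "dictionary_derived": cracker_recovers(pw, wordlist),
    }


if __name__ == "__main__":
    for s in ("password", "I have ten fish"):
        r = assess(s)
        verdict = "cracker wordlist rule recovers it" if r["dictionary_derived"] else "survives the wordlist rule"
        print(f"{s!r:20} -> {r['password']:16} {r['brute_force_bits']:5} bits  {verdict}")
```

Both outputs use the same four character classes, so a brute-force estimate alone rates them fairly close; the difference is that the single dictionary word collapses under a one-line reversal rule and the sentence does not.  That is the practical meaning of “don’t use words in the dictionary”: the swaps are decoration, the sentence is the password.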

Bozeman city officials haven’t said what they’re going to do with all the usernames and passwords they already collected.  Considering they’re of the highest moral fiber, I’m sure nothing will go awry.  Just in case, to all those people that gave up their passwords: I would go ahead and change them all.  But that’s just me.