Controls & Accountability

Why Shouldn’t I Share My Password?

How would you feel about being interviewed by the Police or Internal Audit as a suspect in a crime? If you happen to share your password with someone who embezzles funds, you will be considered a suspect because your name is associated with those transactions. You are sharing your identity when you share your password. Your UCD Login ID and password are your signature and are the only way the computer has to identify you. Even if you can clear yourself, you will know that you created the opportunity for the other person to commit the crime. You may also face disciplinary action for violating policy.

You were given a unique UCD login ID/password and a specific role in our financial system (e.g., Document Initiator, Fiscal Officer) to ensure that no one person has complete control over a transaction. This separation of duties takes away the opportunity from someone motivated to steal. Think of what could happen if a dishonest person had Fiscal Officer privilege.

Fraud is not the only risk caused by sharing passwords. The likelihood of errors and omissions also increases when you share your password with untrained persons. While every good manager will closely supervise and train new employees, having new employees use their own UCD login ID makes it easier to identify the transactions they create. Errors and omissions reduce the accuracy, and hence the value, of the information recorded. KFS is the official record of the university and is the basis for financial management and reporting. If the people interested in the way we use our money perceive that our financial reports are not accurate, we can lose the funding (e.g., research funds, state appropriations, bonds, gifts, etc.) and the prestige UC Davis has enjoyed.

Reasons given for sharing passwords have included: “Our Fiscal Officer is going on vacation (or is out sick)”, “It takes too long to get a KFS user account for a new employee”, and “I use temporary or student employees and can’t get them accounts.” While we are all looking for ways to ease the burden of our daily workload, sharing passwords is not an alternative, as it puts both you and the university at risk. (Answers to these and related problems can be found below.)

Facilities Services is an example of an organization that has taken workstation security seriously. They have issued an internal policy that includes: “Each person accessing a computer system must be provided a computer account username and password. It is the responsibility of each person to secure and protect their password. You must never provide/divulge/share your password to/with anyone (including your supervisor or computer support personnel).” Their Computer Resource Manager has also instructed their computer support group to immediately lock/disable any network account for a person who has violated any of their policies. The locked account will not be reenabled until a meeting between the employee, the employee’s supervisor, and the Computer Resource Manager has been arranged to discuss system security.

No one needs to know your password – including your supervisor and network administrator. The technical support people in your unit have the access they need to perform their duties. In summary, there is absolutely no legitimate reason to ever share passwords. Sharing passwords severely weakens the security of our systems. Make sure that all employees that need access to KFS have their own user account.

If you have any questions please contact Controls & Accountability.

Here are ways to solve the problems associated with the reasons listed above.

Our Fiscal Officer is going on vacation/is out sick. 
This problem can be resolved with the Account Delegate Global/Account Delegate Global documents in KFS. See the Account Delegate resources for instructions on using the various Account Delegate documents. All accounts should have at least one non-primary delegate who can approve documents when the fiscal officer is away.

It takes too long to get a KFS user account for a new employee. 
In most situations, setting up a new user takes less than 48 hours. The first step is for the employee to obtain a UCD login ID. The next step is to have an active KFS user process a KFS User document, adding the new user to your organization. For information on obtaining a UCD login ID and on completing the KFS User Document, see How Do I . . . Create a KFS User. Once the KFS User document is routed and approved, the employee will be able to log in and use KFS.

I use temporary or student employees extensively and cannot get them accounts. 
The Fiscal Officer can give access to any employee, including temporary and student employees. The procedures are the same as for new employees (see above). Fiscal Officers can easily revoke KFS access for temporary and transferring employees simply by deactivating them on the KFS User document when they leave the department. KFS only allows a user to be assigned to one organization at a time. Deactivating people that leave your department greatly reduces the risk of unauthorized access to your accounts. 

"Our Fiscal Officer is leaving and it's easier to wait until a new Fiscal Officer has been hired." 
The Account Global document makes it very simple to change the Fiscal Officer for all of your accounts at one time. This document should be processed BEFORE the current Fiscal Officer leaves the department so that this person can approve the document when it routes to him/her for approval. If there is no one in your department who can act as a temporary Fiscal Officer until another one is hired, contact your dean or vice chancellor's office for assistance.
