Ars Technica had an article today about insecure password practices at Best Buy. There is a “PC Recommendation Worksheet” used by GeekSquad employees to set up a customer’s new PC, and there is a space for the customer’s password. While I don’t particularly care for Best Buy or GeekSquad, I don’t really have a problem with this, assuming they are stored in a safe place and destroyed after use (that’s a big assumption).
Now you might ask, “You would trust a random Best Buy employee with your email password?” No, of course not, but this service isn’t for me; these services are used solely by people who are not tech-savvy.
I think the alternatives to that are more insecure or too costly for Best Buy to support. Here are some examples:
Don’t have a password on the admin account – ’nuff said.
Use a default password for everyone (w/ explicit instructions to make their own later) – Nearly as useless as no password at all. It does not work; people are lazy and will keep the default password nearly every time.
Randomly generate one – What if the customer forgets it? If Best Buy keeps a copy around, that would be just as bad as if they had the customer’s email password written down. Customers would call Best Buy when they can’t remember their new, complicated password and need it reset. This either costs Best Buy money to support or makes customers pissed at lack of support.
When issues like this pop up that affect non-tech-literate people, I use getting my car repaired to draw a parallel to what they experience. I don’t go around giving my car keys to strangers all day, but if my car needs fixed, I have to give my keys to a mechanic, who I don’t know that well. I guess you can call it professional trust: the mechanic trusts that I will pay and I trust that my car won’t be stolen.
If you don’t trust Best Buy, don’t get your computer worked on by them, same with any other service out there.