Can I refuse to give them my password?

Given that this is Germany, I would be very surprised if you wouldn't be required to refuse. Every single German working contract I have seen contained a paragraph about never under any circumstances giving out your credentials to the company's systems. To anybody.

So go back home, check your contract to make sure it's standard and refuse to give your credentials to anybody. If needed, your IT can impersonate you legally, by leaving a correct audit trail in their system. Making that crappy software work in combination with your cheap supervisor is not your job. That's the IT departments job. Your job is to not break your contract.

It might help to word your refusal non-aggressively and offer solutions (although you know just as well as I do that it's not actually a real solution to change your contract. HR will just tell your boss to do a better job):

"Hey boss, I just came across this part of my contract where it says I may never give out my credentials. I feel very uncomfortable giving out my credentials given that I signed a document saying I never would. I would very much prefer IT to solve this. The alternative might be to go through HR to get this clause out of my contract."

This might shift the conversation from a feeling of you not wanting to help, to you wanting to help but being hindered by the company's paperwork.

Ask for a new account and laptop.

If you, yourself have put personal information/data onto your company-provided (and owned) laptop and account, that's your problem.

However, if the credentials for that account allows access to your details in the HR system and other employee confidential information, then sharing that account is a problem.

If this piece of software is meant to be shared, then leave the laptop and account as a pool device and move to another account.

The real problem here is the difference between account and identity.

Normally a systems account represents a person's identity. In this case it looks like the OP's company has failed in respecting the non-mentioned software's license clause which is bound to an individual by means of his (domain?) account. But accounts are still computer objects, they can be created and deleted at IT administrator's will

With this answer I would like to highlight that, in my understanding, the company provisioning software for a single licensed account and allowing others to use it, is willingly committing into software piracy. They may have had at least the smart thought to license the software to a fictional account. Technical/service accounts are widely used for any kind of purpose, including illegal/unethical ones. I am not to discuss about the goodness of this practice

Definitely, I see two options here.

Switch accounts

One is to discuss with IT the opportunity to switch the license to a service account. This might not be done easily, as it could be impossible under the software's license. Another option, or better trick, is to make your current account (which is a software object) a shared account. Even if it carries your name, your company may establish that the john.doe identity is a shared identity, and give you a new personal j.doe account. A different object, but at least one that you can bound to your identity and use private information with. The old john.doe must be detached from anything personal to you, or better any enterprise resource than the software you are licensed to.

The above fixes the privacy issue but not the piracy issue.

Put constraints

Since you know that multiple people can access your account, you must make constraints, better in written form, to prevent things turn against you. First, you have to establish with senior management and HR that your account can be used by different individuals. Then you must, if you can, purge any data that you can deem sensitive from your account. A lot of employees store personal information such as their Google account in their workstations. While not acceptable in large organizations and theoretically unacceptable in general (as a work computer can't be used for anything rather than work), it is an established practice of the kind "we don't ask, you don't tell".

Then if your account is enabled at accessing work data that is very personal to you, like payroll, and you have real concerns about people trying to abuse them, you have very little options:

• Supervise interactions (you type the password and overwatch coworker until logout)


• Demand audit logs, and regularly check them


• File a written complaint to HR or even escalate to labour authority in your jurisdiction (this one will turn really bad against you)

Eventually, if your employer insists in demanding others to know your system password you won't have a good time dealing with this.

A story about sharing passwords

One of my customers, either from past or current, was a well structured financial institution with severe policies. One day our IT representative helped us remoting into employees workstations on different branches by typing his administrator password and witnessing our work.

It happened that this individual was called by his manager for a meeting that could not be rescheduled, and no IT replacement was available. Rather than letting us go he gave us his password (he could change it priorly) and politely told his manager that he was about to report the event to Security management, just to notify them that a different individual was temporarily and exceptionally approved for administrative access.

That was a strong act of trust to us, which was well repaid with excellent professionalism.

You should not be sharing your password and your employer should not ask you to do so. If its simply that the software can only be installed on one machine it should be possible to create multiple user accounts on that machine, and make the application available to both, so that more that one user can log on securely without the need to share passwords. This is possible on Windows and OSX.

In addition to redundantly agreeing with other answers that you absolutely should refuse to allow others into your account due to the personal information that is accessible through it, I also suggest the following dead-simple way to fix this problem:

Get the special software registered under an account that doesn't belong to any person at your company. There can still be only ONE registration if that is what the company wants to do, but then, giving out the password to others doesn't expose your own personal information.

If this is absolutely, completely, categorically impossible, then ask for a new personal user login, and get all your assets/accounts in the other systems at your company transferred to that login. Your old "personal login" is no longer your personal login and can only access that one system. If you were jsmith before, you can be jdsmith or jsmith2 or smithj or something else.

There is no reason to do anything else. Demanding you use your personal account is akin to demanding that you share your salary details with everyone, while they need not share theirs with you. It's a violation of your privacy and something you have every right to politely, but inflexibly firmly, insist on.

I think you should push @Pete answer and ask your manager to buy a different pc for that software. You can justify the $400 investment because while someone else is using the software you cant be doing your work. Managers don't like to waste money, so just document the number of hours you waste because this, pro rate with your salary and report to your manager.

Still If you are using Windows you don't need a separated PC. You only need have separated usernames on the same PC. You can create a GUEST account and that account can login on your PC and use the software, but cant access your personal email or other software. When you install a software, Windows will ask "Want to share this application with other or just this user"

So if anyone need to use the software you only give the GUEST password.

For the sake of completeness—and not because I'm convinced this is the solution for your case—

There is a technical solution for Windows if this is a genuine case.

I am going to assume you are technical enough to do this. It's not hard if you know how, but if you don't know how, chances are high that you'll mess things up and your computer will stop working. And I highly doubt your IT department will be interested in making this work for you.

1. Make a sector-by-sector .VHD image of your disk composed of only your Windows partition somewhere.




2. Create a "native VHD" boot entry for that image with an appropriate name they'll recognize.
   
   This is where you'll likely mess up if you don't know what you're doing.
   
   You'll have to take care of a lot of things besides knowing how to do the boot manager stuff, like making sure each OS assigns the same drive letter to the corresponding partition, which can be tricky since the copies are identical.




3. Boot into that copy of your OS, then delete everything in your account that they shouldn't see.
   
   If you manage your files like most people, this will be a lot of work. You'll have to not just remove documents but also scrub histories and temporary folders, etc.




4. Change or remove the password for that account.




5. Change that account to a limited account and change file permissions on the outer OS as needed so that people can't use the inner OS to spy on the outer OS. This may take a while.




6. Disable any "backdoors" that might exist, e.g. put a password on your BIOS/UEFI settings and lock them to the internal disk so they can't boot off a USB drive or CD, or remove any hidden administrator accounts, etc... again, if you don't know what you're doing, you'll mess up.




7. Once the system is secure, tell your coworkers that they can reboot the computer and log in with the inner OS to do their work in "your" account.




8. You can just use the outer account to do your regular work.

While not impossible, it is very unlikely the software will fail to work in this scenario. If it does, one possibility is that the disk or partition serial number is being checked, and the virtual image's is different. You can try to fix that manually and it may work. If it doesn't, then the program is doing a really invasive inspection of your system's hardware configuration.

Linux has the ability to do the equivalent. If this is a Mac, though, you might be out of luck.

However, it sure smells like this is not a genuine case

and your coworkers might be using this as an excuse to see files they shouldn't see.

Absent a boss's order, I would personally only do this if the coworkers were close friends I trusted before we even became coworkers. It can be lot of pain to go through, is not foolproof in terms of security, and likely not something reasonable to expect given your job description.

Don't give them your password.

Give them the password. Do this after making sure that the password is not your password.

Get this documented in official policy: "The 'user account' named Jsmith is a shared account. Authorized people can read the password by accessing the following document which only authorized people have access to: ..."

Then, when the account is used, nobody is using your password, because it really isn't yours. Despite what some software might call it, this isn't really a "user" account, but Jsmith is just an account name that happens to look very similar to the name of a person who previously had exclusive access to the account's password.

Maybe a shared account is lousy security. Oh well. This can be one of the features that gets fixed by moving to a better solution. In the mean time, risk can be minimized by implementing some controls on who has access to the latest password. And, you can rest easily knowing that, despite the name looking similar to your name, this isn't actually your account that only you need to protect. The fact that this isn't actually your account is even in officially management-accepted policy.

Issue avoided.

Reality should match the rules. If the rules don't work with a situation, it's better to change the rules so that then the rules are being followed, rather than breaking the rules.

Although there already are a lot of answers, I want to offer a somewhat different perspective.
Normally, your machine at work and everything you produce on it during your working hours belong to the company. The only exception is, if your company policy allows it, E-Mail clearly marked as Private.
It is not mandatory for a Company to offer you a private account or to keep company-communication private.
In fact, it could be considered unprofessional to have "secret" communications or work-areas in some environments.

In your situation I would do two things:

1. Get your private files and communications off your work-machine. That´s what webmail and personal online-storage are for.


2. Get a written proof by your superior that your password should be shared with your colleagues. Make sure they understand the ramifications.

Ramifications: These are actually mainly a concern for your Company:

• Possibilty of company-communication getting to parties they are not intended for.


• Open door for "social engineering" hacker attacks.


• Non-provable identity of a possible misdemeanor. This kind of protects you.

Anecdote: The last one actually happened to a friend of mine. He worked at a German tax consulting office, and all the employees knew each others passwords. The Boss found it more practical. One day they had a really bad hire, who send out an email swearing at a customer in a really bad way. Normally this is a valid reason for an instant termination and so she was fired. She filed for wrongful termination. She won the case, because they could not prove conclusively that the mail was really sent by her.

Conclusion: While you superiors can absolutely decide to employ a bad password-policy, the risk of doing so is entirely on them!

It sounds to me like there is a bona-fide reason to need to access your account, due to the software on your PC being linked to your account. I would suggest that you request that, if access is needed while you are absent, the IT Team simply reset your password and inform you of the same. You shouldn't need to give up the password.

You say you are "strongly convinced" that people have been snooping. If you have an attitude (to others) that you have something to hide, then they will be more likely to snoop around and see what they can find out. Although this of course would be incredibly unprofessional. You work with these people on a daily basis - do you really distrust them that much?

The computer is a work computer, and if you are storing anything on there that's personal or confidential, shouldn't really have anything personal on there. If there's stuff that has to be on there, then consider password-protecting certain files.

A new shared PC is the "right" solution, but if you are unable to obtain that, your assigned work laptop can still support multiple login accounts. Many corporate environments allow any domain user to log in to any laptop, have they tried it with their credentials?

Have I.T. create a new domain user, that is clearly dedicated to sharing this software license. I.T. must allow this shared user to log in to your laptop. Now anyone can connect to the laptop with the shared credentials, and use the software. You can even ask I.T. to enable Remote Desktop to this account on your laptop, for your co-workers convenience.

If the software license checks the username, your manager will need to transfer the license to the shared account, and unfortunately you must log in to the shared account when you need to use this software.

(If the laptop is powerful enough, IT may be able to set up a virtual machine for only the cost of a Windows license, and move the software into the virtual machine.)

If the technical approach fails, solve it through people

From the question and comments I make out that the issue is NOT that you are worried that people abuse this method to gain access to confidential corporate data, but that your privacy is at risk. For instance because the password could be used for the HR system.

As technical solutions don't seem to have worked, consider a different approach. There are many possibilities from a simple but clear talk to the one who gets the password, to what I have described below:

Four eyes principle

This method is not foolproof, but probably as good as it gets without seriously upsetting either your boss, IT, or HR.

1. Create a password that is practically impossible to remember


2. Give this to someone that you trust with it (For instance because they already have a way to access your account anyway).


3. Whenever a colleague needs to work, let the trustee enter the password.

An additional step that is mostly relevant if you are in a place where you don't need to re-enter the password to go from regular work access to HR access etc (For instance because of Single Sign On).

4. Agree that the colleauges are only allowed to work on a location where others can see the screen at all times.

It is of course possible to find ways around these measures, but unless someone is willing to make an effort it should practically stop curious colleagues.

I'm going to take an alternative to the "never share your password" line because as correct a rule as it is, in practical situations, in some companies, employees sometimes have to share passwords to keep the company or a particular job running.

First of all set up a new account just for this software - the license will be linked to that account instead of yours. Anyone, including you, who needs to use it will log into that account. This should remove (or at least reduce) the excuses to ask for your password.

Secondly Do not store any personal stuff on your work PC! Take this as a lesson that your work PC is not private. If you must store something personal on it, then have it encrypted or store it in an obscure location that they wouldn't look.