I'm leaving a company I've been with due to the boss reneging on various promises, bonuses, etc. After declining counter-offers and other incentives, the boss started become hostile towards me, and she's now demanding that I hand over account credentials for various company accounts (third-party services for code storage, version control, etc), all of which she can easily reset by logging in as an administrator. She has also demanded that I hand over credentials for my personal email account to make sure I don't have any company emails or IP.
I replied that my personal email is my own property, and that it was never used at the office or for my work. I also noted that the other accounts could simply have their respective passwords reset by using the "administrator tools", and that I will not be providing the logins, as I've already agreed to the legal terms of service for those other websites, which demand I do not share my credentials. I finally noted that she can contact those respective sites for help resetting the passwords, and that there would be no loss of data by doing so.
Did I conduct myself professionally? Are there any circumstances under which I should provide those account credentials (other than my personal email)? Finally, should I just outright tell her "I can't give you those because the only reason you could need them is to impersonate me".
This is in Eastern Canada.
( 6 months ago )
Any security professional would state the obvious: If it is a personal account, do NOT give your credentials to her.
She is able to reset the passwords via IT for your work machine, and she is able to legally obtain subpoena if they decide to take you for court for having confidential documents. If they don't want to take that step, then they have no need of your personal credentials. If they're concerned that you have confidential information, then it's up to them to obtain the legal documentation and authorization to obtain them.
If they're concerned that you will be able to access third-party code, then they can (a) change the login information on their end and/or (b) go the legal route if they think you've been in there. Since the documents are in a third-party repository I'd doubt that organization would jeopardize themselves by collaborating with any nefarious activities.
Do NOT accuse her, even tangentially, of wrongdoing. Simply state the facts and leave it at that. You're not required to give reasoning to retain your personal information. Even the passwords you DO use for your work account can sometimes be considered private information, as people routinely reuse common passwords across their accounts. If they have the ability to reset them, then they shouldn't be worried about anything.