A new external contractor approached me:

Contractor: “How do I get access to your password store?”

Secretgeek: “You don’t. Why?”

Contractor: “Uhm, why not?”

Secretgeek: “Because it stores all root passwords for all servers. Why do you need access to it?”

Contractor: “Hans told me that you will give me access.”

Secretgeek: “Uhm, sorry, don’t take this personal, but no I won’t. If you absolutely need root access to any server, let me know which one and we can roll out your ssh key.”

The contractor understood perfectly well why I wouldn’t give him access. I then took the liberty to send an email to all the people (that I know of!) who have access to our passwords, and reminded them that giving out this access to contractors is a little careless.