
Wait does that mean they kept unhashed passwords? That's a big security no no and there's absolutely no reason they should have it like that.


It's more likely that the Cards had an Excel file "Master_Passwords.xls" (or similar) with all his department's passwords listed in it on a shared department folder. No encryption, hashing, etc. Maybe they used Excel password protection on the file.

Just a hunch, but I've seen it many times at past employers.


Or something like KeePass or similar; it can be nice to know people's information in case they leave (I'm not advocating insecure practices), though an Excel sheet or post-it seems as likely.


It's amazing how many people store passwords in Excel like this. I find them all the time in affiliations that I work with.


That's a big security no no...

It's a no-no when the provider has a duty to the user, such as when the user is a paying customer. It's probably OK when the provider is the employer and the user is merely an employee? I say this because employers regularly do much worse stuff, like running MitM proxies that log bank passwords...


No. Every action on a network must be directly attributable to exactly one real person. Every person should have permissions to the data/systems they need under their own account. If that includes subordinates' email inboxes and home directories, so be it.

In some cases it may be necessary to see the application from another user's perspective. In this case you build a function analogous to "sudo -i -u user" which lets the privileged employee use his own account to get a session under another user's account, while generating an audit trail.

However this is usually not the right answer. Google Apps does not provide an "impersonate" function, but API endpoints which let you dump all mail to your own archiving system (where your company can search it for investigations, legal discovery, etc.) This is more efficient anyway, and doesn't require the disclosure of user passwords.

You can also do this crudely by resetting the password in the database, gathering whatever you need to, and then changing the password back by replacing the old hash directly in the database. Then at least the impersonation is evident in your MySQL logs.

If there is an Excel sheet of passwords shared among managers, and someone does something nasty from an account whose password is on that sheet, good luck figuring out whether the perpetrator is the account owner, one of the n managers with access to the passwords list, or someone else entirely.
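The "sudo -i -u user" analogue the comment above describes, as an added example that is not any commenter's code: the privileged employee authenticates as themselves, the session is bound to the target account but always records the real actor, and every audit record is tamper-evident. The service, its permission set, the sample users and the audit format are all assumptions made for this illustration.

```python
# Added example (not code from any commenter): an audited impersonation
# session for a web application. No target-user password is ever needed,
# and every session names the real person behind it. Names are hypothetical.
import hashlib, hmac, json, secrets, time
from dataclasses import dataclass, field


@dataclass
class Session:
    effective_user: str   # whose view of the app this session gets
    actor: str            # the real person behind it (never blank)
    token: str
    impersonated: bool


@dataclass
class ImpersonationService:
    # constructed sample data: who may impersonate, plus an in-memory audit log
    impersonators: set = field(default_factory=lambda: {"alice"})
    audit_log: list = field(default_factory=list)
    _hmac_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def open_session(self, actor: str, target: str, reason: str) -> Session:
        """Open a session as `target` on behalf of `actor`, writing an audit event."""
        if actor not in self.impersonators:
            self._audit("impersonate_denied", actor, target, reason)
            raise PermissionError(f"{actor} may not impersonate {target}")
        token = secrets.token_urlsafe(32)
        # log a fingerprint of the token, never the token itself
        fp = hashlib.sha256(token.encode()).hexdigest()[:16]
        self._audit("impersonate_start", actor, target, reason, token_fingerprint=fp)
        return Session(effective_user=target, actor=actor, token=token,
                       impersonated=(actor != target))

    def _audit(self, event: str, actor: str, target: str, reason: str, **extra):
        record = {"ts": time.time(), "event": event, "actor": actor,
                  "target": target, "reason": reason, **extra}
        body = json.dumps(record, sort_keys=True).encode()
        # tamper-evidence: an HMAC over the record makes later edits detectable
        record["mac"] = hmac.new(self._hmac_key, body, "sha256").hexdigest()
        self.audit_log.append(record)

    def verify_log(self) -> bool:
        """Return False if any audit record no longer matches its HMAC."""
        for rec in self.audit_log:
            fields = {k: v for k, v in rec.items() if k != "mac"}
            body = json.dumps(fields, sort_keys=True).encode()
            expected = hmac.new(self._hmac_key, body, "sha256").hexdigest()
            if not hmac.compare_digest(expected, rec["mac"]):
                return False
        return True
```

Contrast this with the shared password sheet: here a nasty action taken in the session is attributable to `actor`, and a manager quietly rewriting the log to blame someone else fails `verify_log()`.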


Context independent, having a store of usernames/ids/emails and plaintext passwords is Bad because it can be cross referenced with a store that actually matters.


I'm guessing they mean they had a break-glass list of passwords for accounts to access those systems.


It could also have been something like LastPass that everyone in the office used.


Well, had they deleted the password and someone still accessed the network without authorization and the FBI investigated the situation (much like they are now), then the Cardinals could have been charged with obstruction of justice under the SOX act Section 802.

http://www.soxlaw.com/s802.htm


Lol, whose bud have you been smoking?

