Password Policy: Sharing Passwords

Wednesday, May 02, 2012

benson dana


At one point in my career, I worked at a place where management in one unit had allowed a senior manager to collect the log on and email passwords of the employees of the unit.

There had been complete resistance to giving up this policy, and the excuse was that this unit's mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.

I called a meeting and here is my description of the meeting agenda:

We will discuss the specific IT security policy that prohibits the sharing of passwords. I understand that the unit has a policy that the Assistant Director must have the AD (Active Directory) password of at least a subset of the unit's employees if not all. This would be a direct violation of the IT security policy. I am not interested in discussing any other aspect of IT policies or operations, past or present.

I am not aware of any other unit in the company with a similar policy. If I were, that unit would receive the same degree of scrutiny. I am not interested in discussing any other unit’s policies or procedures, unless anyone knows of a similar policy.

Your AD password is unique to you and is not known by anyone else unless you share it, overtly or inadvertently. The members of the help desk who are so authorized CAN reset your password if you forget it. When that happens, you type in a NEW password that is again unknown to anyone else.

Our IT systems monitor when passwords are changed, but not what the password is.

The prohibition on sharing passwords is a basic and standard internal control around the world. One of its primary purposes is to protect OTHER employees from inappropriate suspicion in the event that an account is used for inappropriate purposes.

This is similar in concept to the requirement that each cashier use their own cash drawer instead of a shared cash register drawer. If 2 people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.

If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal or unethical purposes. One of the 2 WILL be falsely accused of the violation. If the matter is not resolved, they BOTH will remain under the cloud of suspicion. That is a BAD result.

Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. The Maine Attorney General’s office recently terminated the employment of an employee, licensed to practice law in Maine, who is accused in connection with a pxxnography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach. I am not interested in discussing anything related to trusting employees.

Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

In the case when an employee has a planned leave, email can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency situation, the help desk can perform this action.

I’m interested in knowing how many such emergency situations have occurred in the past 6 to 12 months. I am not inclined to plumb the depths of history with respect to this one aspect of the discussion.

I was successful in getting the unit to stop sharing passwords.

I have other stories related to fraud prevention and accounting and business advice at my site below:

Cross-posted from Internal Control Freak
