IT Baseline Protection Manual S 2.22 Escrow of passwords

S 2.22 Escrow of passwords

Initiation responsibility: Head of IT Section

Implementation responsibility: IT-users

If access to an IT system is protected by means of a password, precautions must be taken to ensure that, should a member of staff be away e.g. on holiday or due to illness, his/her substitute can access the IT system.

Depending on the IT systems and applications used and the IT security guidelines of the organisation concerned, there are a number of possibilities here. Thus, for example, the password can be lodged in a suitable place. On typical multi-user systems, the Administrator can release the user access rights required or change the password to a new value. In many IT systems and applications, however, groups can be configured so that if someone is absent his/her registered stand-in can access the system.

Each of the solutions mentioned has advantages as well as disadvantages, so careful consideration is required as to which solution is the most appropriate in a particular situation.

The following examples are intended to illustrate this point.

The bookkeeper, Mrs Müller, is working on a Windows PC which is connected to a LAN as a client. To cover any potential problem areas which might occur during Mrs Müller's absence, her areas of activity have been gone through with her and solutions have been devised.

  1. A few finance-related operations have to be authorised with a digital signature. For this purpose, all staff have been issued with personal cryptographic keys on smart cards which they are not allowed to pass on to anyone else. In the event that the person who normally signs is absent, his/her stand-in signs with his/her own digital signature.

Escrow of passwords always entails a significant amount of organisational effort, since each employee has to lodge the necessary current passwords in a suitable place (e.g. in a sealed envelope in a safe in the secretary's office). Whenever a password is changed, the lodged copy must be updated. No password may be omitted. (Sometimes up to five different passwords are needed to access an application on a computer.) It must not be possible for unauthorised persons to access the lodged passwords. Should it become necessary to use one of the lodged passwords, this should be done observing the two-person rule. Records must be kept of every instance of access to the lodged passwords.

If possible, passwords should only be lodged if there is no other (technical) solution. It should be noted here that the mere fact that passwords are escrowed can convey a false sense that passwords are being handled securely. Passwords must not be "lodged" underneath keyboards or in similar places, nor passed on to other colleagues simply because this is easier than asking the Administrator to issue the necessary access rights.

But if the use of passwords is the only way of accessing an IT system or application, then they must be securely lodged. This is generally the case, for example, where Administrator access rights or single-user systems are involved.

There should therefore be fixed procedures which specify how passwords are to be lodged and what framework conditions must be created for this.

In the case of teleworkers, steps must be taken to ensure that the passwords they use to access IT systems on the home workstation are also lodged at work, so that if an emergency arises, a stand-in can access the data stored on the teleworkstation.

Regular checks must be carried out to ensure that current system administrator passwords relating to all systems looked after by administrators, especially networked systems, have been escrowed.
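The procedure above (lodge each current password, update the lodged copy when it changes, release only under the two-person rule, record every access, and check regularly that administrator passwords are escrowed) can also be kept as an electronic register. The following is an added illustration, not part of the BSI text and not a tool the manual prescribes; it assumes a hypothetical register with two named custodians, splits each lodged password into two XOR shares so that neither custodian can recover it alone, appends every deposit, release and refused release to an audit log, and flags entries that have not been refreshed within a maximum age. The names and dates are constructed sample data.

```python
"""Electronic stand-in for the sealed-envelope escrow of S 2.22 (added example).

Assumed, hypothetical design:
- each lodged password is split into two random XOR shares, one per custodian,
  so reconstruction needs both (the two-person rule);
- every lodge / release / denied release is written to an audit log;
- stale() lists entries older than a maximum age, since a lodged password
  must be refreshed whenever the live password changes.
"""
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class EscrowEntry:
    system: str          # IT system or application the password belongs to
    owner: str           # employee who lodged it
    share_a: bytes       # share held by custodian A
    share_b: bytes       # share held by custodian B
    lodged_at: datetime  # when this copy was lodged (used by the staleness check)


@dataclass
class EscrowRegister:
    custodians: tuple                       # (custodian A, custodian B), both needed for release
    entries: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (timestamp, action, system, actors)

    def _record(self, action, system, actors, now):
        self.log.append((now, action, system, tuple(sorted(actors))))

    def lodge(self, system, owner, password, now=None):
        """Lodge or refresh the password for `system`; overwrites any older copy."""
        now = now or datetime.now(timezone.utc)
        secret = password.encode("utf-8")
        share_a = os.urandom(len(secret))                      # random pad for custodian A
        share_b = bytes(x ^ y for x, y in zip(secret, share_a))  # secret XOR pad for custodian B
        self.entries[system] = EscrowEntry(system, owner, share_a, share_b, now)
        self._record("lodge", system, [owner], now)

    def release(self, system, present, now=None):
        """Reconstruct the lodged password; refused unless both custodians are present."""
        now = now or datetime.now(timezone.utc)
        missing = set(self.custodians) - set(present)
        if missing:
            self._record("release-denied", system, present, now)
            raise PermissionError(f"two-person rule: missing {sorted(missing)}")
        entry = self.entries[system]
        self._record("release", system, present, now)
        return bytes(x ^ y for x, y in zip(entry.share_a, entry.share_b)).decode("utf-8")

    def stale(self, max_age, now=None):
        """Systems whose lodged copy is older than max_age (the regular check)."""
        now = now or datetime.now(timezone.utc)
        return sorted(s for s, e in self.entries.items() if now - e.lodged_at > max_age)


def demo():
    """Constructed scenario; returns the observable results for checking."""
    t0 = datetime(2001, 7, 2, 9, 0, tzinfo=timezone.utc)
    reg = EscrowRegister(custodians=("Schmidt", "Weber"))
    reg.lodge("fibu-server", "Mueller", "Tr0ub4dor&3", now=t0)

    released = reg.release("fibu-server", ["Schmidt", "Weber"], now=t0 + timedelta(days=10))
    try:
        reg.release("fibu-server", ["Schmidt"], now=t0 + timedelta(days=11))
        denied = False
    except PermissionError:
        denied = True

    stale_after_90_days = reg.stale(timedelta(days=90), now=t0 + timedelta(days=100))
    actions = [action for _, action, _, _ in reg.log]
    return released, denied, stale_after_90_days, actions


if __name__ == "__main__":
    print(demo())
```

The XOR split is the simplest form of the two-person rule: a single share is indistinguishable from random bytes, so one custodian alone (or one stolen share) reveals nothing. The audit log also records refused releases, which is what a reviewer would want to see when checking that the procedure is actually being followed.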

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 2001