IT Baseline Protection Manual T 3.43 Inappropriate handling of passwords

T 3.43 Inappropriate handling of passwords

Even the use of well thought out authentication procedures will be of little avail if the users are careless in handling the necessary access-granting means. Whether the access-granting means used are passwords, PINs or authentication tokens, in practice they are often disclosed to other persons or not kept safe.

Often users disclose their passwords to other users for reasons of convenience. Passwords are frequently shared within teams so that it is easier for individual staff to access shared files. The obligation to use a password is often experienced as onerous and, to make life easier, passwords are never changed or else all staff use the same password.

Where a token-based procedure (e.g. a smart card or a one-time password generator) is used for user authentication and the token is lost, there is a danger that it could be used by unauthorised persons. An unauthorised user might thus be able to establish a remote access connection using this token.

Where large numbers of different passwords and PINs are used, users often cannot remember them all. Frequently this results in passwords being forgotten, which sometimes means that extra work is required before work with the system can continue. Authentication tokens can likewise get lost. With very secure IT systems, the loss of passwords or tokens can even result in the loss of all user data.

Often passwords are written down so that they are not forgotten. This is not a problem as long as the notes are carefully looked after and protected against unauthorised access. Unfortunately this is not always the case. A classic example is a password written on a note kept underneath the keyboard or on a sticker attached to the screen. Keeping authentication tokens underneath the keyboard is also a popular habit.

Another way of avoiding forgotten passwords is to choose "suitable" passwords. But if users are able to choose their passwords themselves and have not been made sufficiently aware of the problems, they will often choose trivial passwords such as "4711" or the names of friends.
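One technical safeguard against the trivial choices described above is a server-side acceptance check that refuses such passwords at the moment they are set. The following is an added example, not part of the BSI manual; the minimum length, the short name list and the keyboard-run patterns are constructed assumptions that a real deployment would replace with its own policy and a large name/dictionary list.

```python
"""Reject the trivial password choices that T 3.43 warns about.

Added example (not from the BSI manual): refuses passwords picked
"so they won't be forgotten": purely numeric PINs such as "4711",
names of people, the user's own user name, and simple keyboard runs.
MIN_LENGTH, KNOWN_NAMES and KEYBOARD_RUNS are constructed assumptions.
"""
import re
import unicodedata

MIN_LENGTH = 12
# Constructed sample; a real deployment loads a large name/dictionary list.
KNOWN_NAMES = {"anna", "peter", "maria", "thomas", "julia", "michael"}
KEYBOARD_RUNS = ("qwertz", "qwerty", "asdfgh", "123456", "abcdef")


def _normalise(s: str) -> str:
    # Fold case and strip digits/punctuation so "Peter2000!" becomes "peter";
    # this catches the common "name plus a year and a symbol" pattern.
    s = unicodedata.normalize("NFKC", s).casefold()
    return re.sub(r"[^a-z]", "", s)


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        problems.append("purely numeric (a PIN such as 4711 is not a password)")
    core = _normalise(password)
    if core and core in KNOWN_NAMES:
        problems.append("based on a person's name")
    if username and core and core == _normalise(username):
        problems.append("derived from the user name")
    lowered = password.casefold()
    if any(run in lowered for run in KEYBOARD_RUNS):
        problems.append("contains a keyboard or digit run")
    if len(set(password)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate, user in (("4711", ""), ("Peter2000!", "jdoe"),
                            ("Thomas.2024!", "thomas"),
                            ("correct horse battery staple", "jdoe")):
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```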

Examples:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik, last update: October 2000