Is it illegal to ask a fellow employee for his or her password?

Password protection is a vitally important piece of data security. In this identity and access management expert response, learn best practices for keeping passwords safe.

Is it illegal for anyone in an enterprise, outside of the IT department, to ask an employee for his or her password? Are there compliance issues? What are the binding restrictions on keeping passwords safe?
Protection of passwords is a cornerstone of all regulations and industry standards but, at the same time, isn't a legal requirement. The loss or theft of a password could lead to regulatory action or civil litigation against an offending enterprise, but such a loss doesn't have any other legal implication.

Most regulations, including SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require auditing of user accounts, including user IDs and passwords. The main focus is on safe password practices, such as requiring strong passwords and encrypting passwords stored on systems, and auditing who has access to systems. Regulators and auditors require regular reporting on user accounts.

So, even though it isn't illegal to divulge passwords, protecting them is required for compliance and will go a long way toward keeping a company out of legal hot water.

Requirement 8 of the PCI DSS is a good example of a standard for benchmarking protection of passwords on systems. This section calls for each user to have a unique user ID and password. If several users share a password, and that account is compromised by a malicious individual, it would be impossible to track down the offender.

Requirement 8.4 calls for encryption of all passwords both in transit to and in storage on systems, while Requirement 8.5 goes into more detail about the types of password policies and restrictions. Most of these are industry best practices for IT security, including password complexity, expiration, length, lockout after failed logins, session expiration and revocation of access for terminated users.

This was first published in July 2008
