Ask the Expert

Is it illegal to ask a fellow employee for his or her password?

Is it illegal for anyone in an enterprise, outside of the IT department, to ask an employee for his or her password? Are there compliance issues? What are the binding restrictions on keeping passwords safe?

    Requires Free Membership to View

Protection of passwords is a cornerstone of all regulations and industry standards but, at the same time, isn't a legal requirement. The loss or theft of a password could lead to regulatory action or civil litigation against an offending enterprise, but such a loss doesn't have any other legal implication.

Most regulations, including SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require auditing of user accounts, including user IDs and passwords. The main focus is on safe password practices, such as requiring strong passwords and encrypting passwords stored on systems, and auditing who has access to systems. Regulators and auditors require regular reporting on user accounts.

So, even though it isn't illegal to divulge passwords, protecting them is required for compliance and will go a long way toward keeping a company out of legal hot water.

Requirement 8 of the PCI DSS is a good example of a standard for benchmarking protection of passwords on systems. This section calls for each user to have a unique user ID and password. If several users share a password, and that account is compromised by a malicious individual, it would be impossible to track down the offender.

Requirement 8.4 calls for encryption of all passwords both in transit to and storage on systems, but Requirement 8.5 goes into more detail about the type of password policies and restrictions. Most of these are industry best practices for IT security, including password complexity, expiration, length, lockout after failed logins, session expiration and revocation of access for terminated users.

More information:

This was first published in July 2008

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: