Most regulations, including SOX, GLBA and HIPAA, and industry standards such as the PCI Data Security Standard, require auditing of user accounts, including user IDs and passwords. The main focus is on safe password practices, such as requiring strong passwords and protecting passwords stored on systems (in practice, storing only a salted one-way hash rather than a reversible ciphertext, so a stolen password file cannot simply be decrypted), and on auditing who has access to which systems. Regulators and auditors also require regular reporting on user accounts.
So, even though it isn't illegal to divulge passwords, protecting them is required for compliance and will go a long way toward keeping a company out of legal hot water.
Requirement 8 of the PCI DSS is a good example of a standard for benchmarking protection of passwords on systems. It calls for each user to have a unique user ID and password. If several users share a password and that account is compromised by a malicious individual, there is no way to attribute the activity to one person, so the offender cannot be tracked down.
Requirement 8.4 calls for all passwords to be rendered unreadable both in transit and in storage, while Requirement 8.5 goes into more detail about the password policies and restrictions themselves. Most of these are industry best practices for IT security: password complexity, minimum length, expiration, lockout after repeated failed logins, session expiration, and immediate revocation of access for terminated users.
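As an added example, not part of this answer or of the PCI DSS itself, the script below turns the Requirement 8 controls just listed into the kind of account audit report an assessor asks for: it checks each account for shared credentials, reversible password storage, an expired password, a missing or lenient lockout threshold, and a terminated owner whose account is still enabled, and it shows what "unreadable in storage" should mean by storing passwords as salted PBKDF2 hashes. The thresholds (seven characters, 90-day rotation, six failed attempts) and the three sample accounts are assumptions constructed for the example; set the thresholds from the version of the standard you are assessed against.

```python
"""Account audit against Requirement 8 style controls (added example, constructed data)."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed policy thresholds; adjust to the PCI DSS version that applies to you.
MIN_LENGTH = 7                          # minimum password length
MAX_PASSWORD_AGE = timedelta(days=90)   # passwords must be changed at least this often
MAX_FAILED_ATTEMPTS = 6                 # lock the account after this many failed logins


@dataclass
class Account:
    user_id: str
    owner: str                      # the one person this ID is assigned to
    employed: bool                  # False once HR records the owner as terminated
    enabled: bool                   # can the account still log in?
    storage: str                    # "hashed", "encrypted" or "plaintext"
    last_password_change: datetime
    lockout_threshold: int          # 0 means the account never locks out
    known_to: int = 1               # number of people who know the password


def password_meets_policy(password: str) -> bool:
    """Minimum length plus both letters and digits, the baseline complexity the 8.5 series asks for."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Za-z]", password) is not None
            and re.search(r"[0-9]", password) is not None)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Store a salted, slow, one-way hash rather than a reversible ciphertext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_accounts(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Return {user_id: [findings]} for every account that fails a control; clean accounts are omitted."""
    report: Dict[str, List[str]] = {}
    for a in accounts:
        findings = []
        if a.known_to > 1:
            findings.append("shared credential: activity cannot be attributed to one person")
        if a.storage != "hashed":
            findings.append(f"password stored as {a.storage}: must be unreadable at rest")
        if now - a.last_password_change > MAX_PASSWORD_AGE:
            findings.append("password older than the rotation limit")
        if a.lockout_threshold == 0 or a.lockout_threshold > MAX_FAILED_ATTEMPTS:
            findings.append("lockout threshold missing or too lenient")
        if not a.employed and a.enabled:
            findings.append("owner terminated but account still enabled")
        if findings:
            report[a.user_id] = findings
    return report


# Constructed sample: three accounts as they might come out of a directory export.
SAMPLE_NOW = datetime(2009, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", "Jane Doe", True, True, "hashed", datetime(2009, 4, 15), 5),
    Account("ops", "Ops team", True, True, "encrypted", datetime(2008, 11, 1), 0, known_to=4),
    Account("bsmith", "Bob Smith", False, True, "hashed", datetime(2009, 5, 20), 5),
]


def run_sample() -> Dict[str, List[str]]:
    """Audit the constructed sample against the assumed thresholds."""
    return audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_NOW)


if __name__ == "__main__":
    for user, findings in run_sample().items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Run as a script, the report lists only the two failing accounts: the shared "ops" login collects four findings (shared, reversibly stored, stale, never locks out) and "bsmith" is flagged because the owner has left but the account is still enabled, while "jdoe" passes and does not appear. Feeding a real directory export into `audit_accounts` is the part you would adapt; the control checks themselves are what an auditor reading Requirement 8 wants to see evidence of.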