
Is it illegal to ask a fellow employee for his or her password?

Password protection is a vitally important piece of data security. In this identity and access management expert response, learn best practices for keeping passwords safe.

Is it illegal for anyone in an enterprise, outside of the IT department, to ask an employee for his or her password? Are there compliance issues? What are the binding restrictions on keeping passwords safe?

Protection of passwords is a cornerstone of all regulations and industry standards but, at the same time, isn't a legal requirement. The loss or theft of a password could lead to regulatory action or civil litigation against an offending enterprise, but such a loss doesn't have any other legal implication.

Most regulations, including SOX, GLBA and HIPAA, and industry standards like the PCI Data Security Standard, require auditing of user accounts, including user IDs and passwords. The main focus is on safe password practices, such as requiring strong passwords and encrypting passwords stored on systems, and auditing who has access to systems. Regulators and auditors require regular reporting on user accounts.

So, even though it isn't illegal to divulge passwords, protecting them is required for compliance and will go a long way toward keeping a company out of legal hot water.

Requirement 8 of the PCI DSS is a good example of a standard for benchmarking protection of passwords on systems. This section calls for each user to have a unique user ID and password. If several users share a password, and that account is compromised by a malicious individual, it would be impossible to track down the offender.

Requirement 8.4 calls for encryption of all passwords, both in transit to systems and in storage on them, while Requirement 8.5 goes into more detail about the type of password policies and restrictions. Most of these are industry best practices for IT security, including password complexity, expiration, length, lockout after failed logins, session expiration and revocation of access for terminated users.

This was last published in July 2008
