T 3.43 Inappropriate handling of passwords

Even the use of well-though-out authentication methods is not very helpful when the users do not handle the necessary access resources carefully. Regardless of whether passwords, PINs, or authentication tokens are used; such items are disclosed to others or stored insecurely again and again.

Users often give their passwords to other people for reasons of convenience. Passwords are often shared by the members of work groups to make accessing the shared files to be processed by the employees easier. Requiring the use of passwords is often considered to be a hassle and avoided by changing the passwords seldom or never or by all employees using the same password.

If a token-based procedure is used for user authentication (e.g. chip cards or one-time password generators), then there is a danger that the token will be used without authorisation when it is lost. An unauthorised user may be able to successfully establish a remote access connection using this token under certain circumstances.

Due to the large number of different passwords and PINs, users are often unable to remember them all. For this reason, passwords are constantly being forgotten, which sometimes results in a lot of effort to enable the user to resume working with the system. Authentication tokens can also be lost. In very secure IT systems, the loss of a password or token can even lead to the loss of all user data.

Passwords are often written down so they are not forgotten. This is not a problem as long as they are stored carefully and protected against unauthorised access. Unfortunately, this is not always the case. A classic example is storing the password on a note under the keyboard or on an adhesive label stuck to the screen. You will also often find authentication tokens under the keyboard.

Another trick used so that passwords are not forgotten is to select a "suitable" password. If users are permitted to select the passwords themselves and are not adequately sensitised to the problems relating to this selection, trivial passwords such as "90210" or the names of friends are selected in many cases.

Examples:

• In one company, it was discovered within the framework of random checks that many passwords were poorly selected or were changed too infrequently. The users were then forced technically to change their passwords monthly, and the passwords were also required to contain numbers or special characters. It turned out that one administrator selected his passwords as follows:
  
  January2009, February2009, March2009, ...
  
  These passwords conform to the password policy, but are easy to guess.
• In a government agency, it was discovered that users whose offices faced the street often used the same password: the name of the hotel across the street the large, illuminated letters of which dominated the view from these offices.