T 4.33 Poor-quality or missing authentication
Authentication mechanisms can be used to authenticate users or components, or to determine the origin of data. If authentication mechanisms are missing or if their quality is too poor, there is a risk that
- unauthorised persons can gain access to IT systems or data,
- the causes of problems cannot be identified or
- the source of data cannot be determined.
Security gaps occur
- when users are authenticated, for example if users choose passwords which are easy to guess or if they never change their password,
- when components are authenticated, for example if default passwords are not replaced by individually chosen ones after an IT system is installed, if passwords that are permanently entered in many IT systems are never changed again, or if passwords are not kept safely and nobody can remember a vital password after the system has crashed,
- in the choice of procedure, for example if the procedure is completely unsuitable, or if known security gaps are not reacted to while the system is in operation.
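
The following audit sketch is an added example, not part of the original catalogue entry. It checks a credential inventory for the gaps listed above: guessable user passwords, unreplaced default passwords on components, and passwords that were never changed. The deny list, the record layout, the 365-day limit and all sample accounts are constructed assumptions.

```python
import hashlib
import hmac
from datetime import date

# Constructed deny list of default and easily guessed passwords (assumption).
DENY_LIST = ["admin", "password", "changeme", "123456"]
MAX_AGE_DAYS = 365  # assumed policy value, not taken from the catalogue entry

def hash_pw(password, salt):
    # Iteration count kept low so the sample runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def audit(accounts, today):
    """Return {account name: [findings]} for the gaps described above."""
    report = {}
    for acc in accounts:
        findings = []
        # Stored hash matches a deny-list entry: guessable or default password.
        for candidate in DENY_LIST:
            if hmac.compare_digest(hash_pw(candidate, acc["salt"]), acc["hash"]):
                kind = acc["kind"]
                findings.append("default" if kind == "component" else "guessable")
                break
        # Password untouched since installation, or older than the policy allows.
        if acc["changed"] == acc["created"]:
            findings.append("never changed")
        elif (today - acc["changed"]).days > MAX_AGE_DAYS:
            findings.append("stale")
        if findings:
            report[acc["name"]] = findings
    return report

def make(name, kind, password, created, changed):
    # Salt derived from the name only to keep the sample reproducible.
    salt = name.encode().ljust(16, b"\0")
    return {"name": name, "kind": kind, "salt": salt,
            "hash": hash_pw(password, salt),
            "created": created, "changed": changed}

# Constructed sample inventory.
SAMPLE = [
    make("alice", "user", "123456", date(2023, 1, 10), date(2024, 11, 2)),
    make("router-admin", "component", "changeme", date(2022, 5, 1), date(2022, 5, 1)),
    make("backup-svc", "component", "k7#Vq9!zLr2p", date(2021, 3, 1), date(2021, 9, 1)),
    make("bob", "user", "T4x!mQ82_wdEy", date(2024, 6, 1), date(2024, 12, 1)),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2025, 1, 15)).items():
        print(name, findings)
```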