S 2.22 Escrow of passwords
Initiation responsibility: Head of IT
Implementation responsibility: User
If access to an IT system is protected by means of a password, arrangements must be made to allow the substitute to access the IT system when an employee is absent, for example in case of holiday or illness.
For this purpose, there are different options depending on the IT systems and/or IT applications used and on the security policies of the respective organisation. For example, the password can be stored at a suitable location. For typical multi-user systems, the administrator can also release the required user rights or set the password to a new value. Alternatively, many IT systems and/or IT applications allow groups to be set up so that the designated substitute can access the system when the employee is absent.
All of the solutions mentioned have different advantages, but also disadvantages, so it must always be examined properly which solution is the most suitable in the respective situation.
The following examples are to illustrate this:
The accountant Ms. Müller carries out her work on a Windows PC that is connected as a client in a LAN. To cover all potential problem areas in case a substitute is needed, her scope of activities was addressed and discussed with her and solutions developed.
- She is responsible for handling all processes with the partner companies A-K. The data to be processed are in a database on the server PF1. In the case of substitution, her colleagues Schmidt and Eifrig can process this data using their own user IDs, as they have been granted corresponding authorisations in the database.
- Several documents created by her are stored on her PC. It was agreed that she would keep all data important for operations in project directories on the server. If this data needs to be accessed in the case of substitution, the administrator is able to grant such access. This must be documented in writing. Afterwards, Ms. Müller is informed of this by e-mail.
- Ms. Müller uses an old but stable IT application for the customer management of the companies for which she is responsible. Since it is not technically feasible for this application to introduce substitution arrangements by means of access authorisations, her substitute Mr. Schmidt is given the password for her access. Thus, he is able to enter any changes whilst she is absent.
- Several financially relevant processes must be authorised using a digital signature. For this purpose, personal cryptographic keys on chip cards that must not be forwarded have been handed over to all employees. In the case of substitution, her substitute signs such processes using his digital signature.
The escrow of passwords is always associated with a lot of organisational effort: for the escrow of passwords, the required current password must be stored by each employee at a suitable location (e.g. in a sealed envelope in a safe in the secretary's office). Every time a password is changed, the stored password must also be updated. No stored password may ever be left out of date. (Sometimes up to five different passwords must be entered to access an application on a computer.) It must not be possible for unauthorised persons to gain access to the stored passwords. If it is necessary to use one of the stored passwords, this password should be retrieved according to the two-person rule, i.e. in the presence of two persons at the same time. Any access to a stored password must be documented.
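The following is an added example, not part of the BSI safeguard text, showing how the requirements just listed (two-person rule, invalidation of old deposits after a password change, currency check, documented access) can be enforced in code rather than by procedure alone. The deposited password is split into two XOR shares; each custodian holds one sealed share, and the register keeps only metadata, so neither one custodian nor the register on its own yields the password. All employee, custodian and system names, and the timestamps, are constructed sample data.

```python
import secrets
import time
from dataclasses import dataclass, field


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """Split a secret into two shares; each share alone is uniformly random."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(x ^ y for x, y in zip(secret, share_a))
    return share_a, share_b


def join_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recombine two shares produced by split_secret."""
    if len(share_a) != len(share_b):
        raise ValueError("shares do not belong to the same deposit")
    return bytes(x ^ y for x, y in zip(share_a, share_b))


@dataclass
class Envelope:
    """One custodian's sealed share for one deposit (hypothetical structure)."""
    deposit_id: str
    token: str        # identifies the deposit generation this share belongs to
    custodian: str
    share: bytes


@dataclass
class EscrowRegister:
    """Metadata register plus append-only access log; holds no shares."""
    deposits: dict = field(default_factory=dict)
    access_log: list = field(default_factory=list)

    def deposit(self, employee, system, password, custodian_a, custodian_b, now=None):
        """Split the password and hand one envelope to each of two custodians."""
        if custodian_a == custodian_b:
            raise ValueError("two different custodians are required")
        deposit_id = f"{employee}/{system}"
        token = secrets.token_hex(8)          # new generation supersedes old envelopes
        share_a, share_b = split_secret(password.encode("utf-8"))
        self.deposits[deposit_id] = {
            "custodians": (custodian_a, custodian_b),
            "token": token,
            "deposited_at": time.time() if now is None else now,  # epoch seconds
        }
        return (Envelope(deposit_id, token, custodian_a, share_a),
                Envelope(deposit_id, token, custodian_b, share_b))

    def retrieve(self, env_a, env_b, opened_for, reason, now=None):
        """Reconstruct a password; needs both custodians' envelopes and logs the access."""
        if env_a.deposit_id != env_b.deposit_id:
            raise ValueError("envelopes belong to different deposits")
        meta = self.deposits.get(env_a.deposit_id)
        if meta is None:
            raise KeyError("no current deposit for this employee/system")
        # Two-person rule: exactly the two appointed custodians, not one person twice.
        if {env_a.custodian, env_b.custodian} != set(meta["custodians"]):
            raise PermissionError("both appointed custodians must be present")
        # Envelopes from a superseded deposit (password changed since) are refused.
        if env_a.token != meta["token"] or env_b.token != meta["token"]:
            raise ValueError("envelope belongs to a superseded deposit")
        password = join_shares(env_a.share, env_b.share).decode("utf-8")
        self.access_log.append({
            "deposit_id": env_a.deposit_id,
            "custodians": (env_a.custodian, env_b.custodian),
            "opened_for": opened_for,
            "reason": reason,
            "at": time.time() if now is None else now,
        })
        return password

    def is_current(self, deposit_id, password_last_changed):
        """Currency check: the deposit must post-date the account's last password change."""
        meta = self.deposits.get(deposit_id)
        return meta is not None and meta["deposited_at"] >= password_last_changed
```

The register's `is_current` check takes the account's last password-change time (for example from the directory or application account record) so that a periodic review can list deposits that fell out of date; a real deployment would persist the register and log in tamper-evident storage rather than in memory.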
Passwords should only be escrowed if there is no other (technical) solution available. In this respect, it must always be noted that the escrow of passwords can convey a wrong impression of how passwords are to be handled securely. Passwords must not be "stored" below keyboards or in similar places and must not be passed on to colleagues just because this is easier than asking the administrator to grant the required access authorisation.
Passwords, however, should always be stored securely if they are the only way to access the IT system or the IT application. This is often the case for administrator access or stand-alone systems, for example.
There should thus be a rule that describes which types of passwords should be stored and which general requirements need to be met in this case.
For telecommuters, it must be ensured that their passwords for the IT systems at their home workstation are also stored in the organisation so that their substitute can access the data stored on the telecommuter's computer in case of an emergency.
For all systems supported by administrators, especially for networked systems, it must be ensured by means of regular checks that the current system administrator password is stored.
Review questions:
- Is it ensured that only appointed substitutes can access the required applications and IT systems?
- Are there rules and regulations specifying which passwords must be stored and which security precautions must be complied with in this respect?
- Are passwords only stored if there is no other appropriate approach to provide the required access capabilities?
- If passwords have been stored: Are the passwords stored in a secure location?
- If passwords have been stored: Are the stored passwords always kept up-to-date?
- If passwords have been stored: Is the access to the stored passwords documented?