Recently, a colleague employed by a software company asked me a question. A client of theirs has requested that they amend their software to allow them to set all their users with a single identical password that the users can’t change. He asked me, “isn’t this a bad idea, and is it even legal?”
Let’s quickly address the second part first. Without knowing a lot more about the software and the client, answering questions like “is it legal?” is impossible. Compliance is a very complex subject. There are many standards that they may or may not have to comply with, from PCI-DSS to GDPR to a library’s worth of ISO accreditations. Depending on what the system does, the industry it’s in, and a whole raft of other factors, it could be anything from “of course it’s legal” to business-closing fines and someone going to jail. This is a question which needs to be directed to his own Compliance representative.
So, passwords. What are they for then?
Password verification is a means of providing what is known as AAA security. That doesn’t mean they’re our version of eBay’s “A+++++ WUD SECURE AGAIN” measure of Greatness, but rather we have here Authentication, Authorisation, and Accounting. What does this mean? I’m glad you asked.
Authentication confirms your identity against a trusted authority. It’s your name and photograph on your DVLA-issued driving licence. It verifies who you are, nothing more.
Authorisation states what your authenticated user has access to. These are the car, motorcycle etc. categories stamped on your driving licence. E.g., if you’re a member of Payroll then you likely have access to salary data.
Accounting (sometimes called Auditing) logs what we’re doing.
Are we considering ideas yet as to why sharing passwords might be a really bad idea?
If everyone knows your password, then we lose trust in Authentication and you might as well have a driving licence written on the Jack of Clubs by your mate Dave.
Once we lose Authentication then we inherently lose Authorisation, because if Brian in Sales wants to see what his arch-rival Jennifer is earning then he can simply log in as Geoff in Payroll.
Once we lose Authorisation then we lose the ability to prevent Brian from accidentally – or maliciously – messing up Jennifer’s wages payment for this month.
And once we lose Accounting we no longer have any visibility of who did what, so when Brian cancels Jennifer’s BACS payment we look at the system and can see that it was Geoff who did it, but he cannot reliably (or morally) be held accountable because the entire company knows his password by order of De Management.
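To make that Authentication → Authorisation → Accounting chain concrete, here is an added example that is not part of the original post: a toy user directory with salted, hashed per-user passwords, a role check, and an audit log. Brian, Geoff, their roles and every password below are constructed for the illustration. With per-user passwords, Brian cannot authenticate as Geoff; with a shared password, his request for salary data is allowed and the audit log records Geoff as the actor.

```python
import hashlib
import hmac
import os

# Which roles may touch which resources (constructed for this example).
PERMISSIONS = {"payroll": {"salary_data", "bacs_payment"}, "sales": {"crm"}}


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked directory does not hand out plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Directory:
    """Minimal AAA: per-user password hashes, role-based authorisation, audit log."""

    def __init__(self):
        self.users = {}   # name -> (salt, digest, role)
        self.audit = []   # (claimed identity, resource, outcome)

    def add_user(self, name, password, role):
        salt = os.urandom(16)
        self.users[name] = (salt, _digest(password, salt), role)

    def authenticate(self, name, password):
        # Authentication: does the presented password match the hash stored for this name?
        rec = self.users.get(name)
        if rec is None:
            return False
        salt, stored, _ = rec
        return hmac.compare_digest(stored, _digest(password, salt))

    def request(self, name, password, resource):
        # Authorisation is decided on the claimed identity and Accounting records it;
        # neither can see who is actually at the keyboard.
        if not self.authenticate(name, password):
            self.audit.append((name, resource, "auth-failed"))
            return False
        allowed = resource in PERMISSIONS[self.users[name][2]]
        self.audit.append((name, resource, "allowed" if allowed else "denied"))
        return allowed


def scenario(shared_password=None):
    """Build the post's company; if shared_password is set, every account uses it."""
    d = Directory()
    for name, own_pw, role in [("geoff", "g3off-only", "payroll"), ("brian", "br1an-only", "sales")]:
        d.add_user(name, shared_password or own_pw, role)
    # Brian asks for salary data as himself, then logs in as Geoff with the password he knows.
    d.request("brian", shared_password or "br1an-only", "salary_data")
    d.request("geoff", shared_password or "br1an-only", "salary_data")
    return d.audit
```

Run `scenario()` and `scenario("Company1!")` side by side: the second audit log is indistinguishable from Geoff doing it himself, which is exactly the accountability the post says is lost.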
There is almost never a reason for anyone else to know your personal password, and if anyone asks for it then you should refuse. If you don’t then there is little point in having a password at all.
Home insurance typically won’t pay out on a claim where there is no sign of forced entry; their default assumption is that you were negligent in looking after your keys. We should consider passwords similarly: if something bad occurs under your credentials, either you did it or you supplied or lost your password to whoever did.
Passwords are important, look after them.
Tune in later for Part 2 of this article, where I intend to explain why everything I’ve just told you is wrong. 😊