why passwords are secret

    Passwords are obviously used everywhere these days, but why is it so important that nobody else knows your passwords?

    The simple reason is obvious – you don’t want other people to be able to access your stuff when you don’t want them to.

    The more complex reason is the legal one. Businesses, websites, Internet Service Providers, Internet cafés, nearly everyone in fact, has a document or set of documents called an ‘Acceptable Use Policy’. In this document they specify (or at least they should specify) that any password or key they provide you with is not to be shared with anyone else, under any circumstances.

    The reason for this is not just to protect you and your stuff; it is to protect whoever is providing you with access to it. If they didn’t explicitly state that sharing these credentials with someone else is against the rules, and your account later becomes linked with some kind of activity that IS against the rules, they might have no way of proving you did it, because anyone you had given your password to could have been using the account.

    Let me put this another way.

    1. Alice is given a password to access example.com
    2. Alice gives her password to Bob, to upload some files.
    3. Bob uploads some illegally downloaded MP3s to example.com using Alice’s password
    4. example.com finds the illegal music collection, and wants to prosecute Alice
    5. Alice then tells example.com that she didn’t put the files there
    6. Bob never agreed to the usage agreement on example.com, because he just logged in using Alice’s password
    7. example.com is then stuck because the usage agreement hasn’t been broken – they forgot to put in a clause about sharing passwords

    Here’s another example.

    1. Charlie owns example.com
    2. Derek works for example.com
    3. Charlie creates an email account for Derek, and hands him his password
    4. Derek is not allowed to change his password, because Charlie wants to keep a copy of it, for “security reasons”
    5. Derek sends an email to Edwin using his example.com email account
    6. Edwin takes offence at Derek’s email, and decides to sue example.com
    7. Charlie tries to fire Derek for sending the offensive email to Edwin
    8. Charlie cannot prove that the email was sent by Derek – as both Charlie and Derek have access to Derek’s password
    9. Charlie therefore has no reasonable grounds to fire or take other action against Derek due to the email.
    10. If Charlie fires Derek anyway, Derek may try to sue Charlie for unfair dismissal.

    If you work for a company that keeps a copy of your password written down somewhere, or stores your password unencrypted in a database, or stores it in any way that could enable anyone to read it, then it’s a reasonable assumption that someone else could have your password without you having given it to them.
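    As an added illustration of that last point (example code written for this page, not taken from the original post or from any of the policies quoted below): a service that stores only a per-user salt and a slow hash of the password can still check a login, but nobody who reads the database, including the operator, learns the password itself. The scrypt cost parameters and the record layout are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost parameters for the example; tune to your own hardware budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a service stores instead of the password.

    The record holds a random per-user salt and an scrypt digest, so the
    operator can verify a later login attempt but cannot read the password
    back out of the database (and so cannot be a second party who 'knows' it).
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time; only the person who knows the password gets True."""
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"],
                            dklen=KEY_LEN)
    return hmac.compare_digest(digest.hex(), record["hash"])


def record_exposes_password(record: dict, password: str) -> bool:
    """True if the password appears verbatim in any stored field, which is the
    'stored in any way that could enable anyone to read it' situation above."""
    return any(password in str(value) for value in record.values())


if __name__ == "__main__":
    # Constructed sample credential for the demonstration.
    rec = hash_password("correct horse battery staple")
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("wrong password rejected:", not verify_password(rec, "password1"))
    print("record readable by admin:", record_exposes_password(rec, "correct horse battery staple"))
```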

    Passwords Are Secrets – Nobody should ever know any of your passwords. They are secret and should not be shared. No exceptions.

    Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.

    SANS.org AUP

    User ID’s and passwords are not to be shared. Those who use another person’s user credentials and those who share such credentials with others will be in breach of this policy.
    Initial default passwords issued to any user must be changed immediately following notification of account set up.

    University of Bath AUP

    Each user is issued with a valid username and password that must be kept confidential and must not be shared with anyone else.

    University of Salford AUP

    You are responsible for properly using any user IDs, personal identification numbers (PINs) and passwords needed for the service, if any, and must take all necessary steps to make sure that you keep these confidential and secure, use them properly and do not make these available to unauthorised people.

    BT Terms and Conditions

    To protect your Google Account, keep your password confidential. You are responsible for the activity that happens on or through your Google Account.

    Google Terms of Service

    I did come across several policies that do not specifically mention passwords or access credentials – not all of them need to, as they can protect themselves with other related clauses, but adding a password clause like those above to any policy is such a simple addition that adds a lot of protection with very little effort.


    Further Reading

    1. Wikipedia: Acceptable Use Policy
    2. Gov.uk: Dismissal: your rights
    3. Get Safe Online: Sample Acceptable Usage Policy
    4. Common Sense Education: Essentials – Acceptable Use Policies