4.5.6.1 Password choice and handling
The organisation has a number of different systems that employees need to access during their day-to-day tasks, many of which require different user IDs and passwords. The security policy included a number of clauses on passwords: “Keep all authentication credentials secure and must not write down or share passwords or token on their accounts – Users will be held accountable for any actions attributed to any account/uid they are responsible for”, also stating that “not knowingly access or seek to access data using authentication credentials that they are not authorized to have, e.g. by using another user's user identifier and password”, but also including an ambiguous clause on password sharing: “users must not access any information or system using another employee's or system's password unless explicitly authorised to do so.” When asked about authentication to organisational systems, employees reported that the number of different passwords for the various organisational systems made password management (choosing and remembering them) a challenging task. To cope with this, they developed a number of strategies:
1. 11 (37%) employees reported that they write down their passwords either (a) on paper (7 employees, 23% - P8: “I just find there’s too many to remember otherwise and we’ve got a different username and password most of the time for each of the logins, so […] it’s written down on a bit of paper. It’s locked in my desk when I’ve not got hold of it, probably along the laptop, which is probably not too clever thinking about it”) or (b) in electronic form (in a Word document – 1 employee, or on their PDAs – 2 employees - P26: “I’ve got a Microsoft Word document, which is 5 pages long now that contains passwords for everything. […] But mostly work cause I don’t do a lot of stuff on the internet personally. And the amount of password-protected things…leads you to the necessity to write them down, which introduces a risk.”)
2. 7 (23%) employees reported that they use the same password for more than one system. Some do so only for rarely used ones, where remembering all required passwords is not possible; others do it for all they have to use. This was reported as a way to avoid having to write their passwords down (P25: “I come from the school of the same password for as many things as possible rather than having them either physically written down or put into some sort of document somewhere.”)
3. One other employee, though, reported that writing passwords down is allowed by policy! (I: “Does it also say in the policy you’re not allowed to write them down?” P27: “No, it says you can write them down.”)
4.5.6.2 Password changing
The organisation requires employees to change their passwords at regular intervals, which accentuates the problem of managing multiple passwords: it imposes a large compliance overhead on employees, turning password management into a problem that requires significant time and effort. In some cases it also leads to employees being locked out of systems, which hinders their primary tasks and creates frustration. In response, employees developed different coping mechanisms:
1. 5 employees (17%) who used the same password for more than one system said they change all passwords together when one expires. I: “And do you change them all at the same time even though they probably don’t all have to be changed at the same time?” P1: “Yeah, change them all at the same time”.
2. 15 employees (50%) developed their own simple password-change strategies. 9 of them (30%), for example, reported that they change only one digit of the password when required (e.g. change “Password.01” to “Password.02”). Others mentioned that they keep the password the same and add the current month at the end (e.g. P15 realised that a system prevented the use of the current month as a password, so they started using Summer01 for June, Summer02 for July, etc.)
4.5.6.3 Password sharing
As discussed earlier in this section, Company A’s security policy explicitly prohibited sharing passwords, but also included contradictory clauses like: “…unless explicitly authorised to do so”. A group of 7 (23%) employees mentioned they do not share their passwords, as they cannot be sure who to trust and they are not willing to take the risk of getting in trouble from potential credential misuse (P15: “…from a point of view of if you're asked to give your password then really it doesn't matter who it is, whether it’s senior management, the philosophy within the company is you shouldn't be asked and if you are asked you should have the right to say no without any recrimination. Um, there is a policy in place and it’s there to protect you and to protect others.” or P29: “Sometimes it comes up as a bit of any solution and I've always refused to do that actually. More for personal reasons I would say. Not because I think there's particularly a big corporate risk, for my own risk it’s a significant risk to take.”)
Despite policy prohibiting password sharing, 15 employees (50%) reported that in a number of cases they needed to access systems for which they did not have an account set up (either because they were new to the organisation or because they had had no need to use that specific system in the past). In those cases, the need for quick access meant they had to share passwords with their colleagues, as access right setups “take ages” (P8) and “colleagues have been unable to work for weeks” (P20). This group acknowledged password sharing as a risky behaviour and, despite feeling uncomfortable, they still did it (e.g. P6: “…sometimes people don’t have access to information or systems that they need to do their job and therefore they’re shared within teams. And I flagged that before that it shouldn’t happen but it does, because it can take so long to get something through that they might need to do their job. So it would be, “Use somebody else’s account.” […] so that you can learn the process and do the process yourself” or P12: “Well, I’ve never had to but, like I said, we had a person off long-term sick and we needed to access some information that without it a £6 million contract wouldn’t have been awarded so we knew the risks and we, we had to do it”). Employees in this group also mentioned that only those who should be allowed access to a resource should be given a password (P18: “Within the small pricing team, it’s giving that two or three people who would need access to those to share the password”); none of them mentioned that they were “…explicitly authorised to do so”, as the company policy demanded. In addition, “generic accounts exist on rarely used systems” (P14), which reduce the accountability of actions. In general, password sharing appeared to be the only way to access systems when urgent access was required and no organisational provisions existed to provide that access through official channels.
4.5.6.4 General comments on password behaviour
Overall, employee password behaviours varied and diverged from organisational policy. Employees set all their passwords to the same, easy-to-remember one to improve memorability, changed them all at the same time, wrote them on paper, stored them in documents and shared them with colleagues when they needed quick system access. The reported practices create a number of problems and risks for the organisation:
Single password security: Using a single password for all systems removes the security that distinct passwords provide, as one compromised password can be reused to access every system the password owner is authorised to use. The risks may be even higher if employees reuse the same password for personal purposes: compromise of a personal account (combined with the fact that some employees use personal email for work purposes – see section 4.5.9) can increase security risks for the organisation.
Simultaneous password change: This is an effective strategy to improve employee ability to recall their passwords for various systems, but consumes significantly more employee time than a single password change, increasing the employee effort required to manage the organisation’s security mechanisms.
Writing passwords down: This collapses the additional security that different passwords provide into a single point of failure. To gain access to a number of different organisational systems, a potential attacker only needs to gain access (either physical or electronic) to the document where the passwords are stored, which is protected only by whatever each employee perceives to be the most appropriate means.
Own password-devising mechanisms - simple change: e.g. the “Summer01” example presented above. Banning words like “Summer” from allowed passwords could eliminate this particular practice, but any implementation based on banned words should not underestimate employees’ ability to come up with something that passes the formal rules while still being severely insecure.
Password sharing: Password sharing increases risks for system misuse, also leading to reduced accountability in case employee behaviours need to be followed up, especially if such sharing was authorised by managers. The risks of this practice can be amplified when passwords are shared across many systems.
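As an added illustration (not part of the study and not code from Company A’s systems), the following Python shows why a banned-word list alone does not stop the rotation strategies reported above (bumping one digit, or appending a month or season) and what a check that compares the new password against the previous one catches instead. The banned list and all sample passwords are constructed for the example.

```python
import re

# Constructed banned-word list; the text only names "Summer" as a candidate.
BANNED_WORDS = {"summer", "password"}
SEASONS_MONTHS = (
    "spring summer autumn winter jan feb mar apr may jun jul aug sep oct nov dec "
    "january february march april june july august september october november december"
).split()


def banned_word_check(candidate: str) -> bool:
    """Naive filter: accepts the password unless a banned word appears verbatim."""
    lowered = candidate.lower()
    return not any(word in lowered for word in BANNED_WORDS)


def is_calendar_pattern(pw: str) -> bool:
    """True when the password is only a season/month plus digits or separators,
    e.g. "Summer01"; swapping Summer for Winter still passes a banned-word list."""
    core = re.sub(r"[\d\W_]+", "", pw.lower())
    return core in SEASONS_MONTHS


def _stem(pw: str) -> str:
    """Reduce a password to the part a rotation strategy leaves unchanged:
    lower-case, drop digits/separators at either end, drop a season or month
    token glued to either end (so "MyDogJune" and "MyDogJuly" share a stem)."""
    s = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    for tok in SEASONS_MONTHS:
        if s.startswith(tok):
            s = s[len(tok):]
        if s.endswith(tok):
            s = s[:-len(tok)]
    return s.strip("._- ")


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; a one-digit bump is distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is derived from `old` by one of the reported strategies."""
    if _levenshtein(old.lower(), new.lower()) <= max_edits:
        return True
    if is_calendar_pattern(old) and is_calendar_pattern(new):
        return True
    so, sn = _stem(old), _stem(new)
    return bool(so) and so == sn
```

A real deployment would run this at change time against the previous password (or a hash of its stem), since the old password is only available then.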
In general, having many passwords that require frequent changes turns password management into a problem that requires a significant investment of time and effort from employees. The resulting risks can be significant for an organisation and are further increased by slow setup of system access, which encourages password sharing so that employees can proceed with their primary tasks.