My company policy states I must put all passwords in a password safe shared with management. Is this secure?

Question

As the title says, my company has a policy that all passwords to e.g. our workstations and server logins must be stored in an online safe. I won't say which one but there are some out there you can look at promising the end of password pain. These passwords are then shared with the company's management - I don't know how that bit works, but they can read the passwords too.

Is this really that secure? I was given two reasons why it is by my boss:

1. If I forget my password, I can just ask him for my password.
2. If I turn evil, they can lock me out.

I don't agree with these. For the first one, surely there must be a better way for most of the things we use like Google Apps - e.g. the admin has a reset button. For the second one I can just change my password anyway and not update the password safe.

So am I right that this is not secure? Or is this the only way?

Answer 1

None of the reasons you've given are valid reasons for escrowing your password. There's only a couple valid reasons for escrowing any sort of "authenticator" information. A couple others have touched on these, but I'll try to clarify a bit.

1. Encryption Keys: It makes absolute sense for the organization to have access to escrow copies of your encryption keys. After all, the data you're encrypting (provided you're only using your company's encryption for work purposes, of course) is their data in the end anyway. So, they need to retain access to that data in the event you lose your key or you are separated from the company. However, the encryption key should not be the same key you use for digital signatures. Also, they should not have actual access to your authenticator - the passcode you use for the key. Instead, they should have their own escrow key that works with their authenticator to decrypt your data.

2. Failsafe Accounts: It also makes sense that the organization should have backup copies of credentials necessary to access an Administrator-level account in the event the System Administrator's own account is locked out, or they depart the company. However, the credentials should not be for the System Administrator's own account. They should be for a local system account whose sole purpose is for emergency use. To that end, the account should also never be used for non-emergencies and its usage should be closely monitored and alerted. Traditionally, credentials for accounts like these are sealed in tamper-evident envelopes and stored in a secure, physical vault. It's conceivable that there may be digital equivalents, but I personally wouldn't trust those without a thorough review.

There's two big reasons why it's a bad idea for management to have your password. The first reason is potentially very bad for you, as it could end up causing otherwise unnecessary work for you if things go wrong. However, the second actually turns this around and makes it potentially worse for the company than it is for you if things go really wrong.

1. Potential For Abuse: The obvious one - managers now effectively have unrestricted access to the systems, regardless of whether they should, with the same privileges you have. Most simply this means that the managers may leverage this to do things on the system that they otherwise should not be doing. This also leaves the potential for them to bypass your position whenever they want to rush a particular change along without following standard procedure.

2. Loss of Non-Repudiation: Once someone else has your credentials - and, especially in a case like this where it can be proven they do - they can impersonate you on any systems where those credentials are valid. This makes it difficult to definitively prove that any actions taken by your account were actually taken by you. If a manager does decide to use your account, and ends up royally screwing up the system, it won't be very easy to use you as a scapegoat even though your account is in the logs. Worse for the company is, if you do something to royally screw up the system while your managers have your password, they'll have a harder time proving that it was actually you that did it.

---

TL;DR: There's no good reason I can think of for management to have any of your passwords. As for the reasons they've given:

1. "If you forget your password..." another System Administrator can reset it for you. Or, management can "break the glass" on the emergency account (see "Failsafe Accounts" above) and do it themselves.
2. "If you turn evil..." again you can be locked out by another System Administrator, or the emergency account.

Answer 2

The first reason (give you your password back in case your forgot it) is quite weak: if you forgot your password, then it is not a good password, and it would make more sense to let you reset it by choosing a new password. The second reason is totally bogus: if they cannot "lock you out" without knowing your password, then they should fire their sysadmin ASAP. He doesn't know how to right-click.

Most probably, your managers want to have the feeling of being in control and to actually manage at very close range. Possibly, they might just want to prevent the employees from using swear words as passwords because it could offend some deity somewhere. Either way, this does not highlight the competence of whoever came up with that security policy in a very positive way.

Edit: though, the policy would make some kind of sense for passwords which are used for encryption, e.g. when you protect a Zip archive with a password. That kind of password cannot be reset, and losing the password (you forget it, or you become "unavailable" due to having been struck by a bus) implies losing the data. In that case, escrowing the password makes sense. But for an authentication password, no, that's a stupid policy.

Answer 3

No, it is not a good idea. Thomas explained why it doesn't achieve its own goals, but it is worse than that.

Consider what happens when a rogue employee misbehaves causing damage to the company.

During the trial, you are subpoenaed to testify about logs showing that it was the employee who caused the damage, and are asked who else could log in as this employee. You truthfully answer that anyone with access to the safe including all of management could log in as that employee and your logging systems would be none the wiser.

Anything that blurs the distinction between actor and authenticating credentials seriously undermines the company's ability to use access logging to discourage misbehavior or recoup damages.

Managers often hand out passwords to subordinates when an IBAC system fails to explicitly handle delegation, but this is the reverse of that case, where the blurring affects the credentials of the much larger group of lower-level employees.

Answer 4

Agree with @Thomas Pornin on the "bus factor", but there is one more thing to consider: the "online safe" is likely to be not really secure at all. It makes sense to put passwords in writing into a single physical vault, and keep them there so that in case of emergency the vault may be opened with the management's express authorization.

Answer 5

Depending on the types of information that your credentials provide access to, your type of organization (Financial, Healthcare) or location, there may be regulations (e.g., GLBA for banking, HIPAA for healthcare) in place that require no one have your credentials.

For instance MA 201 CMR 17 (http://www.mass.gov/ocabr/docs/idtheft/201cmr1700reg.pdf) requires that if you have access to certain sensitive info about a resident of MA that you have a unique ID and password to access that data: "Do you assign unique identifications plus passwords (which are not vendor supplied default passwords) to each person with computer access; and are those IDs and passwords reasonably designed to maintain the security of those access controls?"

HIPAA 164.308(a)(5)(ii)(D): Each user has a unique identifier (i.e. user ID and password) when accessing their computer, EHR software, or any other system or resource.

Answer 6

The second requirement is completely bogus as stated. Knowledge of the password is not required in order to revoke an employee/administrator's privilege.

The first requirement is valid, but I would discuss two things with your boss: 1) The company should sign a legal waiver absolving you from any criminal or civil wrongdoing resulting from use of your logon. Since they have required that your logon be shared, they must acknowledge that you cannot be held responsible for your boss surfing child porn sites on your password.

2) The Discovery problem raised by @Mike Samuel. If there is any legal discovery against your company your boss could be utterly screwed. (and you might point out that there is a relationship with #1 - if you are sued or charged for any offense whatsoever related to your logon, your lawyer would be forced to issue a discovery request.)

Low tech password escrow is a relatively normal practice in my industry. We add "Tamperproof/tamper resistant/Tamper evident" to the requirements set to protect both sides.

Write the password (for a single system) on a sheet of paper. Fold it and seal it in a opaque business envelope. Seal the envelope, sign across the boundary. Now apply tape over the signature and the boundary.

Repeat this for each system.

Now insert all the envelopes into a large manilla envelope. Seal the envelope. You and your boss sign/countersign across the seal.

Store that in the safe. This means the business is protected against the bus factor.

Write policy/procedures for opening that envelope and using the password.

Periodically verify that the envelope is unopened (frex, when you do your normal password change)

Answer 7

First, it is company policy, so like it or not... (I'm the resident security genius - not my attribution - at my company and I've been railing against our password policy for years, yet nothing changes because apparently that's what you can simply enable with a checkbox in Windows...)

Is it secure? That depends on what you mean by "secure".

1. It is more secure in regards to you forgetting your password, the main effect being that you are less likely to write it down or something.
2. It is more secure in regards to the bus factor, i.e. if you are in an accident, leave without notice or otherwise become suddenly unavailable, the company doesn't lose access to your stuff and doesn't have to jump through hoops to recover it.
3. It gives your manager a feeling of control.
4. It is less secure in regards to all eggs being in one basket, and someone getting access to the password safe now has everyone's password, congratulations.
5. It is less secure in eliminating the confidence that some evil deed done with one person's account must have been done by that person, because other people do have access to his password and could impersonate him.

If that's the balance the company wants, fine. Make sure to use a password that is unrelated to any personal/private passwords you are using.

Answer 8

When we create a userID and attach it to a owner, it inherently become the property of an employee [not of course personal property ;)] who is responsible and accountable for all the actions/activities performed under that account until he is employed with the company.

Generally, the Password Policy of every company [except some like yours] suggests 'Not to Share' the access credentials with anyone.

In case you have to, you need declare it as a shared/generic user ['with admin rights' in your case] stating that you have shared the access credentials with Mr.x / Team x and though it is in safety vault but can be accessed upon need by them.

My suggestion to you is to go ahead and give them what they need and write an email to your manager, his manager and Password Safety Vault Manager [person who is responsible to keep a logbook when they access the password safety vault] stating that you are ready with the Password Envelope [sign it across the seal flap] and that they can keep it safe in the vault.

Regards