
My company's system administrator is asking for our passwords for an ISO audit and my VP IT operations support says it's mandatory for ISMS (ISO27001).

Can someone confirm if this is true?

Ilmari Karonen
v_sukt

10 Answers


Absolutely not!

ISO 27001 requires management of passwords and requires having password policies. Someone in your company is interpreting this as needing to inspect all passwords in the clear to ensure that they meet the password policy.

But this is a terrible way of doing this audit. Technology should be in place to force people to comply with password policies when they make passwords, not to inspect them by hand once they are made.

There is a wide-ranging series of failures if they want to audit passwords by looking at them ...

schroeder
  • Is it rational to initialise all existing passwords after a policy change to ensure that the users use the new policy/have strong passwords? – licklake Mar 09 '17 at 14:05
  • @licklake yes, it is reasonable – schroeder Mar 09 '17 at 15:09
  • I would just add that if anyone can obtain these passwords in clear text, you've failed the audit. – RubberDuck Mar 10 '17 at 22:29
  • @licklake - when we've changed password policies in the past, we set all passwords to expire 5 days in the future to give people a week to reset them. – Johnny Mar 10 '17 at 23:13
  • I guess that a sneaky auditor could lay a trap by asking to inspect password(s). If a member of InfoSec complies, it would be a big non-conformity. It could also showcase lack of security awareness from business users, due to a lack of awareness sessions for example – niilzon Apr 06 '17 at 11:41
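Added example, not code from the original page or from any answer above: a Python sketch of what "technology in place to force people to comply with password policies when they make passwords" looks like in practice, together with the expire-and-reset approach Johnny's comment describes, and the evidence an auditor can check without ever seeing a plaintext password. The policy numbers, the PBKDF2 work factor, the account names and the legacy plaintext record are all assumptions constructed for the example; ISO 27001 itself does not prescribe them.

```python
import base64
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta, timezone

# Assumed policy parameters: ISO 27001 does not prescribe these numbers.
POLICY = {"min_length": 12, "min_classes": 3, "max_age_days": 90}
PBKDF2_ITERATIONS = 600_000           # assumed work factor for PBKDF2-HMAC-SHA256
ACCEPTED_ALGOS = {"pbkdf2_sha256"}    # what "stored securely" means in this example
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def policy_violations(password):
    """Set-time check: return the reasons a candidate password fails the policy."""
    reasons = []
    if len(password) < POLICY["min_length"]:
        reasons.append("too short")
    if sum(1 for p in CLASS_PATTERNS if re.search(p, password)) < POLICY["min_classes"]:
        reasons.append("too few character classes")
    return reasons


def set_password(store, user, password, now):
    """Reject non-compliant passwords up front; persist only a salted hash and metadata."""
    reasons = policy_violations(password)
    if reasons:
        raise ValueError("password rejected: " + ", ".join(reasons))
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    store[user] = {
        "algo": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": base64.b64encode(salt).decode("ascii"),
        "hash": base64.b64encode(digest).decode("ascii"),
        "changed_at": now,
        "must_change_by": None,       # cleared whenever the user sets a new password
    }


def verify_password(store, user, password):
    """Login-time check; the plaintext never leaves this function."""
    rec = store.get(user)
    if rec is None or rec["algo"] not in ACCEPTED_ALGOS:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 base64.b64decode(rec["salt"]), rec["iterations"])
    return hmac.compare_digest(digest, base64.b64decode(rec["hash"]))


def expire_all(store, now, grace_days=5):
    """After a policy change: every account must pick a new, compliant password by a deadline."""
    deadline = now + timedelta(days=grace_days)
    for rec in store.values():
        rec["must_change_by"] = deadline


def audit_findings(store, now):
    """What an auditor can verify from the store alone. No plaintext is read or needed."""
    findings = {}
    for user, rec in store.items():
        issues = []
        if rec.get("algo") not in ACCEPTED_ALGOS:
            issues.append("not stored as an accepted salted hash")
        elif rec.get("iterations", 0) < PBKDF2_ITERATIONS:
            issues.append("work factor below policy")
        if now - rec["changed_at"] > timedelta(days=POLICY["max_age_days"]):
            issues.append("password older than max age")
        deadline = rec.get("must_change_by")
        if deadline is not None and now > deadline:
            issues.append("forced reset deadline missed")
        findings[user] = issues
    return findings


def demo():
    """Constructed scenario: two compliant accounts, one legacy plaintext record, then a policy change."""
    t0 = datetime(2017, 3, 9, tzinfo=timezone.utc)
    store = {}
    set_password(store, "alice", "Tr0ub4dor&3-correct", t0 - timedelta(days=10))
    set_password(store, "bob", "Another-Strong-Pw9", t0 - timedelta(days=120))
    # Constructed legacy record written by some older system, not by set_password().
    store["carol"] = {"algo": "plaintext", "hash": "hunter2",
                      "changed_at": t0 - timedelta(days=1), "must_change_by": None}
    expire_all(store, t0)                                  # policy changed on t0, 5-day grace
    set_password(store, "alice", "New-Compliant-Passw0rd!", t0 + timedelta(days=2))  # alice resets in time
    return audit_findings(store, t0 + timedelta(days=6))   # bob and carol did not


if __name__ == "__main__":
    for user, issues in demo().items():
        print(user, issues or "compliant")
```

The shape of `audit_findings` is the point: it checks the storage format, the work factor, the password age and whether the forced reset was actually completed, and at no step does it need or accept a plaintext password. The only function that ever sees one is `verify_password`, at login, and it discards it immediately. An admin who asks for your password in the clear is asking for something this kind of evidence trail deliberately does not contain.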

This is not true. Besides the fact that a sysadmin should be able to change your password when needed, it is probably in breach of the very controls they claim to be enforcing.

It is their job to ensure that controls are in place around passwords, but it is the users responsibility to keep their passwords confidential.

Any shared admin passwords should be managed centrally by your sysadmin.

An example of a compliant password policy

TheJulyPlot
  • "this is not true" the top two answers say this... but isn't this just "he said, she said" without links to actual documentation backing the claim? Not that I think any rational person would say "security demands we must see the passwords"... but just saying "random internet dude #8765309 said I don't have to show the passwords and 100 other random people agreed" will be laughed out of the boardroom. – WernerCD Mar 11 '17 at 02:23
  • Which is why I included a link with a compliant policy that clearly and explicitly details each party's responsibilities. – TheJulyPlot Mar 11 '17 at 05:46
  • @WernerCD Near as I can tell, you have to *buy* the full text of the standard: https://www.iso.org/standard/54534.html. =/ So linking would seem to not be an option. Citing relevant passages may be possible, but you'd have to buy it to verify them... – jpmc26 Mar 11 '17 at 11:00

What ISO27001 says about passwords

From (https://advisera.com/27001academy/blog/2015/07/27/how-to-handle-access-control-according-to-iso-27001/) there is a summary about user passwords:

User responsibilities (subsection A.9.3)

This is a very short subsection (with one control only) that requires you to define how the users will keep their authentication information secret (e.g., protect their passwords). This is usually done through some document like the Acceptable Use Policy, which defines rules like these: do not write the passwords down, do not disclose them to anyone, do not use the same password in different systems, etc.

In essence if a user reveals his or her password the company fails the audit.

Importance of passwords

Your password is more important than your signature used to be in the old days. Because in the old days your signature could be forged, but nowadays your password is invisible (in theory at least).

Your password authenticates your User ID. Your User ID gives you certain but restricted powers within areas of your company. Accounting controls require separation of duties. For example a user who approves purchase orders cannot approve receipt of goods. A user who approves receipt of goods cannot approve vendor invoices.

If a criminal (or ISO27001 auditor or IT person) had access to all three passwords they could set up a fake vendor account, set up a fake purchase order, set up fake receipt of goods and pay funds to the fake vendor account.


This is against ISMS. I am ISO27001 audit certified and it is definitely not there. You have two groups of passwords:

  1. Personal: none of their concerns
  2. Enterprise: ISMS forces administrators to implement password policies, force you to change your password to meet their policies AND the auditor has to check the policy and how it is implemented/forced
Iraj Hedayati
  • Could you cite the relevant passages? – jpmc26 Mar 11 '17 at 11:04
  • @jpmc Considering that you have to buy the text, it might well be against copyright law. (I'm not a lawyer, so I dunno) – Nic Mar 12 '17 at 19:07
  • @QPaysTaxes I'd imagine you could make a "fair use" case based on "educational purposes." At the very least, though, it should be possible to point out which sections contain the relevant text. – jpmc26 Mar 12 '17 at 22:06
  • @jpmc26 Like I said, I'm not a lawyer. At the same time, though, it seems way iffier to me, and I'd personally rather not get sued in the first place and have to defend myself, even if I was sure I could win the case. – Nic Mar 12 '17 at 22:08
  • About ISO27001, you need to check if the organization is following their password policy. But what is the best practice in password policy is a different thing. There are resources about the ISMS best practices. One of them for sure that everybody agrees: "do not reveal your password". On the other hand, an auditor never asks for a password unless he/she is auditing if employees will follow this policy. – Iraj Hedayati Mar 12 '17 at 23:58
  • Ok, the auditor can check the policy by creating a new user and assigning him a password? Why must he see my password? Also a password is about responsibility (from my point of view) and if I reveal my password to my sysadmin, he will be able to log in to the system as me! – Bogdan Bogdanov Mar 14 '17 at 10:50

This might be the audit of the "do not share your password with anybody" policy, but there is never ever a reason to hand out your password. To ensure the password policy is enforced they might just force new passwords within the rules of the policy.

S.L. Barth
SchreiberLex

You may find this question on ServerFault of some use: https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants?s=1|2.3233

I would agree with other comments here that suggest that if this is what they 'require', it is better they reset all passwords to something they chose, and pass that information on to their auditor (in the real world, they should not be giving any passwords to the auditor).

Checking Wikipedia (https://en.wikipedia.org/wiki/ISO/IEC_27001:2005), I can see a section on password management, which begins by saying:

The password management deals with allocation, regulation and change of password rules of the organization

I suspect the emphasis should be on 'rules', not on 'passwords'.

iwaseatenbyagrue

Controversial answer time...

  • Number of times I've been 27001 audited: 3 I think, I don't really keep count myself.
  • Number of times 27001 (or 9000 for that matter) has required inspecting and reviewing the security of password storage (on a personal and institutional level): too many to count.
  • Number of times 27001 or 9000 has required me to provide someone directly with a password: 0.
  • Number of times 27001 or 9000 has required me to store a password somewhere other people can get at it: dozens of times.

The important thing ... Our auditing does require us to document passwords that other people should legitimately have, it does require us to document who should be able to login to certain high security systems, and it does require us to have a way to provide passwords to people. The key detail being that it doesn't require us to do so directly or in the clear.

Say you have an internal password management system that encrypts at rest, encrypts in transit, audit logs access and enforces restricted access ... this is a 27001 acceptable method of password handling. 27001 audit says you need to share a password with someone, it goes through that.

So, what sort of passwords should you be sharing? As few as possible.

  • Does it personally identify you to someone? You definitely shouldn't be sharing it, no one should be logging in to it.
  • Can you have multiple logins to the system? Make them and don't share them.
  • Can someone senior login to the system as a different user and reset the password? You probably shouldn't be sharing it, and you should probably be using individual logins anyway.
  • Can't create multiple accounts or can create them but they can't share some important requirement? Ok, fine, store those passwords, but you really shouldn't be using that login system.

Basically, good policies mandate just enough password storage such that the only person locked out of anything if an employee gets hit by a bus is that employee. So, the audit can ask someone to make sure the root passwords for the company servers are stored somewhere as a failsafe policy... it can't ask you to store your personal AD or helpdesk credentials.

In short, passwords should only be shared with someone if there is a justified need for that person to also log in to that account, and if that need can't be satisfied via a method that doesn't require you to provide said password. If both points aren't satisfied, raise a compliance issue with the company's security committee.

Hopefully that provides a slightly more realistic and non-binary view of the subject. There is a reason to provide passwords, it's rather important to know why someone thinks you should provide them before saying yes or no to the request.

To be fair, my job involves handling and/or setting primary administrator passwords for corporate resources occasionally. Most people audited by 27001 don't have that job responsibility.

Kaithar
  • The situation you describe is a very, very different one from the OP's situation. 27k allows for *shared passwords* (the concept, as a procedural and controlled process) but no admin will suddenly need to ask an individual for their password as a part of an audit. – schroeder Mar 12 '17 at 21:24
  • @schroeder you're probably right, but I wanted to highlight that there are legitimate reasons that someone would be asked to document passwords during an audit. It hinges on what "our passwords" refers to... From the original question we can assume that OP isn't referring to shared passwords but we can't be certain of that. More importantly, I wanted to be clear on why they might think 27k needs that and what it actually needs. In this case the distinction is important. – Kaithar Mar 12 '17 at 21:39

Of course it is not, as other answers pointed out. Your first efforts should go into changing the requester's mind.

If you are, despite your efforts, somehow forced to provide your password - get that request in writing.

You can then reply, also in writing, that you will provide the requester this information in a sealed envelope and that from that moment on you are not responsible for any actions performed via this account, whose password just became public knowledge at the request of management.

It is likely that you have in the past accepted (directly or indirectly) that you are in charge of the account, which is accessed by a password you are the only one to know. You have also probably accepted that you would not share this account.

WoJ

They can and should make a program where you input your current password and it checks if it meets the ISO requirements. The program could also check against the database to check if the password is really yours.

Anything else is madness and effectively makes your password worthless if accessible by too many people, though the administrators can probably access your accounts one way or another anyway. Who knows what you use your password for.

Peter Mortensen
HopefullyHelpful
  • I don't think they should write their own program for this. There already is software that verifies if a password fits certain criteria; hopefully built into the OS already. Let them use that instead. – S.L. Barth Mar 09 '17 at 14:20
  • It would be simpler and more robust to put those checks in place for new passwords and expire the old ones. – Schwern Mar 13 '17 at 04:37

All OS software nowadays includes methods of enforcing more stringent password rules, including those used for government security. Inspecting the passwords themselves is anathema to good security.

RGRHON
  • That doesn't answer the question as _it's not good security_ has nothing to do with _does ISO 27001 require us to reveal our passwords_. – DarkDust Mar 10 '17 at 21:20
  • It does, though, give a simple means of inspection without revealing the passwords to anyone - just have people change their passwords in a way that an OS with a strict password policy WILL ACCEPT THEM. This will prove the password is compliant. – rackandboneman Mar 13 '17 at 11:07
  • I don't think that it is good security - if someone reads (when I am providing it to the sysadmin) my password and logs in as me in the system - is this "good" security? – Bogdan Bogdanov Mar 14 '17 at 10:51