These gross errors in password management that end up in court


On paper, the rules of digital hygiene are well known: a strong password, changed when necessary, stored in a digital safe and obviously not kept on a post-it. If Apple, Google and Microsoft have just announced their intention to do away with the password by replacing it with authentication via your smartphone, it is because in practice this very often fails. The consequences can go very far, as shown by a criminal case judged by the 12th correctional chamber of the Paris judicial court this Monday, May 9.

At its origin, this is a fairly ordinary dispute between a management and one of its employees. A medium-sized Île-de-France association working in the social sector is suing its former financial accountant. He is suspected of having hacked the CEO’s mailbox in June 2021. For the complainants, it is espionage motivated by “jealousy, over a story of bonuses”, says Aurélien Wulveryck, the association’s lawyer. A case which, he adds, was also pleaded on another aspect before the industrial tribunal.

Baroque password management

But this simple affair was made singularly confusing by the baroque management of passwords. This also left the magistrates puzzled, and they handed down a very measured decision. The defendant was cleared of the charges of hacking the messaging system and breaching the secrecy of correspondence, and was sentenced only to a suspended fine of 1,000 euros for an attempted access, the only offense retained within the scope of the proceedings.

What are these errors? The first is a big one. According to the association’s general manager, during a migration to the Office 365 suite carried out two years ago, the IT service provider suggested sending the identifiers and passwords of the organisation’s directors by email to the accounting manager. It was then up to him to print the email and store it in the physical safe located in his office.

“We don’t really see the point”, remarked an assessor magistrate in surprise, brandishing a sheet, evidently the paper printout of the message. “It was so as not to drag it out: it is clear that the computer specialist should have sent me his lists”, agrees the general manager. “It is also shocking that the management has the passwords of the employees”, reacts the presiding judge, Rouaud. If the fear is losing data because a password has been misplaced, it is better to store it in a digital safe, that is, a password manager. Sending it by e-mail is conceivable, but the message would then have to be encrypted.

Major misunderstanding

In any case, sending the passwords was at least the source of a major misunderstanding. For the former accounting manager, this sending amounted to an access authorization. “The general manager knew I had them,” he recalls on the stand. Which explains why, while on sick leave, he logged into his superior’s mailbox with such ease. He just wanted to know where a merger project stood, he says on the stand. During questioning, he had admitted to an “unhealthy curiosity”. “He had no malicious intent,” insists his lawyer Jean-Baptiste Laplace. “But were you authorized to access this mailbox?” asks one of the magistrates. “It was not forbidden,” he retorts.

This mismanagement of passwords was compounded by problems in how the mailboxes were organized. The association, for example, had to access the mailbox of a director on sick leave to follow up on an important grant file requested from the Île-de-France region. To cover possible absences, it is simpler to create generic e-mail addresses, such as “management” or “subsidy”, so that no one has to access an employee’s personal mailbox. “I had connected to other mailboxes at the request of the general manager for the continuity of service”, observes the defendant.
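The alternative the previous paragraph points to, delegated access to a generic mailbox instead of handing out a person’s password, looks like this in Exchange Online PowerShell for a Microsoft 365 tenant. This is an added example, not code from the case or the association; the tenant domain example.org, the mailbox name “Grants” and the user alice@example.org are assumed placeholders.

```powershell
# Added example (not from the article): a shared "grants" mailbox with delegated
# access, so covering an absence never requires anyone's personal password.
# example.org, the mailbox name and alice@ are placeholders.
Connect-ExchangeOnline

# 1. Create the generic mailbox. A shared mailbox is created with sign-in
#    disabled: nobody logs into it directly, it is reached only via delegation.
New-Mailbox -Shared -Name "Grants" -DisplayName "Grants" `
    -PrimarySmtpAddress "grants@example.org"

# 2. Delegate: a named person gets full access and may send as the mailbox.
#    Every action is then performed under the delegate's own identity, which
#    keeps the audit trail attributable and lets access be revoked per person.
Add-MailboxPermission -Identity "grants@example.org" -User "alice@example.org" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true
Add-RecipientPermission -Identity "grants@example.org" -Trustee "alice@example.org" `
    -AccessRights SendAs -Confirm:$false

# 3. Review who can currently open the mailbox (built-in entries filtered out).
Get-MailboxPermission -Identity "grants@example.org" |
    Where-Object { $_.User -notlike "NT AUTHORITY\*" -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 4. When the absence ends or someone leaves, revoke the delegation instead of
#    having to change a password that several people know.
Remove-MailboxPermission -Identity "grants@example.org" -User "alice@example.org" `
    -AccessRights FullAccess -Confirm:$false
Remove-RecipientPermission -Identity "grants@example.org" -Trustee "alice@example.org" `
    -AccessRights SendAs -Confirm:$false
```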

Finally, the association stumbled on the nature of its passwords. As read out in court, some were too simple, such as “rake” followed by a short string of digits. Above all, the passwords should have been changed regularly. “We are not really geeks: I did not even know that we could change it”, sums up the general manager. From now on, the association’s employees must mix upper and lower case letters and special characters in their passwords, and change them every six months.
