On paper, the rules of digital hygiene are well known: a strong password, changed when necessary, stored in a digital safe and obviously not on a sticky note. If Apple, Google and Microsoft have just announced their intention to do away with the password and replace it with smartphone-based authentication, it is because, very often, the password simply does not work. The consequences can go a long way, as shown by the criminal case heard by the 12th correctional chamber of the Paris judicial court this Monday, May 9.
At first sight, this is a fairly ordinary dispute between a management team and one of its employees. A medium-sized social-work association in Île-de-France is suing its former financial accountant, suspected of having hacked into the CEO's mailbox in June 2021. For the plaintiffs, this was spying motivated by "envy over the bonus affair," says Aurélien Vulveric, the association's lawyer. The case, he adds, has also been brought before the labour tribunal (prud'hommes) on another aspect.
Baroque password management
But this simple matter was made particularly confusing by the association's elaborate password management. It also gave the magistrates pause, and they handed down a very measured decision: the defendant was acquitted of the charges of hacking into the messaging system and violating the secrecy of correspondence, and was sentenced only to a suspended fine of 1,000 euros for attempted access, the sole offense upheld in the proceedings.
What were these errors? The first was a big one. According to the association's general director, the IT service provider proposed, during the migration to Office 365 carried out two years earlier, to e-mail the logins and passwords of the organization's directors to the accounting department. The recipient was then supposed to print the e-mail and store the printout in a physical safe located in his office.
"We really don't see the point," the assessor judge said in surprise, waving a sheet of paper, clearly a printout of the message. "So as not to be held up: it is clear that the IT technician had to send me his lists," the general director conceded. "It is also shocking that management has employee passwords," presiding judge Rouault then responded. If the fear is losing access to data when a password is lost, the password is better stored in a digital safe, that is, a password manager. Sending it by e-mail can be arranged, but then the message must be encrypted.
One way or another, sending the passwords around was at least a source of serious misunderstanding. For the former accountant, receiving them amounted to permission to access the accounts. "The general manager knew I had them," he recalled on the stand. This explains why, while on sick leave, it was so easy for him to connect to his boss's mailbox. He just wanted to know where the merger project stood, he said on the stand. During questioning he admitted to "an unhealthy curiosity." "There was no malice," insisted his lawyer, Jean-Baptiste Laplace. "But were you authorized to access this mailbox?" asked one of the magistrates. "It was not forbidden," he countered.
This mishandling of passwords was compounded by mailbox-access problems. The association, for example, had to get into the mailbox of a director on sick leave in order to check an important grant file requested by the Île-de-France region. To cover for an absence, it is simpler to create shared, generic addresses such as "management" or "grants" than to log into an employee's personal mailbox. "I have connected to other mailboxes at the request of the CEO to ensure continuity of service," the defendant noted.
The association also came to realize, belatedly, what its passwords looked like. As was read out in court, some were far too simple, such as "rake" followed by a short string of digits. The first step would have been to change them at all. "We are not really geeks: I didn't even know that could be changed," the CEO summed up. From now on, the association's employees must mix uppercase and lowercase letters and special characters in their passwords, and change them every six months.