Password Managers – An Ethical Requirement?

In the article Your Pa$$word Doesn't Matter the author Alex Weinert says “ – your password, in the case of breach, just doesn’t matter – unless it’s longer than 12 characters and has never been used before – which means it was generated by a password manager”. The article goes on to note “your account is more than 99.9% less likely to be compromised if you use MFA”. This introduces a clear ethical issue for anyone not using a password manager and MFA (multi-factor authentication). Consider the following questions in relation to the five fundamental principles of ethics:

Professional Behaviour

Are the steps you take to protect the information entrusted to you an indicator of your professional behaviour?

Integrity and Due Care

Do you have an ethical requirement to take the necessary steps to ensure the integrity and Due Care of data?

Professional Competence

Do you have the professional competence to implement security over your organizations data?

Confidentiality

Is your organization maintaining the confidentiality of data?

Objectivity

Is your organization able to remain objective when assessing the risks of a data breach?
 
As you answer the questions consider if a competent and objective outsider may be needed by your organization to properly assess the risks and aid with the policy and procedural changes required.

As we apply the five fundamental principles of Ethics it will become clear to some that using password managers and MFA is an ethical requirement.

For others they do not see a password manager and MFA as an ethical requirement. Opinions on what is ethical behaviour and was is not is often diverse.  If your organization is not using password managers and MFA hopefully this will start the conversation.