Why sharing passwords is a Very Bad Idea

I think the following policy should apply to company user accounts (not personal ones like Facebook or Google accounts, but accounts at workplaces). The bigger the workplace, the more important these are:

  1. Access should be given to named individuals only.
  2. Account names should be based on individuals’ names.
  3. Credentials should not be shared.

Here are some positive reasons why the above items make a good policy:
  1. Having and communicating a policy says that we are serious about security and responsibility.
  2. Requiring an individual to be named clearly tells that individual that they are personally responsible.
  3. Having responsible named individuals means we know who to call or email about issues.
  4. The system administrators can track who did what when – for troubleshooting or for investigating abuse.
  5. The system administrators can revoke or modify one person‘s access without affecting anyone else.
  6. People can reset their own credentials without inconveniencing others.
  7. The system administrators can see how many people are actually accessing the account.
  8. Basing account names on real names simplifies identifying users e.g. in support requests.
  9. Basing account names on real names simplifies account name selection.
  10. Basing account names on real names helps people remember their account names.
  11. In some contexts, account names based of real names will assist other users in knowing who did what.

Here are some negative things that the above policy mitigates or avoids:

  1. Shared credentials expose the proper user to the consequences of the actions of others. This should worry the proper user.
  2. Sharing credentials without permission breaches the trust relationship with the system owners. They¬† may trust you, but they don’t necessarily trust the people you trust, and you have no right to presume that.
  3. With shared credentials, the system owners cannot ensure that other people get the required information to allow them to safely operate the systems they access. This puts the systems and possibly the users at undue risk.
  4. The system administrators will not know if the other people move on or go bad, and thus cannot revoke access when it should be revoked.
  5. Shared credentials will almost certainly be stored by the other people as well – multiplying the likelihood of the credentials getting compromised. This is especially true if any of the other people share other credentials with other people – such as their phone pass-codes, their digital wallet passphrases, or their computer login passwords.
  6. If the original user makes the (very common) mistake of re-using a password, that he or she then shares with other people, they will have inadvertently given those other people access to more things than they intended. This is especially serious with single sign-on systems.
  7. If one of the other people changes the credentials, it will block the proper user’s access.
  8. But more than anything else, sharing credentials is rude! If someone shares credentials without permission, or even worse does so after they have been explicitly asked not to, then they are basically saying that it’s OK for them to decide who has access to those resources, regardless of the owners’ wishes. It’s like giving a house key to a friend then finding out they cut more keys for their friends, so nobody knows who is really using the house.?
So I think the above policy is a good one, and recommend it to anyone who has to manage corporate user accounts.

Leave a Reply

Your email address will not be published. Required fields are marked *