Why password sharing is not a good idea
Before looking at why password sharing happens, it’s worth taking a moment to consider why it’s such a bad idea.
Your password is your virtual office key. Together with your login name, it gives you access to those parts of your office IT system that you’re entitled to access.
It is usually the case, at a minimum, that management, finance and operational staff have different access rights. Sometimes, operational staff may also be divided by project or department. There is only one way of controlling these access rights and that is by issuing passwords with the assumption that they’ll be kept secret — i.e. uniquely tied to the users to whom they are issued.
Users can change their own passwords and basic good security practice is that no one, including the IT department, should know your password and no one should ever ask you for it. Without this basic good practice, we lose that crucial link between named individuals and their system access rights. In an office in which password secrecy is not sacrosanct there is no reliable audit trail of who did what on the system and everybody has a watertight shield of deniability – someone else must have used my password.
Why it’s a terrible idea
Without password secrecy as a rock-solid, unbreachable policy, any idea of network security is meaningless.
But there is a more subtle psychological issue at stake here too.
Let’s say someone asked you to share your social media or bank login credentials. Would you do it? Probably not. That’s because there’s something important to you at stake – i.e. your reputation or your bank balance.
Now, even if you run a truly hierarchy-free company with absolutely no differences in access rights, if you allow or encourage your users to be casual about sharing their system passwords you’re making the statement that there’s nothing on your IT system worth protecting.
So if you then try to convince your staff that you care about business security, they’re simply not going to believe you. Bear in mind that employees are your first, and sometimes only, line of defence against the various cyber fraudsters out there looking to relieve your company of money.
To put it another way: If your staff think you don’t care about security, they won’t either.
Why we do it anyway
OK, there’s nothing controversial there, we all know we shouldn’t share our passwords. So why is it such common practice? Here are a few reasons we come across and some ideas about how to tackle them:
Senior people
Senior people: amongst the worst offenders and the biggest risk to the company.
Directors, owners and senior managers often have responsibilities that still need to be discharged when they’re not in the office. For this reason, they commonly share their passwords with their assistants and fellow senior managers.
If it is common knowledge that the MD’s assistant or office manager knows his or her password, then you can forget about convincing others that they shouldn’t share theirs.
The answer here is to analyse what these special responsibilities are and ensure that senior people have the necessary equipment to discharge them using mobile devices. Here’s a great example of security awareness and seniority not fitting well together.
Holidays and sickness
Holiday and sickness cover: if somebody, e.g. a salesperson, is away on holiday or off sick, somebody else needs to be able to log on to their computer to check their emails or other files.
It is beyond the scope of a short article to explain the configuration steps, but it is straightforward for your IT to configure permissions in such a way that these eventualities can be covered without throwing security out the window.
The all-seeing eye
The all-seeing eye or just in case: based on negative experiences with other companies, office managers are sometimes convinced that the only way to make sure they are in control is to maintain a list of all user passwords. This is a terrible idea for two reasons. First, users don’t tend to keep the office manager updated when they change their passwords, so the list goes stale. Second, for obvious reasons, security is weakened by keeping a list of everybody’s passwords anywhere it can be read, on your network or in your desk drawer, even if it is not easy to get at.
As above, IT can easily configure your system to cover your access to data when people leave, or other unforeseen events occur.
One simple question
There are plenty of other reasons, all equally unnecessary. If you are in the position of trying to end password sharing in your company a good way to tackle it is as follows:
- Ask the question, “what precise problem are we solving by sharing this password?”
- The only answer that’s not allowed is that there’s no precise problem and you’re sharing it “just in case”.
- Once you have identified the problem, before agreeing to share the password, ask IT if there is any other way of solving the problem.
There always is. And if they don’t have a solution you can always ask me. In fact, I would welcome the challenge of a password sharing scenario to which I couldn’t come up with a secure solution.
Other passwords
For the purpose of this article, I have only been looking at the passwords used to access office systems. There can still be a need to share passwords for online systems where, for example, you need to give credit card details for each user on the system and you only need one, e.g. for a domain registration. In a case like this it remains a terrible idea to keep a list of usernames and passwords. Instead, use a multi-user password manager such as LastPass.
Starting point
If you are looking for a place to start in tackling information security and anybody in your office shares their password as a matter of common practice, I hope this article has given you your starting point.
And, remember, if you find a scenario that hasn’t been addressed here or can’t be solved by your IT people, I would welcome the challenge.
You can always get in touch with us here.
Useful links
Microsoft Blog – Your Pa$$word doesn’t matter
Focusing on password rules, rather than things that can really help – like multi-factor authentication (MFA), or great threat detection – is just a distraction.