Back to Basics (4) – Password Sharing
Password sharing is one of the quickest ways to break down the Authentication, Authorisation and Accountability (AAA)*** in any organisation – quickly defeating your cyber security preparations.
Sharing your password is not caring…
Our team often comes across instances of password sharing, usually for one of the following reasons:
- The user is on holiday and someone wants to log in under their identity to use specific software on their machine.
- Management wants to retain access to any computer at any time – probably for some unspecified reason.
Both of these reasons look perfectly valid at first glance – but let me explain a couple of reasons why they are bad cyber security decisions.
Password as Identity
In this mini-series, I have been trying to emphasise that the humble password needs care and attention as it is a key part of your cyber security (I know passwordlessness is coming but it is not here yet – so the password is still important).
The password is important as when you use it to log in, it identifies you to the system and any monitoring and logging systems associated with that device/network/app, etc. If you share your password with someone else and they log in using your credentials, the system will think (know) it is you. Any subsequent investigation, for either a good or bad incident, will prove that, according to the logs, you did it – negating the accountability of your systems.
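Because the logs record only the account name, one sign of a shared password is the same account being in use on two machines at once. The following is an added example, not part of the original article, run over constructed session records; the record layout, account names and host names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records: (account, host, logon time, logoff time).
SAMPLE_SESSIONS = [
    ("asmith", "WS-014", "2024-03-04 08:55", "2024-03-04 17:10"),
    ("bjones", "WS-021", "2024-03-04 09:02", "2024-03-04 12:30"),
    ("bjones", "WS-007", "2024-03-04 10:15", "2024-03-04 11:40"),  # second host, overlapping
    ("asmith", "WS-014", "2024-03-05 09:00", "2024-03-05 16:45"),
    ("cpatel", "WS-030", "2024-03-05 08:30", "2024-03-05 12:00"),
    ("cpatel", "WS-031", "2024-03-05 13:00", "2024-03-05 17:00"),  # second host, no overlap
]
FMT = "%Y-%m-%d %H:%M"


def group_by_account(sessions):
    """Parse timestamps and group sessions as {account: [(start, end, host)]}."""
    grouped = defaultdict(list)
    for account, host, start, end in sessions:
        grouped[account].append(
            (datetime.strptime(start, FMT), datetime.strptime(end, FMT), host))
    return grouped


def concurrent_use(sessions):
    """Return {account: [(host_a, host_b, overlap_start, overlap_end)]} for
    accounts logged in on two different hosts at the same time."""
    findings = {}
    for account, rows in group_by_account(sessions).items():
        rows.sort()  # order by logon time
        hits = []
        for i, (start1, end1, host1) in enumerate(rows):
            for start2, end2, host2 in rows[i + 1:]:
                if start2 >= end1:
                    break  # sorted by start, so no later session overlaps
                if host1 != host2:
                    hits.append((host1, host2, start2, min(end1, end2)))
        if hits:
            findings[account] = hits
    return findings


if __name__ == "__main__":
    for account, hits in concurrent_use(SAMPLE_SESSIONS).items():
        for host_a, host_b, start, end in hits:
            print(f"{account}: on {host_a} and {host_b} from {start} to {end}")
```

An overlap is a lead for review rather than proof of sharing, since one person can legitimately be signed in on two machines.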
Password = PIN
For users of Windows Pro machines, remember that the PIN you are using in place of your password to confirm your identity and gain access is the equivalent of your password. So the same rules apply to it as to your password.
Your Password is Your Password
Coming back to the original reasons why management may share passwords – there are better ways to achieve those outcomes, without sharing a user password, so retaining the AAA of your cyber security plan.
Do you want to know what those ways are? Then now is when you need to contact us!
Next
The final part of my password mini-series – yes, I still have one more thing to say about passwords.
Clive Catton MSc (Cyber Security) – by-line and other articles
Further Reading
Credentials – Why are they so important in cybersecurity?
*** Here is a mini-series explaining AAA
Authentication – Who Do You Let In?
Authorisation – It Shows You Care.
Accountability – It Shows You are Watching.