Why Are Shared Passwords Bad?
We all know that having shared passwords is bad and we are not supposed to have them, but if we ask a random person why, will they be able to say why? In this brief article, I will walk you through why sharing passwords is not a good idea and the various problems it can cause.
This article is geared for non-security professionals as a reference to help illustrate to others the reasons why shared logins are not a good idea.
Table of Contents
Lack of Attribution
The #1 reason sharing a password is not good is the lack of attribution. Attribution is the ability to trace an action to an individual or resource. In technical terms, this is called non-repudiation. If your password is shared and someone else uses it, then we cannot tell definitively who used that login.
Additionally, the more people who have access to something, the harder it is to keep it secret. Imagine if your co-worker doesn’t practice good security hygiene and stores the shared password in plaintext on their laptop or, even worse: on a sticky note under their keyboard. The attack surface, or the different entries that a hacker can use to access your data, just got bigger. More on threats here.
When a security incident occurs related to an account with a shared password, it will be very difficult, if not impossible, to determine the root cause of the incident. This, of course, makes it difficult for your security team.
Bad Habits Increasing Attack Success
When users are used to sharing and giving out their passwords, it creates a bad habit of sharing sensitive information. So, if an attacker pretends to be IT Support in a phishing attack and asks for your password, there already is a culture of sharing logins. A culture of sharing login information will likely increase the chances of success for the attacker.
Old Employees Have The Password
Let’s face it: changing passwords is hard and inconvenient. Changing a password shared by 5 or 10 people is really hard and inconvenient! So what happens is that the password never changes. As a result, when an employee or contractor comes and goes, the password doesn’t change. If the resource is externally accessible, now this person can also access the same resource.
Imagine that an incident occurs regarding the abuse of this shared login/resource. Not only could affect the 5, 10, or 50 people that have the shared login, but it could also affect other employees or contractors, going back to when the password was last changed! This increases the attack surface for the resource. If the resource was an IAM user or other service account, it could be disastrous for the company.
Conclusion
In security, we always want to reduce the attack surface of our assets to keep security more manageable. So, what are some solutions?
Here is a brief list:
Recommendations
- All user accounts should be tied to an actual individual and not shared.
- Shared email accounts should utilize the shared inbox feature supported by Exchange, O365, and GSuite (used to be shared inbox, but now called collaborative inbox).
- Executives and their assistance should utilize the delegate feature to allow access without sharing credentials. Here are instructions for O365 and GSuite.
- For service accounts, you can either:
- Utilize a vault like Hashicorp Vault or AWS Secrets Manager to store AND rotate credentials (best option).
- Utilize a password manager like 1Password or Dashlane and create a vault with only 2-3 users, max!
- One should at least be a manager.
- Rotate passwords when someone leaves the company, especially when it’s a termination for “cause.”
- Turn on the audit log, so you know when a password was accessed.
- Require 2FA to use the password manager.
If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.
Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.
