Why Are Shared Passwords Bad?
We all know that sharing our passwords is a bad idea and we are not supposed to do it, but if we ask a random person why, will they be able to iterate why? In this brief article I will walk you through why sharing passwords is not good and the various problems it causes.
This article is geared for non-security professionals as a reference to help illustrate to others the reasons why shared logins are not a good idea.
Lack of Attribution
The #1 reason sharing a password is not good is the lack of attribution. Attribution is the ability to trace an action to an individual or resource. In technical terms this is called non-repudiation. If your password is shared and someone else uses it, then we cannot tell definitively who used that login exactly.
Additionally, the more people have access to something, the harder it is to keep it secret. Imagine now your co-worker doesn’t practice good security hygiene and stores the shared password in plaintext on their laptop or even worse on a sticky note under their keyboard. The “attack surface” just got bigger.
When a security incident occurs related to an account with a shared password it will be very difficult, if not impossible, to determine root cause of the incident. This of course makes it difficult for your security team.
Bad Habits Increasing Attack Success
When users are used to sharing and giving out their passwords, it creates a bad habit of sharing sensitive information. So if an attacker pretends to be IT Support in a phishing attack and asks for your password, there already is a culture of sharing logins. A culture of sharing login information will likely increase the chances of success for the attacker.
Old Employees Have The Password
Let’s face it, changing a password is hard and inconvenient. Changing a password shared by 5 or 10 people is really hard and inconvenient! So what happens is that the password never changes. As a result, when an employee or contractor comes and goes, the password doesn’t change. If the resource is externally accessible, now this person can also access the same resource.
Imagine now an incident occurs regarding the abuse of this shared login/resource? Not only could it be the 5, 10, or 50 people that have the shared login, but it could also be passed employees or contractors, going back to when the password was last changed! This increases the attack surface for the resource. If the resource was an IAM user or other service account, it could be disastrous for the company.
In security we always want to reduce the attack surface of our assets, which helps us keep security more manageable. So what are some solutions? Below is a brief list:
- For all user accounts, they should be tied to an actual individual and told not to share.
- For shared email accounts, utilize the shared inbox feature supported by Exchange, O365, and GSuite (used to be shared inbox, but now called collaborative inbox).
- For executives and their assistance, utilize the delegate feature to allow access without sharing credentials. Here are instructions for O365 and GSuite.
- For service accounts, you can either:
- Utilize a vault like Hashicorp Vault or AWS Secrets Manager to store AND rotate credentials. (Best Option)
- Utilize a password manager like 1Password or Dashlane and create a vault with only 2-3 users, max!
- One should at least be a manager.
- Rotate passwords when someone leaves the company, especially when it’s a termination for “cause”.
- Turn on the audit log so you know when a password was accessed.
- Require 2FA to use the password manager.