Cyber-Security Concept of the Month – Password Sharing

Sharing user accounts is a common practice in some organizations: one or more people use the same login username and password for a system, application or website. From an administrative point of view it seems more convenient, since you don’t have to set up separate accounts for individual users, but this practice is a serious security risk.

Account management policies have three key concepts:

  • Identification – Users identify themselves with a unique identifier, such as a username.
  • Authentication – Users prove who they are with one or more authentication methods, such as a password, PIN, biometric, smart card, key fob, multi-factor phone app, etc.
  • Authorization – Users are authorized access to resources based on their proven identity.

When a username and password are assigned to and used by only one person, their activity in the system or application can be verified definitively. Once someone else starts using that username/password, you can’t be sure which person initiated a given action. For example, suppose an important file was deleted. If John and Mary both use the same generic account, “Accounting”, the log files would show that Accounting deleted the file, but you could not tell whether it was John or Mary who initiated the deletion. The more people who share an account, the more difficult it becomes to audit who performed an action.
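As an added example (not part of the original article), the following Python script applies the audit point above to a constructed authentication log: it flags any account that successfully logs in from more than one workstation within a short window, which is the trace a shared generic account like “Accounting” leaves and a personal account normally does not. The log format, host addresses and the 15-minute window are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample authentication log (not from the original article): the generic
# "Accounting" account logs in from two workstations minutes apart; personal accounts don't.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z user=Accounting src=10.0.0.12 result=success
2024-03-04T08:58:42Z user=Accounting src=10.0.0.37 result=success
2024-03-04T09:01:05Z user=jsmith src=10.0.0.12 result=success
2024-03-04T09:03:30Z user=mjones src=10.0.0.37 result=success
2024-03-04T09:05:12Z user=mjones src=10.0.0.99 result=failure
2024-03-04T13:10:00Z user=Accounting src=10.0.0.12 result=success
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' records into (ts, user, src, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, kv["user"], kv["src"], kv["result"]))
    return events

def find_shared_accounts(events, window=timedelta(minutes=15)):
    """Return {account: [hosts]} for accounts with successful logins from more than
    one source host inside a single `window`. Failed attempts are ignored: only a
    success shows the account was actually used, and that is the audit gap here."""
    by_user = defaultdict(list)
    for ts, user, src, result in events:
        if result == "success":
            by_user[user].append((ts, src))
    suspected = defaultdict(set)
    for user, logins in by_user.items():
        logins.sort()  # chronological order so the window scan can stop early
        for i, (ts_i, src_i) in enumerate(logins):
            hosts = {src_i}
            for ts_j, src_j in logins[i + 1:]:
                if ts_j - ts_i > window:
                    break
                hosts.add(src_j)
            if len(hosts) > 1:
                suspected[user].update(hosts)
    return {user: sorted(hosts) for user, hosts in suspected.items()}

if __name__ == "__main__":
    for account, hosts in find_shared_accounts(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: logins from {', '.join(hosts)} within one window")
```

A real deployment would read the authentication source your systems actually produce (Windows Security events, syslog, an IdP’s sign-in log) and tune the window to your environment; the detection idea is the same.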

Sharing passwords can also give users access to resources they should not have. For example, when a physician shares his/her password with an administrative assistant, the assistant could order prescriptions or tests while posing as the physician; they could essentially do anything the physician can do. Another consideration: when there is no formal tracking of who is using the username/password, what happens when one of those users leaves the company? Is there any process to make sure the password gets changed?

Best security practice is to NEVER share accounts. It may take more administrative effort to create another account, but it helps keep your systems and applications more secure.