Most people today are aware of the risks involved in sharing any confidential information online. High-profile companies like Quora and British Airways have gone through disastrous data breaches in the last couple of years. And at least 79% of Americans are concerned about the safety of their digital data. And yet, despite all that, account and password sharing remains a rampant problem for companies.
According to the 2019 Global Password Security Report, employees share passwords upwards of 10 – 14 times, on average. The number is a little lower for large companies, at around four shares, but that is still four times too many. That same report also revealed that employees tend to take their bad habits to work too, by reusing old passwords at least 13 times.
Another survey suggests that around 52% of employees don’t see the risks involved with sharing passwords. It explains why employees are the biggest threat to any company’s security systems. Here’s a breakdown of why password sharing is a bad idea, and what companies can do about it (also consider getting cyber insurance in place for when an attack is successful).
The dangers of sharing accounts and login credentials
Employees don’t (usually) share credentials with malicious intentions. Password sharing makes it easier to delegate tasks between different people.
Those who need to have access to company accounts, like social media profiles, tend to share those between themselves. When someone’s out of the office, it’s easier to give a co-worker their password than trying to deal with it themselves. These are all valid reasons to share passwords.
But looking at the security implications of these actions, it’s seldom a good idea. Information security professionals work hard to secure digital assets. And account sharing can undo all that. It’s much harder to keep track of accounts when they’re being shared.
So when something happens, it’s much harder to figure out what happened and who’s at fault. Worse yet, when an employee leaves the company, they could still have access to those accounts.
Policies should intervene
It is up to management and CISOs to ensure that security protocols are set out and met. These should always acknowledge password and account sharing practices. Here are a few ways to address this problem:
- Put systems in place to ensure password safety.
- Educate employees on safe password habits.
- Don’t encourage employees to share passwords in ways that compromise company security.
- Accommodate employees’ need for sharing passwords and provide safe ways to do so.
Don’ts: The ways employees usually share passwords
Employees usually share passwords and accounts in the most convenient ways possible. They use messengers, emails, or direct messages on social media. Some people even prefer saving their passwords in a text document or writing them down. This way, it’s easy to share them around as needed or to remember for the future. But all these examples are horrible ways to go about it. Fortunately, there are better options.
Do’s: Ways to safely share accounts & passwords
Sometimes companies need employees to share passwords and accounts. It can be for collaborative and task management reasons. And it won’t change either, owing to how embedded digital tools have become in daily business functions. To that end, here are two much more secure ways employees can go about sharing their accounts and login credentials.
Sharing sessions through multi-user tools
Tools exist that let employees share their sessions, and thus all of the accounts they’ve logged into, with others. These tools usually come in the form of browser extensions and require only the person who shares their session to log in. They share the sessions as cookie files, which stay encrypted by the tool. So even if some party intercepts them, they won’t be able to see anything relevant.
This method works for anyone who works remotely as well. Such tools often emulate the original computer or device. As a result, social media sites and other accounts won’t throw up red flags if someone is logging in from another location. But keep in mind that any personal accounts logged in on that device will be visible as well.
Using password managers to share passwords
Password managers are great. They secure passwords, generate stronger passwords, and neutralise password reuse. But some password managers also enable secure password sharing with other users.
You can share a password like a document stored in a cloud. Type in the receiver’s email address, and they will see those credentials in their password manager account. No need to send the password through other means, and it stays encrypted at all times.
Moreover, password managers generally employ zero-knowledge encryption. It means that even the company behind the software cannot see the passwords people save on their accounts. A password manager also makes account management much less complicated. The owner of the passwords can revoke access when an employee no longer works at the company.
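The sharing and revocation flow described above can be sketched in code. This is an added example, not code from the original article or from any password manager; it assumes one common design (a random per-item key wrapped with each user's RSA public key), and the function names and e-mail addresses are hypothetical.

```javascript
// Added illustration (not any vendor's implementation): sharing one vault item
// by wrapping its random item key for each recipient's public key.
const nodeCrypto = require('crypto');
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Hypothetical user record; the private key stays on the user's device.
function newUser(email) {
  const keys = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { email, publicKey: keys.publicKey, privateKey: keys.privateKey };
}

const wrapKey = (user, itemKey) =>
  nodeCrypto.publicEncrypt({ key: user.publicKey, ...OAEP }, itemKey);

// The returned record is all the service stores: ciphertext plus wrapped keys.
function createItem(owner, password) {
  const itemKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', itemKey, iv);
  const ct = Buffer.concat([c.update(password, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag(), wrapped: { [owner.email]: wrapKey(owner, itemKey) } };
}

function unwrapKey(record, user) {
  const blob = record.wrapped[user.email];
  if (!blob) throw new Error(`no access for ${user.email}`);
  return nodeCrypto.privateDecrypt({ key: user.privateKey, ...OAEP }, blob);
}

// Sharing: a current holder unwraps the item key locally and re-wraps it for the recipient.
function share(record, holder, recipient) {
  record.wrapped[recipient.email] = wrapKey(recipient, unwrapKey(record, holder));
}

// Revoking removes the wrapped key; the shared password itself should also be
// changed, since the former holder may already have seen it.
function revoke(record, email) {
  delete record.wrapped[email];
}

function openItem(record, user) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', unwrapKey(record, user), record.iv);
  d.setAuthTag(record.tag);
  return Buffer.concat([d.update(record.ct), d.final()]).toString('utf8');
}
```

The stored record never contains the plaintext password or the raw item key, which is what lets the service hold it without being able to read it.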
What’s the problem then? A recent SurveyMonkey poll showed that only 12% of American workers say they use a password manager. So many are either not aware of password managers and their functions or do not know how to use them.
Password sharing is the solution
Password sharing is a widespread occurrence. It is the easiest, quickest fix to digital collaboration barriers. Companies need to address this practice and provide safer options for employees to access shared accounts. People need to be able to share information without undermining the safety of any company resources.