Why sharing passwords is a bad idea


This week the privacy regulator has cautioned MPs over sharing their passwords with their staff after a number of tweets revealed they were engaged in the practice. Whilst this is the easiest way to provide access to your account when people need to access your data, the regulator is absolutely on the money when it comes to their warning – you should never give anyone your user credentials.

Your account is no longer secure

By granting anyone else your user credentials, you are seriously compromising the security of your account, because from the moment they have access, you don’t know what they are going to do with your access details.

They may write them down and store them in an insecure location, or they may store them on an insecure or compromised device (or a device that is later compromised). Or you may have emailed them, and email is an inherently insecure messaging system.

Most likely the person you have trusted with your account details didn’t mean to compromise your account, but they likely haven’t thought through the wider implications of the account getting compromised and thus will not take necessary steps to secure the information.

More privileges than they need

The reason you may want to give someone access to your account is so they can access some sort of data, but we must remember that in using our account, they will have access to everything else in our account, such as email, logins to other systems (if you store your passwords in a password manager either without a master password or with the same password), and they can act on your behalf.

It will be logged as you

Any actions that the person you have granted access to performs will be recorded as you, so if the person you gave access to decides to, for example, access inappropriate content, the system administrator or in some cases the police will come looking for you.

Going back to your account security, it could be that the person you gave access to didn’t keep the details secure and someone else got hold of them, but the outcome will be the same: not an easy conversation.

They could access other accounts

Passwords are hard to remember, and most people cannot remember more than 2 or 3, and this leads to the biggest problem with passwords – using the same one across multiple systems. By sharing your passwords with other people, this could easily lead to multiple systems being compromised through your accounts.

If they leave you will have to change your password

What happens when the person you trusted decides they want to move on from your organisation? You are going to have to revoke their access, which means changing your password and remembering a new one.

The Solution?

Create an account on the system the user is required to access and grant them only the privileges they need to perform the task you require them to perform. This may not always be easy, especially if it is something like email where you may have to get a system administrator involved to get it set up.

But the consequences of your account being compromised could be far reaching, resulting in data leaks, financial loss, reputation damage, and although unlikely, even prison.

So next time you need to grant access to something to a member of your staff, take the time to properly set up an account for that user, and grant them only the access they need. Then any actions they perform will be logged as them, and you can securely revoke access at any time.
