This week the privacy regulator has cautioned MPs over sharing their passwords with their staff after a number of tweets revealed they were engaged in the practice. Whilst this is the easiest way to provide access to your account when people need to access your data, the regulator is absolutely on the money when it comes to their warning – you should never give anyone your user credentials.
Your account is no longer secure
By granting anyone else your user credentials, you are seriously compromising the security of your account, because from the moment they have access, you don’t know what they are going to do with your access details.
They may write them down and store them in an insecure location, or they may store them on an insecure or compromised device (or a device that is later compromised). Or you may have emailed the details to them, and email is an inherently insecure messaging system.
Most likely the person you have trusted with your account details didn’t mean to compromise your account, but they likely haven’t thought through the wider implications of the account getting compromised and thus will not take necessary steps to secure the information.
More privileges than they need
The reason you may want to give someone access to your account is so they can access some sort of data, but we must remember that in using our account, they will have access to everything else in our account, such as email, logins to other systems (if you store your passwords in a password manager either without a master password or with the same password), and they can act on your behalf.
It will be logged as you
Any actions that the person you have granted access to performs will be recorded as you, so if the person you gave access to decides to, for example, access inappropriate content, the system administrator or in some cases the police will come looking for you.
Going back to your account security, it could be that the person you gave access to didn’t keep the details secure and someone else got hold of them, but the outcome will be the same: not an easy conversation.
They could access other accounts
Passwords are hard to remember, and most people cannot remember more than 2 or 3, and this leads to the biggest problem with passwords – using the same one across multiple systems. By sharing your passwords with other people, this could easily lead to multiple systems being compromised through your accounts.
If they leave you will have to change your password
What happens when the person you trusted decides they want to move on from your organisation? You are going to have to revoke their access, which means changing your password and remembering a new one.
Create an account on the system the user is required to access and grant them only the privileges they need to perform the task you require them to perform. This may not always be easy, especially if it is something like email where you may have to get a system administrator involved to get it set up.
But the consequences of your account being compromised could be far reaching, resulting in data leaks, financial loss, reputation damage, and although unlikely, even prison.
So next time you need to grant access to something to a member of your staff, take the time to properly set up an account for that user, and grant them only the access they need. Then any actions they perform will be logged as them, and you can securely revoke access at any time.