Passwords are back in the news thanks to a politician’s unwitting post on Twitter. British MP Nadine Dorries admitted that her staff and interns all have access to her email through a shared password. As inevitable as a politician’s promise at election time, there was a stampede of commentators decrying such an obvious security fail.
The password palaver (more below) raises a much bigger question about acceptable security behaviour. What Dorries, and the MPs who defended her, were trying to say is that password sharing is normal. Nothing to see here. Move along. First of all, from a psychological perspective, admitting to incorrect behaviour tells others that it’s OK to behave the same way. But it doesn’t have to be like that.
Our password practices
This feels like an ideal opportunity for a teachable moment. If IT professionals or security teams review their organisation’s password practices, it could bring to light some unnecessarily risky behaviour. Maybe it’s been a while since the last security awareness training. Here’s how to do this effectively, and also ensure everyone understands what they need to do. If done regularly, it embeds security into employees’ everyday routines instead of making it a once-yearly interruption to their work. At BH Consulting, we recommend:
- Including senior staff in security awareness training initiatives
- Keeping regular contact between the security team and the users to ensure the correct security controls are in place to support the business need
- Updating employees regularly about the latest security threats, the measures in place to protect them, and why it’s important to adhere to security policies
Changing behaviour is one of the big challenges infosecurity professionals face. The key to doing this successfully is to repeat messages regularly: road safety messages do this very effectively. Constant, high-profile campaigns remind us to wear seatbelts, to keep to the speed limit, and not to drink-drive. Over time, these repeated messages have made those behaviours socially unacceptable. We need a similar approach with security, and awareness training is a great place to start. You can also find more advice on managing passwords in our post from earlier this year.
By an uncanny coincidence, the December edition of SANS’ Ouch Newsletter was all about reminding people to be careful with their logins. Earlier this year, the French data protection authority, CNIL, issued a set of minimum security recommendations for businesses and citizens concerning passwords. The post is available in English here.
Returning to Nadine Dorries, she tweeted that she shares her access credentials with staff and even temporary interns. Her motivation was seemingly to question a police allegation that MP Damian Green had accessed inappropriate material on his computer. The BBC gave a considered report of the story. For a more security-focused take, here’s Mathew Schwartz at Euro Security Watch.
Sharing is not caring
To play devil’s advocate for a moment, let’s suppose this password-sharing workaround exists for a good reason. Otherwise, in a busy office, how can people get the information they need to ensure work gets done if the boss is out? But here’s why sharing passwords is a bad way to accomplish this. A user ID should uniquely identify one person, so that any malicious or unauthorised activity on a particular machine can be attributed to that person. Once several people share the password, the ID no longer tells you who did what.
From a technical perspective, it’s possible to delegate access to others for answering email or using other applications. Most operating systems make it possible to set up access control so that designated people – like staff members or interns – have permission to view or edit certain files. This way, work carries on while complete logs are available for audit afterwards.
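As an added illustration (not from the post, nor BH Consulting’s code), here is a small Python model of that delegation approach: each person logs in as themselves, the mailbox owner grants and revokes rights per person, and the audit log records who actually did what. The user IDs, actions and scenario are constructed for the example.

```python
from dataclasses import dataclass, field
# Constructed example (not from the post): a minimal mailbox delegation model.
# Everyone logs in as themselves; the owner grants delegates specific rights, so
# every entry in the audit log names the person who actually acted.
@dataclass
class Mailbox:
    owner: str
    grants: dict = field(default_factory=dict)     # delegate ID -> set of actions
    audit_log: list = field(default_factory=list)  # (actor, action, result)

    def delegate(self, actor, delegate, actions):
        """Only the owner may grant rights, and the grant itself is logged."""
        ok = actor == self.owner
        if ok:
            self.grants[delegate] = set(actions)
        self.audit_log.append((actor, f"delegate:{delegate}", "ok" if ok else "denied"))
        return ok

    def revoke(self, actor, delegate):
        """Revocation is per person; nobody else's access changes."""
        ok = actor == self.owner and delegate in self.grants
        if ok:
            del self.grants[delegate]
        self.audit_log.append((actor, f"revoke:{delegate}", "ok" if ok else "denied"))
        return ok

    def act(self, actor, action):
        """Check the ACL, then attribute the action to the real actor."""
        ok = actor == self.owner or action in self.grants.get(actor, set())
        self.audit_log.append((actor, action, "ok" if ok else "denied"))
        return ok

def actors_for(mailbox, action):
    """Who successfully performed an action, read straight from the log."""
    return [a for a, act, res in mailbox.audit_log if act == action and res == "ok"]

def demo():
    # Constructed scenario: the owner delegates read access to an assistant and an
    # intern, only the assistant may send, and the intern's access is later revoked.
    box = Mailbox(owner="mp")
    box.delegate("mp", "assistant", ["read", "send"])
    box.delegate("mp", "intern", ["read"])
    box.act("assistant", "read")
    box.act("intern", "read")
    box.act("intern", "send")                    # denied: never granted
    box.delegate("intern", "friend", ["read"])   # denied: only the owner delegates
    box.revoke("mp", "intern")
    box.act("intern", "read")                    # denied: revoked
    return box
```

With a shared password every one of those log entries would name the owner instead, which is exactly the attribution the post says a user ID is meant to provide.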
Dorries may have been describing a genuine business problem, but there are easy ways to solve it while adhering to security policies.