
Security Sense: Password Policy Prevents Credential Sharing


I appreciate that this will sound like a profoundly obvious thing to say, but here goes anyway: don’t share your passwords with other people. I know, obvious right? Yes, this is where I recently found myself, pointing out the profoundly obvious password policy to people who really should know better. In this case, those people were British ministers of parliament who – for the purposes of convenience – were providing their credentials to other staffers so that they could chime in and handle email on their behalf. My observations on the matter were made initially via a casual tweet and later in a more extensive blog post.

To some extent, all that is old news, but there was a recurring theme in the responses to those two messages that I’d like to take issue with here. Time and again, I heard people say, “Well, if the technology didn’t get in the way then it wouldn’t be a problem.” This alarmed me on a number of levels, and I’ll start with the most obvious.

When an organization – be it public or private sector – stands up a corporate password policy, it’s not “it’d be kinda nice if you did this”, it’s “here are the things you must do." Acceptable use policies mandate you must lock your PC when you’re away from it. You must use it for business purposes. You must keep your password to yourself. These are usually rather black and white objectives not open to much (if any) interpretation. They’re also usually drilled into you via onboarding processes, annual training and those (frankly, kind of inane) security posters that are plastered over so many organizations. Ignorance is not an excuse.

Then there’s the whole argument of “Well, IT needs to meet business requirements and not impede them.” This is very true, and we often call IT an “enabling function” for that precise reason. But that doesn’t mean there’s license to say “because a policy is impeding me I’m going to just ignore it.” This is a two-way street, so if a password policy such as not sharing your credentials is getting in the way of business, tell the IT folks. In a case like that of the British politicians, there are very likely constructs available to address the underlying need: the concept of delegating access to staffers so they can email on your behalf is very well-established. This is a solved problem already.

And finally, a password policy tends to be there for very good reasons. The irony of this particular debate is that the sharing of passwords was used as an excuse to explain why one particular minister may not have been responsible for the adult entertainment material on his own PC. Maybe someone else regularly uses his credentials and it was their fault? There’s a beauty in the irony of how this unfolded, because that’s precisely the sort of thing unique credentials help us track down.
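The delegation construct mentioned above, and the audit trail that unique credentials preserve, as an added example (not code from the original column) in Exchange PowerShell; the mailbox identities are assumed placeholders and the session is assumed to be an Exchange Online or Exchange Server management shell:

```powershell
# Added example (not from the original column): give a staffer the ability to
# read and send mail on a principal's behalf without ever handing over the
# principal's password. Identities below are assumed placeholders.
$Principal = 'minister@example.gov'     # mailbox owner (assumed)
$Staffer   = 'staffer@example.gov'      # delegate (assumed)

# 1. Let the staffer open the mailbox (Full Access); Outlook auto-maps it.
Add-MailboxPermission -Identity $Principal -User $Staffer `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $true

# 2. Let replies go out as "Staffer on behalf of Principal", so recipients
#    can see who actually wrote the message.
Set-Mailbox -Identity $Principal -GrantSendOnBehalfTo @{Add = $Staffer}

# 3. Make sure mailbox auditing is on, so delegate actions are logged
#    against the delegate's own identity rather than the owner's.
Set-Mailbox -Identity $Principal -AuditEnabled $true

# 4. Verify who holds what on the mailbox: no shared secret anywhere,
#    just explicit, reviewable grants.
Get-MailboxPermission -Identity $Principal |
    Where-Object { $_.User -like '*@*' -and -not $_.IsInherited } |
    Select-Object User, AccessRights

# 5. Later, review what the delegate did. Because access was delegated instead
#    of a password being shared, each record names the staffer, not the owner.
#    (Assumes Search-MailboxAuditLog is still available in your environment.)
Search-MailboxAuditLog -Identity $Principal -LogonTypes Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, ClientIPAddress
```

Step 5 is the attribution point the column makes: with a shared password every action looks like the owner's, whereas with delegation the log distinguishes owner from delegate.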

I have no doubt that IT is regularly seen as presenting barriers rather than solutions and they can certainly be very good at that. But this just isn’t one of those cases where “because they made it hard on me” is ever a justifiable excuse and as many commentators have observed, that attitude may even end up getting you fired.
