Password Security Policy: Managing the threat of shared passwords in enterprises.

password security policy

The effectiveness of any password security policy depends on users not sharing passwords. Popular circumstances where users believe their actions are justified include; delegating work to others and vacation coverage. Here we look at the danger of shared passwords and how to stop the threat through UserLock’s multi-factor authentication and contextual access controls.

An IT Security Policy should prohibit the sharing of passwords

At one point in the career of a fraud prevention officer, W. Benson Dana worked at a place where management had allowed one senior manager to collect the logon and email passwords of all the employees in a particular unit. There had been complete resistance to giving up this policy. The excuse was that this unit’s mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.

This of course is a direct violation of the IT security policy.

A user’s Active Directory (AD) password is unique to them and is not known by anyone else unless they share it, overtly or inadvertently. The members of the help desk who are so authorized can reset their password if they forget it. When that happens, they type in a new password that is again unknown to anyone else. IT systems monitor when passwords are changed, but not what the password is.

Prohibition to sharing passwords is a basic internal control

The prohibition of sharing passwords is a basic and standard internal control around the world. One of its primary purposes is to protect other employees from inappropriate suspicion in the event that an account is used for inappropriate purposes.

This is similar in concept to the requirement that each cashier uses their own cash drawer instead of a shared cash register drawer. If 2 people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.

If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal, or unethical purposes. One of the 2 will be falsely accused of the violation. If the matter is not resolved, they both will remain under the cloud of suspicion. That is a bad result.

Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. An Attorney General’s office recently terminated the employment of an employee, licensed to practice law, who was accused in connection to a pornography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach.

Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

Password sharing creates accountability and non-repudiation issues as User A, connected to the network with the credentials of User B, can access User B’s data and applications; send emails in their name, etc…

In the case when an employee has a planned leave, emails can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency situation, the help desk can perform this action.

Education alone is not enough to enforce a password security policy

Educating users about the dangers and consequences of password sharing is a step in the right direction. However, despite the education and numerous user security awareness programs, employees continue to share as there is no consequence on their own access to the network.

So what’s the strongest way to help bolster IT security and an inadequate password management policy?

Multi-Factor Authentication stops password sharing

UserLock mitigates the risk by making shared logins virtually impossible to use.

With multi-factor authentication (MFA) passwords might be shared, but another barrier – a second authentication factor – ensures only the genuine owner can access the network.

When MFA is in place, access is only possible when the user validates two authentication factors. For example, they enter their password followed by a second authentication request. This could be a code received via an application such as Google Authenticator or a press on a hardware device such as a YubiKey.


Multi-factor authentication, like any security approach, becomes even more powerful in conjunction with others. With UserLock, the context of the user’s authentication attempt can also be used to authorize, deny or limit user access. It helps further verify all users’ claimed identity.

Access can be prevented outside of certain hours. A user can only be allowed to connect from a specific machine. And the number of simultaneous logins can be restricted decreasing the ability of users to share their passwords, as it impacts their own ability to access the network. It also makes it impossible for a rogue user to seamlessly use valid credentials at the same time as their legitimate owner.

Learn more about UserLock and download a free, fully-functional trial. 

Share this post :


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.