The effectiveness of any password security policy depends on users not sharing passwords. The following is a guest post from W Benson Dana on a real world situation from his working career.
This article was originally published on Internal Control Freak, W. Benson Dana’s blog, where you will find other stories related to fraud prevention, accounting and business advice.
At one point in my career, I worked at a place where management had allowed one senior manager to collect the logon and email passwords of all the employees in a particular unit. There had been complete resistance to giving up this policy. The excuse was that this unit’s mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.
An IT Security Policy that should prohibit the sharing of passwords
I called a meeting. Here is my description of the meeting agenda:
« The aim today is to discuss the specific IT security policy that prohibits the sharing of passwords. I understand that the unit has a password security policy where the Assistant Director must have the AD (Active Directory) password of at least a subset of the unit’s employees, if not all. This is a direct violation of the IT security policy.
I am not aware of any other unit in the company with a similar policy. If it were, that unit would receive the same degree of scrutiny. I am not interested in discussing any other unit’s policies or procedures, unless anyone knows of a similar policy.
Your AD password is unique to you and is not known by anyone else unless you share it, overtly or inadvertently. The members of the help desk who are so authorized can reset your password if you forget it. When that happens, you type in a new password that is again unknown to anyone else.
Our IT systems monitor when passwords are changed, but not what the password is.
Prohibition on sharing passwords is a basic internal control
The prohibition on sharing passwords is a basic and standard internal control around the world. One of its primary purposes is to protect other employees from inappropriate suspicion in the event that an account is used for inappropriate purposes.
This is similar in concept to the requirement that each cashier use their own cash drawer instead of a shared cash register drawer. If 2 people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.
If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal or unethical purposes. One of the 2 will be falsely accused of the violation. If the matter is not resolved, they both will remain under the cloud of suspicion. That is a bad result.
Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. The Maine Attorney General’s office recently terminated the employment of an employee, licensed to practice law in Maine, who is accused in connection to a pornography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach. I am not interested in discussing anything related to trusting employees.
Are passwords inadvertently shared? Probably. Does that make it right or smart? No.
In the case when an employee has a planned leave, email can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency situation, the help desk can perform this action. I’m interested in knowing how many such emergency situations have occurred in the past 6 to 12 months. I am not inclined to plumb the depths of history with respect to this one aspect of the discussion. »
Following this meeting, I was successful in getting the unit to stop sharing passwords.
The effectiveness of any password security policy depends on users not sharing passwords.
Popular circumstances in which users believe their actions are justified include:
- Delegating work to others
- Vacation coverage
Password sharing creates accountability and non-repudiation issues: User A, connected to the network with the credentials of User B, can access User B’s data and applications, send emails in User B’s name, and so on.
Is Education alone good enough to enforce a password security policy?
Educating users about the dangers and consequences of password sharing is a step in the right direction. One of the primary purposes of a password security policy is to protect all employees from inappropriate suspicion in the event that an account is used for inappropriate purposes, and so to avoid situations where an employee is interviewed by the police or internal audit as a suspect in a crime.
However, despite this education, users continue to share credentials because doing so has no consequence for their own access to the network.
UserLock, a tool to stop the threat of shared passwords
So what is the strongest way to bolster IT security and shore up an inadequate password management policy?
Limiting or preventing concurrent logins decreases the ability of users to share their credentials, as it impacts their own ability to access the network.
Preventing concurrent logins to a Windows network is among the security features of UserLock. On a UserLock-protected network, a user cannot share their password without taking a major risk of being unable to log on themselves. What better motivation to adhere to the password security policy and help companies and organizations protect their critical assets!
It also makes it impossible for a rogue user to seamlessly use valid credentials at the same time as their legitimate owner. It avoids serious accountability and non-repudiation issues.
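The two points above (the accountability gap that shared credentials create, and the way a concurrent-session limit turns sharing into a cost for the password’s owner) can be seen in a small model. The following is an added example written for this article; it is not UserLock’s code and does not describe UserLock’s internals. The policy class, the account name jdoe and the workstation names are constructed for the scenario, and the audit-trail review helper is an assumption about what a security team would want to pull out of such a log.

```python
# Added example (not UserLock's code): a minimal model of a per-account
# concurrent-logon limit, plus the review a security team could run over
# the audit trail it produces. Account and workstation names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class ConcurrentLogonPolicy:
    """Allow each account at most `max_sessions` simultaneous interactive sessions."""
    max_sessions: int = 1
    # account -> workstations where it currently holds a session
    active: Dict[str, List[str]] = field(default_factory=dict)
    # (event, account, workstation, detail) tuples, in the order they occurred
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def logon(self, account: str, workstation: str) -> bool:
        """Return True if the logon is permitted under the policy, else False."""
        sessions = self.active.setdefault(account, [])
        if workstation in sessions:
            # Re-authenticating on the same machine is not a new session.
            self.audit.append(("LOGON", account, workstation, "existing session"))
            return True
        if len(sessions) >= self.max_sessions:
            # A second session from elsewhere: either the owner moved without
            # logging off, or someone else is using the owner's credentials.
            self.audit.append(("DENIED", account, workstation,
                               "already active on " + ",".join(sessions)))
            return False
        sessions.append(workstation)
        self.audit.append(("LOGON", account, workstation, "new session"))
        return True

    def logoff(self, account: str, workstation: str) -> None:
        """Release the account's session on the given workstation, if any."""
        sessions = self.active.get(account, [])
        if workstation in sessions:
            sessions.remove(workstation)
            self.audit.append(("LOGOFF", account, workstation, ""))


def denied_from_other_workstations(audit) -> Dict[str, List[str]]:
    """Accounts whose logon was refused because a session already existed elsewhere.

    Each such event is a data point for the "is this password being shared?"
    review: the account holder can be asked whether they were at that workstation.
    """
    result: Dict[str, List[str]] = {}
    for event, account, workstation, _detail in audit:
        if event == "DENIED":
            result.setdefault(account, []).append(workstation)
    return result


def run_scenario() -> Tuple[bool, bool, bool, bool, Dict[str, List[str]]]:
    """Constructed scenario: a manager holds employee jdoe's password (hypothetical names)."""
    policy = ConcurrentLogonPolicy(max_sessions=1)
    employee_ok = policy.logon("jdoe", "WS-FINANCE-07")        # jdoe at their own desk
    manager_ok = policy.logon("jdoe", "WS-ASSTDIRECTOR")       # same account, other desk: refused
    policy.logoff("jdoe", "WS-FINANCE-07")                     # jdoe leaves for the day
    manager_later_ok = policy.logon("jdoe", "WS-ASSTDIRECTOR") # now the only session: allowed
    employee_back_ok = policy.logon("jdoe", "WS-FINANCE-07")   # owner locked out of own account
    return (employee_ok, manager_ok, manager_later_ok, employee_back_ok,
            denied_from_other_workstations(policy.audit))


if __name__ == "__main__":
    print(run_scenario())
```

The last step is the one the article relies on: while the manager is using the shared password, jdoe cannot log on at their own desk, so the person who gave the password away feels the consequence directly. The refused events in the audit trail are also the evidence a reviewer needs to ask the account holder about the second workstation instead of leaving both people under suspicion.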
Implementing strict password and account management policies and practices is one of 19 CERT best practices that organizations should implement across the enterprise to prevent and detect insider threats. This article looks at how UserLock can help an organization implement some of these practices.
UserLock is a unique software solution that gives CSOs and Network Administrators the means to secure access to their Windows network.