IS Decisions logo

IS Decisions Blog

Password security policy: Manage the threat of shared passwords in the enterprise

Preventing concurrent logins bolsters password security policy. It stops users sharing passwords as it impacts their own ability to access the network.

Updated July 10, 2023
Password Security Policy: Managing the threat of shared passwords in the enterprise

How effective any password security policy is depends on users not sharing passwords. But users often believe their actions are justified, especially when delegating work to others or preparing vacation backup. Here we look at the danger of shared passwords and how to stop the threat with UserLock’s multi-factor authentication and contextual access controls.

Your IT security policy should prohibit password sharing

At one point in the career of fraud prevention officer W. Benson Dana, he worked at a place where management had allowed one senior manager to collect the logon and email passwords of all the employees in a particular unit. There had been complete resistance to giving up this policy. The excuse was that this unit’s mission and objectives were unique (how many times does the internal auditor hear this excuse?) and that this arrangement was absolutely necessary.

This of course is a direct violation of the IT security policy.

A user’s Active Directory (AD) password is unique to them and is not known by anyone else unless they share it, overtly or inadvertently. The members of the help desk who are so authorized can reset their password if they forget it. When that happens, they type in a new password that is again unknown to anyone else. IT systems monitor when passwords are changed, but not what the password is.

Prohibiting password sharing is a basic internal control

Putting a stop to password sharing is a basic and standard internal control around the world. One of its primary purposes is to protect other employees from inappropriate suspicion in the event that an account is used for inappropriate purposes.

This is similar in concept to the requirement that each cashier uses their own cash drawer instead of a shared cash register drawer. If two people share a cash drawer, and one steals, they both come under suspicion. The employer owes its employees a duty to see that their employees cannot be falsely accused of inappropriate conduct.

If a password is shared, the person who knows another’s password now becomes automatically suspect whenever that user’s account is used for inappropriate, illegal, or unethical purposes. One of the two will be falsely accused of the violation. If the matter is not resolved, they both will remain under the cloud of suspicion. That's obviously a bad result.

Every employee in history who has been convicted of theft, embezzlement, or other crime was hired as a trusted employee. This policy has nothing to do with trust. An Attorney General’s office recently terminated the employment of an employee, licensed to practice law, who was accused in connection to a pornography violation. Until this was brought to light, this lawyer was considered a trusted employee above reproach.

Are passwords inadvertently shared? Probably. Does that make it right or smart? No.

Password sharing creates accountability and non-repudiation issues as User A, connected to the network with the credentials of User B, can access User B’s data and applications; send emails in their name, etc.

In the case when an employee has a planned leave, emails can simply be forwarded to another person. In the event an employee is sick, they can usually manage to log on, activate the forwarding feature, and log off. In an emergency, the help desk can perform this action.

Education alone is not enough to enforce your Windows network password security policy

Educating users about the dangers and consequences of password sharing is a step in the right direction. However, despite education and numerous user security awareness programs, employees continue to share as there is no consequence on their own access to the network.

So what’s the strongest way to help bolster IT security and an inadequate password management policy?

Stop password sharing with multi-factor authentication

UserLock bolsters password security and mitigates risk by making shared logins virtually impossible to use.

With multi-factor authentication (MFA) passwords might be shared, but another barrier a second authentication factor ensures only the genuine owner can access the network.

When MFA is in place, access is only possible when the user validates two authentication factors. For example, they enter their password followed by a second authentication request. This could be a code received via an application such as Google Authenticator or a press on a hardware device such as a YubiKey.

Multi-factor authentication, like any security approach, becomes even more powerful in conjunction with others. With UserLock, the context of the user’s authentication attempt can also be used to authorize, deny or limit user access. It helps further verify all users’ claimed identity.

Access can be prevented outside of certain hours. A user can only be allowed to connect from a specific machine. And the number of simultaneous logins can be restricted decreasing the ability of users to share their passwords, as it impacts their own ability to access the network. It also makes it impossible for a rogue user to seamlessly use valid credentials at the same time as their legitimate owner.

Try UserLock for free

3400+ organizations like yours choose UserLock to secure access for Active Directory identities and meet compliance requirements.

Download a free trial