How to prevent employee password sharing
With the right policy, controls, and monitoring, you can minimize — if not completely stop — password sharing, and reduce the risk of a security breach.
You likely read this article title and thought to yourself “No way, my users don’t share passwords!” It’s reasonable to think that. After all, you do know your users best. However, let’s suspend your disbelief for a moment and consider: what are the consequences for your organization if they do?
One of the greatest risks to an organization today is the threat of data breach. Cyber criminals and insiders alike are keenly aware of the value of corporate data. According to Verizon's Data Breach Investigation Report, an internal actor is responsible for roughly 1 in 5 breaches. But both internal and external actor scenarios become more risky when password sharing is added to the mix.
In external attacks, threat actors seek out credentials to leverage as a means to expand their presence in your network. Should users share passwords, the threat actor has access to that many more sets of credentials on a given endpoint, increasing their chances of success. In insider threat scenarios, the malicious insider only has whatever access their own credentials provide them. But should they be the recipient of shared credentials, they potentially increase the scope of data they have access to as the basis of committing data theft, fraud, etc.
How common is employee password sharing, really?
In a word, very. Our 2017 study of workers in the U.S. and the U.K. found 49% of employees (from key departments like legal, HR, IT, Finance, and more) admit to sharing credentials with fellow employees. More recently, SurveyMonkey's 2021 research indicates that 1 in 3 U.S. employees share passwords with coworkers.
Both studies point to a significant number of employees sharing passwords with co-workers. Now before you click away thinking, “not where I work,” consider: have you ever really asked users if they are sharing passwords? Have you?
And even if you did, they know very well it is frowned upon — if not downright against company policy — so they’re not exactly going to tell you “Oh yes! I share my password with Sally all the time!” Believe the data – your users are sharing passwords.
How to keep employees from sharing passwords?
There are a few steps to take to stop password sharing.
Step 1: Implement and communicate company policy
The rise of Shadow IT in previous years has taught us users left to their own devices will work around IT to get their job done. This can include password sharing. So, establish a company policy prohibiting password sharing, but don't stop there. Communicate it to users. Remember, it’s not bad until you tell them it is.
Step 2: Enforce policies with controls
Assuming you’re working in a Microsoft environment, Active Directory does provide some control over which workstations a given user can log on from and at what times of day. While these controls are limited in scope at best (in reality, AD somewhat fails at providing true access controls), you should put something in place to limit when and where Sally’s password can be used by another user.
A more advanced set of controls, such as limiting concurrent logons and forcing logoffs outside of allowed times, is only available through third-party solutions.
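The two native controls mentioned above are the user's LogonWorkstations (userWorkstations) attribute and the logonHours attribute. The script below is an added example, not code from the original article or from any product; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, a test account named sally exists, and the logonHours bit layout is the one I describe in the comments (168 bits, Sunday first, stored in UTC, least-significant bit of each byte being the earliest hour). Verify the result in the account's Logon Hours dialog before applying it broadly, since the GUI shifts the display to local time.

```powershell
# Added example: restrict where and when an account can log on using native AD attributes.
# Assumes the ActiveDirectory module and a test user 'sally' (hypothetical account).
Import-Module ActiveDirectory

$user = 'sally'

# 1. Limit interactive logon to named workstations (NetBIOS names, comma-separated).
#    LogonWorkstations maps to the 'userWorkstations' attribute.
Set-ADUser -Identity $user -LogonWorkstations 'WS-SALLY01,WS-SALLY02'

# 2. Build a logonHours mask: 21 bytes = 168 bits, one per hour of the week.
#    Assumed layout: bit 0 = Sunday 00:00-01:00 UTC, bit 167 = Saturday 23:00-24:00 UTC,
#    least-significant bit of each byte first. A set bit means logon is allowed.
function New-LogonHoursMask {
    param(
        [int[]]$Days,      # 0 = Sunday ... 6 = Saturday
        [int]$StartHour,   # first allowed hour (UTC), inclusive
        [int]$EndHour      # last allowed hour (UTC), exclusive
    )
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $bit       = ($d * 24) + $h                 # 0..167
            $byteIndex = [int][math]::Floor($bit / 8)
            $mask[$byteIndex] = $mask[$byteIndex] -bor (1 -shl ($bit % 8))
        }
    }
    return ,$mask   # leading comma keeps the byte[] intact through the pipeline
}

# Allow Monday-Friday, 07:00-19:00 UTC only; every other hour is denied.
$hours = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 7 -EndHour 19
Set-ADUser -Identity $user -Replace @{ logonHours = $hours }

# 3. Read back what was written so the change can be checked against the ADUC dialog.
Get-ADUser -Identity $user -Properties LogonWorkstations, logonHours |
    Select-Object SamAccountName, LogonWorkstations,
        @{ n = 'LogonHoursHex'; e = { ($_.logonHours | ForEach-Object { $_.ToString('x2') }) -join '' } }
```

Note the limits the article points out: neither attribute stops a second person from using the password on one of the permitted workstations during permitted hours, and neither ends a session that is already open when the allowed window closes, so treat these as a floor rather than a complete control.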
Step 3: Monitor logons
Steps 1 and 2 are really about putting in place an environment that is not friendly to users sharing passwords. But to be sure these policies and controls are working, you need to know who is logging on where and when. Nothing beats visibility into whether Sally has logged onto two machines simultaneously, or is logging on from home on a Sunday morning at 3 a.m.
Unfortunately, Microsoft does little to centrally monitor logon activity. It’s logged on a per-system basis and requires, at a minimum, centralizing event logs combined with some kind of analysis and alerting.
What you’re trying to get here is not just information — such as when each user logs on — but actionable intelligence where you are informed of abnormalities that potentially are either violations of company policy or clear red flags of inappropriate behavior.
Since solutions focusing on centralizing event logs don’t normally have analytics (to look at multiple events to see when Sally’s logons look out of the norm), you should be looking for a third-party solution that specifically monitors logon activity.
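The two signals the section singles out, the same account active on two machines at once and logons at odd hours, are straightforward to express as rules once logon events are centralized. The script below is an added example, not code from the article or from any vendor product; it runs over a small set of constructed records shaped like the fields of Security event 4624 (time, account, workstation, logon type). In a real deployment you would build the same objects from a collector, for example with Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 }, and the business-hours values and one-hour overlap window are assumptions to tune for your environment.

```powershell
# Added example: flag concurrent-workstation logons and out-of-hours logons for one account.
# The $events below are constructed sample records, not real log data.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2023-05-01T09:02:00'; User = 'sally'; Workstation = 'WS-SALLY01'; LogonType = 2 },
    [pscustomobject]@{ Time = [datetime]'2023-05-01T09:15:00'; User = 'sally'; Workstation = 'WS-BOB03';   LogonType = 2 },
    [pscustomobject]@{ Time = [datetime]'2023-05-01T10:40:00'; User = 'bob';   Workstation = 'WS-BOB03';   LogonType = 2 },
    [pscustomobject]@{ Time = [datetime]'2023-05-07T03:05:00'; User = 'sally'; Workstation = 'VPN-GW01';   LogonType = 10 }  # Sunday 03:05
)

# Assumed policy values: Monday-Friday 07:00-19:00; two logons on different machines
# within one hour of each other are treated as "simultaneous".
$businessDays  = 1..5                      # [int][DayOfWeek]: 1 = Monday ... 5 = Friday
$businessStart = 7
$businessEnd   = 19
$overlapWindow = New-TimeSpan -Hours 1

function Test-OutsideHours {
    param([datetime]$Time)
    $dow = [int]$Time.DayOfWeek
    return ($businessDays -notcontains $dow) -or ($Time.Hour -lt $businessStart) -or ($Time.Hour -ge $businessEnd)
}

$alerts = foreach ($group in ($events | Group-Object User)) {
    $sorted = @($group.Group | Sort-Object Time)

    # Rule 1: same account, different workstations, inside the overlap window.
    # Events are time-ordered, so once the gap exceeds the window, later pairs can be skipped.
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        for ($j = $i + 1; $j -lt $sorted.Count; $j++) {
            $a = $sorted[$i]; $b = $sorted[$j]
            if (($b.Time - $a.Time) -gt $overlapWindow) { break }
            if ($a.Workstation -ne $b.Workstation) {
                [pscustomobject]@{
                    Rule   = 'ConcurrentWorkstations'
                    User   = $group.Name
                    Detail = "$($a.Workstation) at $($a.Time) and $($b.Workstation) at $($b.Time)"
                }
            }
        }
    }

    # Rule 2: any logon outside the allowed days/hours.
    foreach ($e in $sorted) {
        if (Test-OutsideHours $e.Time) {
            [pscustomobject]@{
                Rule   = 'OutsideHours'
                User   = $group.Name
                Detail = "$($e.Workstation) at $($e.Time) (logon type $($e.LogonType))"
            }
        }
    }
}

# With the sample data this yields two alerts for 'sally': the 09:02/09:15 pair on two
# different workstations, and the Sunday 03:05 VPN logon. 'bob' produces none.
$alerts | Format-Table -AutoSize
```

Two practical points when moving from the sample to real logs: 4624 is written on the machine where the logon happens, so the rule only works once those logs are forwarded to one place; and a user who is legitimately signed in on a desktop and a laptop will trip rule 1, so the overlap window and an allow-list of expected machine pairs are what keep the alert volume usable.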
Be proactive to prevent employee password sharing
By now, we hope you've moved over to the “OK, so password sharing’s a real thing” camp and realize you need to do something about it. By taking steps to put policy, controls, and monitoring in place, you can minimize — if not completely stop — password sharing. This will reduce your organization’s risk of both internal and external threats, as well as create a more secure environment overall.