6 ways to stop password sharing
Password sharing is one of the biggest internal security issues. And it impacts every organization. Here's how to stop it.
Updated May 7, 2024

One of the biggest internal security issues every organization has to deal with is password sharing. If you're looking to secure a Windows Active Directory network, here's how you can mitigate the threat of shared passwords with UserLock.
Many employees see no security risk in sharing passwords and logins (we published original research on this very topic a few years ago).
There’s often a lack of understanding at organizations’ top levels, with many in senior management failing to recognize the risk of sharing login details. When we surveyed employees a few years ago, many said they shared their password because their manager or boss asked!
The risks of sharing credentials among employees (or students) are great. Sharing passwords can impact your IT team's ability to control access, prevent external cyber attacks, and thwart attempts at insider attacks.
Insider threats represent one of the greatest risks to any organization. Even experienced attackers prefer the "easy way" into your network. Why go to the trouble of cracking a password to reach sensitive information when it is much easier to pose as an authority figure and simply ask an employee to hand it over?
This leaves organizations open to social engineering by malicious parties who pose as somebody senior and gain access to data and systems they should not have.
To address this behavior, security has to be part of the corporate culture. Bad choices should have consequences that employees are reminded of. Technology such as UserLock can also help, both by outright blocking certain bad behavior and by reminding users to make good choices.
Here are six ways to stop password sharing.
First, you need to educate your users. Cyber awareness training for employees helps reframe the risk from an IT problem to a business risk.
Make sure employees know that sharing a password with anyone is not a good idea. Yes, even if it is someone in a supposed role of authority. And don't assume they know this. Some employees come from organizations where they were encouraged, even required, to share passwords with managers.
Educate employees on how and why insider threats represent as great a risk as external ones, if not greater.
This means an ongoing commitment to staff training and education, not a tick-the-box approach. A one-off session rarely results in staff absorbing the message and remembering it.
To achieve this, IT needs buy-in from the entire organization. And it starts at the top. Yes, we're looking at you C-suite. Management needs to understand and care about IT security. Period. Encourage management to lead by example. And help them understand there are consequences for them, too. After a data breach, CEOs and CTOs are often called on to resign (recent examples include resignations at Optus, Equifax, Bed Bath & Beyond, and Target).
HR has an important role to play here too with pre-employment checks, training, and on-going intelligence. Our research shows that they are the least likely people within the organization to even understand the issue, yet it should be part of their role to address it.
The most likely way a password falls into malicious hands is an attacker posing as someone in authority. Teach your organization that refusing to share a password is not a matter of trust; it is a matter of policy.
In our research we asked employees what action their employer could take to make them less likely to share passwords. By far the top answer, chosen by 29%, was "if someone using my login meant my own access was restricted."
Crucially, this figure was higher in the younger age groups where password sharing is more common: 37% of 16-24 year olds and 36% of 25-34 year olds chose it. It was also the top option in the regulated industries that were the worst offenders for password sharing. Clearly, people care about their own network access, and as soon as that access is personal to the individual they have a real incentive not to share it with others.
Education is a starting point for mitigating the risk of insider threats. But situations often occur where technology can serve as a guardrail for users, even when they do understand the risks. This is seen in the example of employees in more regulated industries understanding but still willfully subverting security policy.
Adding MFA for Active Directory logons as an extra layer of security will also naturally deter password sharing. Employees may feel fine sharing a password, but they are much less likely to hand over a second factor, and where that factor is a hardware token or a push notification to their own phone, they are often unable to.
From our research, the next top answer for what would make you less likely to share passwords was "if it was made a sackable offence," selected by 23%.
Now, maybe your organization doesn’t want to rule with such an iron fist. But if you are not openly and consistently dealing with unacceptable behavior, then other employees are getting the message that they can get away with it.
Active punishment can act as an effective deterrent, and if you ensure your workforce is aware of the dangers, it's not unreasonable to then punish malpractice.
In our research, the next most popular option was restricting each login to specific departments, devices or workstations.
We recommend this control in any case because it reduces the attack surface available to an intruder, but it turns out to remove the motive for sharing as well. If a colleague cannot use your login from their own machine, there is no reason to give them your password.
Restricting the hours during which network access is permitted was also cited as an incentive, by 14% of respondents on average.
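The two survey findings above, that people stop sharing once their own access is at stake and that workstation or time-of-day restrictions remove the motive, both rest on the same observable: a single account being used interactively from more than one workstation in a short window, or outside the hours its owner actually works. The following added example (not code from the original article or from UserLock) shows how an administrator can look for those indicators in exported Windows Security log data before or alongside deploying a control. The event records are a constructed sample shaped like the fields of event ID 4624 (logon time, account, workstation name, logon type); the permitted hours and the eight-hour correlation window are assumptions chosen for illustration.

```python
"""Flag indicators of shared Active Directory credentials in exported
Windows Security events (constructed sample shaped like event ID 4624)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real log data. Field names mirror the
# 4624 fields an admin would export: TimeCreated, TargetUserName,
# WorkstationName, LogonType.
SAMPLE_EVENTS = [
    {"time": "2024-05-07T08:02:11", "user": "jsmith", "workstation": "WS-FIN-01", "logon_type": 2},
    {"time": "2024-05-07T08:04:40", "user": "jsmith", "workstation": "WS-FIN-07", "logon_type": 2},
    {"time": "2024-05-07T09:15:00", "user": "akumar", "workstation": "WS-OPS-03", "logon_type": 10},
    {"time": "2024-05-07T23:41:09", "user": "akumar", "workstation": "WS-OPS-03", "logon_type": 10},
    {"time": "2024-05-07T13:00:00", "user": "mlee", "workstation": "WS-HR-02", "logon_type": 2},
    {"time": "2024-05-07T17:30:00", "user": "mlee", "workstation": "WS-HR-02", "logon_type": 3},
]

# Interactive (2), RemoteInteractive/RDP (10) and CachedInteractive (11).
# Network logons (type 3) are deliberately excluded: every file-share
# access from a second machine would otherwise look like credential sharing.
INTERACTIVE_LOGON_TYPES = {2, 10, 11}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def interactive_logons(events):
    """Keep only logons where a person sat at (or RDP'd into) a machine."""
    return [e for e in events if e["logon_type"] in INTERACTIVE_LOGON_TYPES]


def find_concurrent_workstations(events, window_minutes=480):
    """Return {user: sorted workstations} for accounts that logged on
    interactively from more than one workstation within `window_minutes`.
    The window is an assumption; tune it to a normal shift length."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in interactive_logons(events):
        by_user[e["user"]].append((parse_time(e["time"]), e["workstation"]))

    findings = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological, so the inner loop can stop early
        flagged = set()
        for i, (t1, ws1) in enumerate(logons):
            for t2, ws2 in logons[i + 1:]:
                if t2 - t1 > window:
                    break
                if ws1 != ws2:
                    flagged.update({ws1, ws2})
        if flagged:
            findings[user] = sorted(flagged)
    return findings


def find_out_of_hours(events, start_hour=8, end_hour=18):
    """Return [(user, time, workstation)] for interactive logons outside the
    permitted daily window [start_hour, end_hour). The 08:00-18:00 default is
    an assumed policy, not a value from the article."""
    out = []
    for e in interactive_logons(events):
        hour = parse_time(e["time"]).hour
        if not (start_hour <= hour < end_hour):
            out.append((e["user"], e["time"], e["workstation"]))
    return out


if __name__ == "__main__":
    for user, ws in find_concurrent_workstations(SAMPLE_EVENTS).items():
        print(f"possible shared credential: {user} active on {', '.join(ws)}")
    for user, when, ws in find_out_of_hours(SAMPLE_EVENTS):
        print(f"out-of-hours logon: {user} at {when} from {ws}")
```

On the sample, jsmith is flagged for two different finance workstations within minutes of each other, akumar is flagged only for the 23:41 logon (same workstation both times, so no sharing indicator), and mlee is not flagged because the second event is a network logon. Running the same logic over a real export from Get-WinEvent is the quickest way to learn which accounts and departments the restriction controls described above need to target first.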
While those in more senior positions claim to be security conscious, they do still share passwords occasionally and it tends to be in order to delegate work. Many of our survey base (16%) said that they would be less likely to share their password if delegating work was easier without having to do so.
UserLock's concurrent login controls, context-aware access restrictions, and MFA mean IT teams can control where and how each employee accesses the network. Native Active Directory can restrict an account's logon hours and the workstations it may log on to, but it has no per-user limit on concurrent sessions and no built-in MFA for Windows logons; combining all three ensures that network access is via a login that is unique to the user and not shared.