Sharing, not caring: Users pass around credentials

One of the most basic security mistakes out there is sharing account credentials and passwords. A new study finds many users are guilty of it – and plenty don’t even realize it’s a security risk.

An IS Decisions report, dramatically titled “From Brutus to Snowden: Anatomy of an Insider Threat,” polled users in the United States and UK on their habits around sharing credentials.

What it found wasn’t too encouraging:

  • 51% said they never share passwords or log-in details
  • 23% said they shared with one or more co-worker
  • 10% shared with a manager
  • 10% indicated they shared them “when required,” and
  • 7% said they shared them with IT.

So while only 23% of users admitted to sharing with a co-worker, the other categories add up: once sharing with managers, with IT and "when required" is counted, roughly half of respondents (everyone outside the 51% who said they never share) had handed over a log-in in some situation, and many of them didn't think of that as a security risk at all.

Who’s giving info away?

The survey also indicates several characteristics of a password-sharer:

  • Age. Younger users are much more likely to give out credentials. The highest percentage of credential sharers was 16-24 year old employees. More than 65% of them shared log-in details, as opposed to 29.5% of the 55-and-older crowd.
  • Industry. Users in highly regulated fields such as telecom, human resources and legal shared at a higher rate (perhaps because they have more password-protected accounts).
  • Role. The further removed users were from the company, the more likely they were to share. So while managers were very unlikely to spill credentials, vendors (73%) and partners (46%) shared at higher-than-average rates.

Tighten up control

You'll definitely want to train users on your password policies and remind them of those policies regularly.

Other steps to take:

  • Set clear rules for outsiders. Make sure vendors and partners sign off that they won’t share passwords and credentials with others inside or outside of the organization.
  • Explain the risk. More than 36% of employees said they would be able to access data from a previous employer after leaving. Remind users that it’s important to keep account info close to the vest to prevent snooping later on.
  • Restrict concurrent access. Where the platform supports it, limit an account to one active session at a time, and alert when the same account is logged in from two machines at once; that pattern is one of the few observable signs that a credential has been shared.
  • Revoke credentials quickly. As soon as someone leaves your organization, disable the account and invalidate its sessions and tokens. And because a departing user may know colleagues' passwords as well as their own, rotate any shared credentials that person had access to.
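The last two steps can be checked against authentication logs. The following is an added example, not code from the article or from IS Decisions: it runs two detections over a few constructed log lines (the `timestamp event user host` format, the host names and the `TERMINATED` offboarding record are all hypothetical). The first flags a login while the same account still has a live session on a different machine, the usual symptom of a shared password; the second flags any login by an account whose owner has already left.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: timestamp event user host).
# alice logs in from a second workstation while WS-101 is still active;
# carol logs out before moving to another machine; dave left on 1 March.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z LOGIN alice WS-101
2024-03-04T09:05:40Z LOGIN bob WS-207
2024-03-04T09:07:03Z LOGIN alice WS-318
2024-03-04T09:30:00Z LOGOUT alice WS-101
2024-03-04T10:02:11Z LOGIN carol WS-412
2024-03-04T10:20:00Z LOGOUT carol WS-412
2024-03-04T10:25:30Z LOGIN carol WS-555
2024-03-04T11:15:00Z LOGIN dave WS-099
"""

# Hypothetical offboarding record: user -> date the account should have been disabled.
TERMINATED = {"dave": datetime(2024, 3, 1)}


def parse_log(text):
    """Parse lines of 'timestamp event user host' into sorted (ts, event, user, host) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, host = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, user, host))
    events.sort()
    return events


def concurrent_sessions(events, session_timeout=timedelta(hours=8)):
    """Return (user, ts, new_host, other_live_hosts) for every LOGIN that happens
    while the same user still has a live session on a different host.
    Sessions with no LOGOUT expire after session_timeout so stale entries
    do not generate alerts forever."""
    active = defaultdict(dict)  # user -> {host: login timestamp}
    alerts = []
    for ts, event, user, host in events:
        live = {h: t for h, t in active[user].items() if ts - t <= session_timeout}
        active[user] = live
        if event == "LOGIN":
            others = sorted(h for h in live if h != host)
            if others:
                alerts.append((user, ts, host, others))
            live[host] = ts
        elif event == "LOGOUT":
            live.pop(host, None)
    return alerts


def logins_after_termination(events, terminated):
    """Return (user, ts, host) for every LOGIN by an account whose owner has left."""
    return [
        (user, ts, host)
        for ts, event, user, host in events
        if event == "LOGIN" and user in terminated and ts >= terminated[user]
    ]


def run(text=SAMPLE_LOG, terminated=TERMINATED):
    """Run both detections and return their findings."""
    events = parse_log(text)
    return {
        "concurrent": concurrent_sessions(events),
        "terminated": logins_after_termination(events, terminated),
    }


if __name__ == "__main__":
    findings = run()
    for user, ts, host, others in findings["concurrent"]:
        print(f"{ts:%H:%M} {user}: login from {host} while still active on {', '.join(others)}")
    for user, ts, host in findings["terminated"]:
        print(f"{ts:%H:%M} {user}: login from {host} after account should have been disabled")
```

Note that carol produces no alert because her WS-412 session ended before the WS-555 login; only overlapping sessions on different machines are flagged. Legitimate overlaps exist (a VPN session alongside a workstation, service accounts used by automation), so tune the host grouping and the timeout to your environment before paging anyone on the first finding.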