Sharing online accounts in the workplace is widespread, despite the security risks involved. It’s tempting to think these behaviors are due to ignorance of cybersecurity best practices or disregard for policies. But there’s much more to the story, according to a recent study from Carnegie Mellon University’s CyLab Security and Privacy Institute. While the findings are unlikely to please infosec professionals, they offer insights into real-world account-sharing practices, methods, motivations and challenges.
The study, published in November 2019, is titled Normal and Easy: Account Sharing Practices in the Workplace. One of its authors is Jason Hong, a professor in CMU’s Human-Computer Interaction Institute. (Hong was a co-founder of Wombat Security Technologies, now Proofpoint Security Awareness Training.)
On average, people share 11 accounts with their coworkers, according to the study. Unfortunately, this common practice raises several problems. One issue is that sharing is “not something most digital accounts are designed to do.” According to the study, online accounts generally assume a single user per account, and sharing “violates many technical assumptions about account security.”
Share and Share Alike
Sharing online accounts is often discouraged or explicitly forbidden by organizations. But in some cases, people may need to share an account to collaborate. Official social media and email accounts are among those most commonly shared, according to the study. If several people need to post to a Facebook page or respond to a public-facing email account, password sharing becomes inevitable.
“Contrary to security news that describes account sharing as careless and non-compliant with security policies, we observed account sharing was treated as a preferred option rather than a workaround,” according to the study. “There were very legitimate collaboration drivers behind account sharing, and people sharing accounts were trying to create smooth and efficient workflows.”
It’s Not Just About Sticky Notes
In addition to the classic “password written on a sticky note,” the study describes a wide variety of password-sharing methods. These were grouped into four broad categories:
Direct sharing – Sharing a password either verbally, on paper or via email, SMS, Slack, etc.
Common location – Updating a password in a shared spreadsheet or file, or writing it on a sticky note or board
A shared system – Updating a password based on a formula, or using a password manager to share it
- Access sharing – Helping someone else log in, or sharing a password reset link
From a security awareness training perspective, it’s interesting to consider these different types of password behavior and whether they can be fully addressed by an organization’s password policy. We can train users on how to keep their credentials secret, but they may encounter scenarios at work where these best practices don’t seem to apply.
What About the Security Risks?
The study looks at several challenges that arise from account sharing, including problems with controlling and limiting access. How do you change or revoke access when a user leaves an organization or a team?
Survey respondents reported problems with “account information being shared with people who should not have access through shared spreadsheets,” and “former employees retaining access to shared accounts because passwords were not changed even after someone left the organization.” These situations leave organizations vulnerable to insider threats, including attacks by disgruntled former employees.
Managing (Shared) Passwords
One of the more interesting findings is that people who share accounts aren’t necessarily ignorant or careless. According to the researchers, study participants “were aware of the potential security issues, and they employed their own methods to protect those accounts.” For example, some who shared passwords via email tried to maintain security by using encrypted email and sending usernames and passwords separately.
Users are less aware when it comes to password managers, however. The study found that “many participants lacked a good understanding of password managers and were not aware of the security benefits.” One participant noted that “a password manager is just one more account to worry about.” Clearing up these misconceptions is key to getting users to adopt password managers and more secure practices.
Without a viable alternative, people will continue to share accounts, if only to get their work done. The study offers design suggestions that would make sharing online accounts more secure and user-friendly, but it’s probably unrealistic to expect a given platform to meet a wide variety of collaboration needs and preferences. While the researchers acknowledge obstacles to getting people to use password managers, providing these tools and effective training about how to use them would go a long way toward improving users’ password security behaviors.