You might know that sharing passwords is a bad idea, but do you know why? In this article, I will walk you through the various problems.
We all know that sharing passwords is bad and that we are not supposed to do it, but if you ask a random person why, can they actually explain it? In this brief article, I will walk you through why sharing passwords is a bad idea and the problems it causes.
This article is geared toward non-security professionals, as a reference they can use to explain to others why shared logins are a bad idea.
The #1 reason sharing a password is bad is the loss of attribution. Attribution is the ability to trace an action back to a specific individual or resource. The related security property is called non-repudiation: a user cannot later deny having performed an action because the record ties it to them. If your password is shared and someone else uses it, the logs only show the account, not the person, so we cannot tell definitively who performed the action.
Additionally, the more people who know a secret, the harder it is to keep it secret. Imagine that a co-worker does not practice good security hygiene and stores the shared password in plaintext on their laptop or, even worse, on a sticky note under their keyboard. The attack surface, meaning the set of different entry points an attacker can use to reach your data, just got bigger.
When a security incident involves an account with a shared password, it is very difficult, if not impossible, to determine who was behind the activity and therefore the root cause of the incident. This makes the security team's job much harder.
When users are accustomed to sharing and handing out their passwords, it creates a bad habit of sharing sensitive information. So, if an attacker pretends to be IT Support in a phishing attack and asks for your password, a culture of sharing logins already exists, and that culture will likely increase the attacker's chances of success.
Let's face it: changing passwords is hard and inconvenient. Changing a password shared by 5 or 10 people is really hard and inconvenient! So what happens is that the password never changes. As a result, when an employee or contractor comes and goes, the password stays the same. If the resource is externally accessible, the person who left can still access it.
Imagine that an incident occurs involving abuse of this shared login or resource. Not only could it affect the 5, 10, or 50 people who currently have the shared login, it could also involve any employee or contractor who knew it at any point since the password was last changed! This increases the attack surface of the resource. If the resource was an IAM user or other service account, the result could be disastrous for the company.
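The attribution problem above can be seen directly in audit logs. The following is an added example written for this article, not code from the original post: it scans constructed CloudTrail-style records (the field names `userIdentity.userName`, `sourceIPAddress`, `userAgent`, `eventTime` and `eventName` follow CloudTrail's layout, but the records themselves are made up for illustration) and flags any login that is used from several different source IP / user agent combinations within a short window, which is the typical signature of a credential in more than one person's hands. The 30-minute window and the threshold of two distinct fingerprints are assumptions chosen for the example, not settings from any product.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events for illustration only; not real log data.
# "deploy-shared" is a hypothetical IAM user whose password is shared by a team;
# "alice" is a hypothetical personal IAM user.
SAMPLE_EVENTS = [
    {"userIdentity": {"userName": "deploy-shared"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "eventTime": "2024-03-01T09:00:00Z", "eventName": "GetObject"},
    {"userIdentity": {"userName": "deploy-shared"}, "sourceIPAddress": "198.51.100.7",
     "userAgent": "Boto3/1.34.0", "eventTime": "2024-03-01T09:03:00Z", "eventName": "PutObject"},
    {"userIdentity": {"userName": "deploy-shared"}, "sourceIPAddress": "192.0.2.44",
     "userAgent": "console.amazonaws.com", "eventTime": "2024-03-01T09:05:00Z", "eventName": "DeleteBucket"},
    {"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "eventTime": "2024-03-01T09:01:00Z", "eventName": "ListBuckets"},
    {"userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.10",
     "userAgent": "aws-cli/2.15.0", "eventTime": "2024-03-01T11:30:00Z", "eventName": "ListBuckets"},
]


def _parse_time(value):
    """CloudTrail timestamps are ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fingerprint(event):
    """Coarse 'who is on the other end' signal: source IP plus user agent."""
    return (event["sourceIPAddress"], event["userAgent"])


def find_shared_use(events, window=timedelta(minutes=30), min_fingerprints=2):
    """Return {user_name: sorted fingerprints} for every principal that was used
    from at least `min_fingerprints` distinct fingerprints inside any `window`.
    One human rarely calls the API from two networks and two tools at once;
    a shared credential does."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event["userIdentity"]["userName"]].append((_parse_time(event["eventTime"]), event))

    findings = {}
    for user, rows in by_user.items():
        rows.sort(key=lambda row: row[0])
        # Sliding window: start at each event and collect fingerprints seen
        # until `window` has elapsed.
        for i, (start, _) in enumerate(rows):
            seen = {fingerprint(e) for t, e in rows[i:] if t - start <= window}
            if len(seen) >= min_fingerprints:
                findings[user] = sorted(seen)
                break
    return findings


def ambiguous_actions(events, flagged_users):
    """Actions the log attributes only to a shared account, i.e. actions for
    which no individual can be held accountable (no non-repudiation)."""
    return [
        (e["userIdentity"]["userName"], e["eventName"])
        for e in events
        if e["userIdentity"]["userName"] in flagged_users
    ]


if __name__ == "__main__":
    flagged = find_shared_use(SAMPLE_EVENTS)
    for user, prints in flagged.items():
        print(f"{user}: used from {len(prints)} fingerprints within 30 min -> {prints}")
    for user, action in ambiguous_actions(SAMPLE_EVENTS, flagged):
        print(f"cannot attribute {action} on {user} to a person")
```

Run against the sample, only `deploy-shared` is flagged: three different IP / tool pairs hit the API within five minutes, and the `DeleteBucket` call among them cannot be tied to any one person. `alice` appears twice from the same fingerprint hours apart, which is what a single-owner account looks like. In a real investigation the same query is the difference between "Alice deleted the bucket at 09:05" and "someone with the deploy password deleted the bucket, and we have 12 current and 4 former staff who know it".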
In security, we always want to reduce the attack surface of our assets to keep security more manageable. So, what are some solutions?
Here is a brief list: