Barry Scott, CTO at Centrify EMEA:
“The news that MPs are sharing passwords with others in their departments is shockingly bad and very disappointing. Sharing passwords should NEVER happen, with the possible (but very rare) exception being sharing with the IT Department at work, and then the password should be changed when IT no longer need it. Compromised credentials are the leading attack vector for data breaches – the 2017 Verizon Data Breach Investigations Report states that 81% of breaches involve weak, default or stolen passwords.
Passwords should be complex, unguessable (computers are incredibly good at guessing passwords, so swapping an “S” for a “$” won’t fool them for long) and reinforced with some form of multi-factor authentication, where your phone (for example) is used as an extra source of authentication to prove it’s you trying to log in, and not someone who has stolen your password. Sharing passwords for allowing access to data (such as your e-mail) is no excuse – modern applications should not require people to share passwords to access the same data.
There’s no doubt that sharing passwords increases the risk of a breach taking place. If the breached user is also an operating system administrator of their machine, a hacker (or ransomware) then has a very good foothold on the network, from where they can start to move from system to system (known as “lateral movement”) until they find the valuable data they are really looking for. With the advent next year of the GDPR, where companies must follow “best practice” and “the state of the art” for cyber security, sharing passwords may well leave them liable to heavy fines.
Being senior in an organisation doesn’t provide immunity from having to follow cyber security best practices – in fact precisely the opposite, as senior people have access to the most important information!
All companies and organisations should be developing good cyber security habits to protect themselves from data breaches, and part of that should be through a regular training program. Similar to teaching people not to click on suspicious links in mails, they must also be educated not to share their passwords.”