In the world of IT security, perhaps nothing is so maligned as the humble computer password.
End users hate jumping through hoops to create and remember complex passwords that contain letters, numbers and special characters. IT security professionals complain that end users ignore corporate policy and create obvious passwords like, well, "password". Millions are spent on single sign-on technologies that alleviate the need for numerous passwords to access a multitude of applications.
Yet for all the complaints about the lowly password, it's still the most prevalent security measure in use today. We just haven't found the ideal way to replace that odd string of characters with fingerprints, retina scans, dongles or anything else that might actually be more secure.
Corporate policies can force the most stringent requirements on password creation and maintenance – number of characters, type of characters, expiration dates – but those policies do little good when a worker simply gives his password to someone else. According to a new research study, this actually happens more often than IT experts think.
Software vendor IS Decisions has recently published a report entitled "From Brutus To Snowden: A Study Of Insider Threat Personas" in which the company looks at workers' habits, behavior and attitudes around topics including password sharing and network access. The company surveyed 1,000 people in the U.S. and another 1,000 in the U.K. to compile the report's data.
IS Decisions found that while information security teams spend the majority of their time defending against attacks from outside the organization, the threat from within the organization is not considered seriously enough. The report looks at hypothetical "personas" based on worker demographics to help companies understand who is most likely to share a password with someone or exhibit other behavior that can put a network at risk.
The research shows that IT professionals believe that 19% of their user base has shared a password with one or more colleagues. The estimate is a bit low, as 23% of survey respondents say they have shared their network password with at least one colleague. However, that percentage jumps to 49% of users who have shared their network password when authority figures (such as a manager or a help desk technician) are factored in.
This might suggest that social engineering can be used to get a worker to reveal his logon credentials. For instance, phishing attacks have used the ruse of the IT department asking someone to change their user ID and password "for security purposes," and the user is taken to a fake website that actually captures the credentials for malicious reasons.
Another piece of insight from the report is that younger workers are much more likely than older workers to share a password with a colleague. When asked if they have shared their network password with at least one colleague, the responses came out like this:
- 35.5% of people aged 16 to 24 have shared
- 32.2% of people aged 25 to 34 have shared
- 18.2% of people aged 35 to 44 have shared
- 15.9% of people aged 45 to 54 have shared
- 10.6% of people 55+ have shared
Researchers attribute this youthful willingness to share logon credentials at least in part to these younger generations having grown up with multiple accounts for social media, apps and other online services. Password sharing for those types of social accounts is seen as a sign of trust in a friendship or affection in a relationship—like sharing a Netflix account with a friend. When it comes to a work environment, younger workers may show trust in a colleague by openly sharing account credentials.
An even more disturbing revelation about password sharing is based upon a person's relationship to the organization. 46% of the people who describe themselves as a partner to the organization admit to sharing credentials, and that number jumps to 73% for people described as a vendor to the organization.
While partners and vendors often have more restrictive access privileges within many organizations, attackers can take advantage of these accounts to plant malware and escalate the privileges to a higher level in order to access sensitive information. This is what is suspected to have happened in the case of the Target data breach.
The report reveals much more information about password sharing, password protection and network access. I'll leave it to you to read the report and draw your own lessons from it, but I will close with this interesting bit of advice from an infographic in the report:
Passwords are like underwear.
- Change yours often.
- Don't share them with friends.
- The longer, the better.
- Be mysterious.
- Don't leave yours lying around.