François Amigorena, CEO, IS Decisions

Most passwords these days require a combination of capital letters, numbers and special characters, and have a minimum number of characters. If you have changed your favourite password, chances are you won't be able to use it again for a while. Password-storing apps like Dashlane and LastPass make life easy because they address one of the biggest annoyances for businesses and consumers by providing a one-stop shop for generating and storing all login details for various websites. Forgotten your Amazon password? No problem — just log in to the password-storing app of choice and it'll tell you what your credentials are.

These kinds of apps also help address bad password security practice. When you've got so many logins to remember, you're more likely to use one password for more than one website, which is incredibly risky. If a hacker gets their hands on your one password, they'll have access to all your eggs in your one basket. But by using a password manager, you can safely use a unique password for different sites and not worry about forgetting.

Password sharing: taking convenience too far?

To make life even easier, some apps have introduced a password-sharing feature to help speed up logging in and make the whole process much more convenient for teams. Simply tap on a button and you can send your password to whomever you choose.

Now, over the past year or so I've been vocal about the dangers of password sharing. Many of the recent large and famous attacks such as Anthem, Sony and eBay have come about as a direct result of compromised credentials — and password sharing can very often be the way that hackers find a way into a company's network and access its data.

Sometimes password sharing is the only way

The interesting point is that these password-storing apps have decided to introduce a sharing feature despite the recent high-profile attacks that have made the headlines. The IT industry will undoubtedly ask “why?” but they must also start to appreciate the way employees want to work in the modern world — especially when there's no choice but to share passwords.

Most companies, for example, will have social media profiles, online tools and accounts that multiple people need to access. Setting up unique passwords for each user is often impossible, because you'll have multiple users who need to access one account. Some social media sites including Facebook and LinkedIn attempt to tackle the issue by having multi-user access or admins at the application level, where companies can easily identify access and even attribute actions to certain admins or users. Other tools might have special team access. But often, online tools or ecommerce sites require multi-user access without addressing this at the application level. Twitter is one; you can assign management access through its tool TweetDeck, but unless you're using the tool, everyone accessing the account needs the password. Many companies will therefore keep all these passwords in a spreadsheet, perhaps saved somewhere on their server, which is far from ideal, highly insecure and a hassle to keep up to date and accurate. But what choice do companies have?

Password sharing is already happening among younger generations

IS Decisions research has previously shown that password sharing is common among employees. It found that as many as 23 percent of desk-based workers in the UK and the US have shared their work-related password with one or more colleagues.

Younger people especially are more likely to share passwords than their older colleagues. Younger generations have grown up with multiple online accounts across social media, email, apps and other services, so account sharing has become second nature for them. In fact, a trend among US teenagers, for instance, is password sharing as a sign of affection. To them, sharing a password is a digital entanglement that, because of the risk it involves, signifies trust and can be a milestone in a relationship, like sharing the keys to your house with a partner. This behaviour could be the very reason behind the new password-sharing feature within apps.

The stats certainly seem to show that younger people are happier with password sharing than older generations. Twenty-two percent of 16 to 24-year-olds and 23 percent of 25 to 34-year-olds have shared their login with more than one of their colleagues, while 35 percent and 32 percent respectively have shared with at least one. Only 11 percent of those over 55 have shared a password with a colleague, less than half the overall average. It is also notable that 71 percent of over 55s say they never share their passwords, 20 percent more than the average.

When IS Decisions asked IT workers in its Insider Threat Peer Report about why age seems to be a factor, John Giordiano, IT manager at The Scenic Route, commented on the difference of attitude: “Older people tend to disregard security measures because they don't fully understand and younger people tend to disregard them because it slows them down.”

Why online tools must change the way users access

While password sharing can sometimes be a dangerous practice, the onus for improvement now is not on password-storing apps to get rid of ‘sharing’ features. The makers of these apps are looking to solve a genuine problem in an imperfect world in the best way they can.

Instead, online tools and services need to consider the way they provide multi-user access much more seriously to avoid the need for password sharing in the first place. Multi-user logins will not only limit the likelihood of a breach, but give organisations insights into different user activity so that in the event of a breach, they will be able to identify culprits quickly to mitigate damage.

Providing unique logins is just the first step. The same tools must ensure that their users regularly change passwords, use special characters and a mixture of uppercase and lowercase letters — which is all basic password practice anyway. A stronger policy on passwords from the online tools themselves will help alleviate any fears on the organisation's side, which has no control or say in how passwords work.

Contributed by François Amigorena, CEO, IS Decisions