Guest Author - Julie L Baumler
Computer accounts, whether for a computer, application or website, serve several different purposes. They provide a way to determine who is using a computer or service. They are used to determine whether and what that person or system is authorized to do (including whether they should be there in the first place). They provide a way to keep information belonging to different users separate. Sharing passwords (or other, less common authentication methods such as cryptographic keys or tokens) undermines all three. Of course, sometimes you don't care about any of those things; you just need something in the account in order to get your work done. This is usually when and how password sharing occurs.
A common situation is that a group of employees share a single account to do some task. This could be anything from the root password shared among administrators to a login for an informational website. Often, sharing passwords starts as an expedient (or a necessity due to poor design) and becomes a habit. People share passwords because they need access to resources to get their job done. Often the resources multiple people need are all assigned to one account, so those people share it. Unfortunately, once people are sharing one account, it often turns into multiple shared accounts: if it is OK to share one password because that is what it takes to get the work done, then why not share the password for another account in order to get other work done?
A major problem with shared passwords is the difficulty that arises when the password needs to be changed. First, every time someone who has the password leaves the company or is given other duties, the password needs to be changed. Second, every time the password is changed, everyone who uses it has to be notified. Often, no one person knows all the people who use a shared account, because the password is passed along whenever someone needs access to those resources. This means that you don't actually know when you should be changing the password or whom to tell.
It is extremely common for people to use the same password for multiple accounts. Although none of us would do this, what happens if a coworker uses a password from a shared account for one of their personal accounts? I'm not comfortable knowing people's passwords. And suppose the person did something wrong using that account (or ran up a big bill) and then claimed it wasn't them (a process known as repudiation in the information security world), on the grounds that all their coworkers knew their password because it was the same as the shared account's? You'd have to know their username, but in many cases that is publicly available or easy to guess (for instance, an email address is often used as a username on websites). I don't know if they could successfully repudiate their actions or blame a coworker using that argument, but it's a scary thought.
As you can see, while sharing passwords often seems efficient, it can cause much bigger problems down the line and should be avoided whenever possible.