Republished: Why you should never share Login Details

Originally published on Benscomputer.no-ip.org Aug 2009.

 

Anyone who works in IT in any form knows the headache, despite signing to say they wont, users insist on sharing their login details with everyone! Whether it's because someone else can't remember their own username or simply because it's easier than logging out.

On occassion it happens because the user didn't lock their desktop before walking away, and someone else happens to need to use a PC 'quickly.'

We all know it, users just don't care about security. Why should they? It's 'Your' network to look after, not theirs. This article is aimed at that particular group to try and highlight exactly why they should care.

 


As a user, your username and password identify you to the system as, well you. Anything that happens under your login will be assumed to be you. In fact, if you read your IT security documentation (you know, that thing they got you to sign) it will probably state that you are liable for everything that happens under your login.

Lets leave aside the confidentiality of documents that you may have access to. If you work in that sort of job, you should be quite aware of the implications of giving someone unfettered access to such documents. Let's focus more on the direct impact that sharing that password has on you.

You allow one of your colleagues (lets call him Joe) to use your login, he starts by  writing the report that's overdue. So you go to have a coffee and a natter with someone else whilst he gets up to date. In the meantime, Joe has got bored and decided to spend 5 minutes on the net, just while he gathers his thoughts.

Now Joe goes to his search engine of choice and types in the words Desperate Housewives (He's a fan of the show!) and without thinking hit the 'I'm feeling Lucky' button. This takes him to the first link in the list, a site dedicated to the wrong type of Desperate Housewives. Now from an IT Admins point of view, Joe didn't do that, You did. The logs will show that your username accessed it, as the system has no way of knowing that Joe was using your login.

Now imaging Joe likes what he sees and decides to browse for a bit longer, it now looks as if you are deliberately accessing unsuitable content from work. Joe probably doesn't realise that Internet Connections are logged, but as he's doing the browsing on your behalf, it may be that he doesn't care.

Now if the Company is particularly strict, it's quite possible that your Job could be in danger. Is Joe the sort of person who would step up, admit responsibility and lose his own job instead? He might feel bad, but perhaps he has a family to support?

More to the point, if Joe did step up and admit responsibility, he could get fired, but you would still be in for a disciplinary for breaching IT security procedures. Not something you are too likely to lose your job over, but still not something you want on your record!

All this could have been avoided simply by logging yourself off and letting Joe log himself into his own user area.

This article has been quite tongue in cheek, the browsing of adult content is just one of the few things that could happen, and by far not the most serious. You may not overly care if the corporate network gets hacked (might even get a day off out of it) but you will probably start to care when all fingers start pointing at you.

It doesn't matter who actually did it, the system will think it is you, and by the time you hear about it, a lot of managers will have heard that it was you. You're then reliant on the actual perpetrator owning up to it, which depending on the person and the severity of what they did, they may not.

The simplest way to avoid this, don't share your username and password with anybody. You wouldn't let them have your bank details, so why let them assume your identity in any other way?