Qamba Knowledge Base
Shared accounts/passwords in your business
What are they?
Most often these are accounts used for temporary employees, or for staff using a shared account to facilitate a role such as "reception" or "accounts". However, even if staff have a dedicated account of their own, if others know and use it, that too should be considered a shared account and is subject to the risks and issues below.
Why are they a problem?
If multiple staff use an account, there is no way to associate actions performed with that account to an individual, so there is limited accountability and no reliable way to know for certain who performed an action on a shared account. Staff can send harassing emails, access illegal content, or delete or damage files, and there is no way to prove it was done by them if multiple people use that account.
Generally these kinds of accounts are accompanied by poor password hygiene, with passwords on Post-it notes stuck to shared computers, or well-known passwords chosen so "everyone can remember it". While this can seem convenient, it creates notable business risk and is not worth the headache when there is an incident in the future. Weak or compromised passwords are one of the most common ways attackers gain access to a business's IT systems.
Having to coordinate password changes
In the event a password needs to be changed, the change needs to be communicated to everyone who uses that account, and it may not always be clear who all those people are. If one user changes the password and fails to notify the others, the others will lose access, or might also change the password themselves, wasting time until someone notices what is happening. The time lost and frustration felt by both staff and IT support can really add up.
Account Administration Issues
Changes to account details or passwords, or finding out who has the authority to approve changes to the account, can easily become a confusing mess. Unlike a normal account, which clearly identifies its user via their email address or username, there is no longer a one-to-one connection between the account and the person who uses it. If there is an issue, such as a security incident, getting hold of the true account holder(s) can become problematic and waste time.
Depending on how your software is licensed, sharing accounts that are licensed per user may be considered a breach of your license agreement. This means a software or service provider could reasonably cut off access or request compensation for licenses that should have been paid for. Almost all software and service providers receive usage information and telemetry data about how their software is used, so shared use is likely to be visible to them.
MFA does not work
Enabling MFA, which is becoming more common, can be very problematic for undocumented shared accounts: anyone who does not have the MFA method set up on their own phone will lose access. MFA provides a huge improvement in security, and not being able to use it on shared accounts is far from ideal.
What is the solution?
It is much simpler and easier to manage accounts and security if everyone logs in with their own account and is then given delegated permissions on that account to access shared resources (such as files or a shared email account). This means each person has only one password to remember, and managing and tracking access is dramatically easier. This is how most businesses with any kind of security requirements manage shared resources without compromising security.
Assign shared logins to a specific physical computer
If you must have a shared account, and giving everyone their own account is not feasible for whatever reason, tying that account to a specific computer, with nobody knowing the password, can provide a suitable solution. Access control and security can then be managed with physical security (such as a locked door or a secured area) together with a camera system. If you ever need to know who was using that account, you know it can only be used on that specific PC, and you have a way of checking who was at it.
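The two approaches above (delegated access to a shared resource, and a shared login locked to one PC) can both be set up from PowerShell. The following is an added example, not part of the original article or Qamba's own tooling, and it assumes a Microsoft 365 tenant (ExchangeOnlineManagement and Microsoft.Graph modules) plus an on-premises Active Directory domain (ActiveDirectory module); the addresses, mailbox name and computer name are placeholders.

```powershell
# Added example, not from the original article. Assumes the ExchangeOnlineManagement,
# Microsoft.Graph.Users and ActiveDirectory modules are installed and you are an admin.
# reception@example.com, alice@example.com, bob@example.com and RECEPTION-PC are placeholders.

# --- Preferred: a shared mailbox with delegated access, no password to hand around ---
Connect-ExchangeOnline
Connect-MgGraph -Scopes "User.ReadWrite.All"

# Create the shared mailbox. Staff never sign in to it directly.
New-Mailbox -Shared -Name "Reception" -DisplayName "Reception" -Alias "reception"

# Delegate access to named individuals. Each person signs in with their own account
# (and their own MFA); the mailbox is auto-mapped into their Outlook.
$staff = @("alice@example.com", "bob@example.com")
foreach ($user in $staff) {
    Add-MailboxPermission -Identity "reception@example.com" -User $user `
        -AccessRights FullAccess -AutoMapping $true
    Add-RecipientPermission -Identity "reception@example.com" -Trustee $user `
        -AccessRights SendAs -Confirm:$false
}

# Block direct sign-in to the shared mailbox's underlying user object, so even a
# leaked password for it is useless. Delegated access keeps working.
Update-MgUser -UserId "reception@example.com" -AccountEnabled:$false

# Access review: list who currently holds delegated rights (the one-to-one
# mapping between person and access that a shared password cannot give you).
Get-MailboxPermission -Identity "reception@example.com" |
    Where-Object { $_.User -notlike "NT AUTHORITY\*" } |
    Select-Object User, AccessRights

# --- Fallback: if a shared Windows login is unavoidable, tie it to one PC ---
Import-Module ActiveDirectory

# Only allow this account to log on interactively from the nominated reception PC,
# so physical access to that machine (door, camera) is what controls who used it.
Set-ADUser -Identity "reception" -LogonWorkstations "RECEPTION-PC"

# Verify the restriction took effect.
Get-ADUser -Identity "reception" -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations
```

Run the access-review query periodically and remove anyone who has left the role; with delegated access that is a single Remove-MailboxPermission call rather than a coordinated password change.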