It’s good to share, but I do wonder if perhaps we share a bit too much nowadays.
Passwords to some of our most sensitive information are a good example of this. I was on the train a few weeks ago and a woman of about 20 years of age got on. Four stops later, I knew her doctor’s name and the details of her next appointment, the username and password to one of her accounts that she decided to share with her mother, and credit card information.
This could have been a case study in what not to do — details that we wouldn’t even share with our closest friends and family were being openly discussed on public transport, within earshot of complete strangers. And this is not uncommon.
Concerns around password sharing are just one of the issues picked up in new guidelines published by the UK government called “Password Guidance — Simplifying Your Approach.” Issued by CESG (the information security arm of GCHQ) and the Centre for the Protection of National Infrastructure (CPNI), the best practice document provides a list of measures to help organisations protect against password breaches.
Tip 2 is particularly interesting. Aimed at helping users ‘cope with password overload,’ it makes clear that password sharing should never be allowed between users, saying:
“Sharing accounts, or even occasional use by anyone other than the account holder, negates the benefit of authenticating a specific user. In particular, the ability to audit and monitor a specific user’s actions is lost.”
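The loss of auditability is the concrete, detectable consequence of account sharing: one username turning up from several machines at once. The script below is an added example (not from the CESG/CPNI guidance or the original post) that scans a few constructed, syslog-style sshd lines for accounts used from two or more distinct source IPs inside a 30-minute window. The log format, the sample lines and the thresholds are all assumptions chosen for illustration.

```python
"""
Shared-account indicator over constructed SSH-style auth log lines.

Added example, not from the CESG/CPNI guidance or the original post.
The log format, sample lines and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a syslog-like format (assumed, not a real capture).
SAMPLE_LOG = """\
2015-09-14T08:01:12 sshd[4101]: Accepted password for alice from 10.0.0.21 port 51244 ssh2
2015-09-14T08:03:40 sshd[4107]: Accepted password for bob from 10.0.0.30 port 51250 ssh2
2015-09-14T08:04:05 sshd[4110]: Accepted password for alice from 10.0.0.87 port 40022 ssh2
2015-09-14T08:05:31 sshd[4115]: Accepted password for alice from 192.168.5.12 port 40100 ssh2
2015-09-14T09:10:00 sshd[4202]: Accepted password for bob from 10.0.0.30 port 51390 ssh2
2015-09-14T12:00:00 sshd[4300]: Accepted password for alice from 10.0.0.21 port 51500 ssh2
"""

# Matches only successful logins; failed attempts are deliberately ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_logins(text):
    """Return (timestamp, user, source_ip) tuples for successful logins, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"]))
    return sorted(events)


def find_shared_account_candidates(events, window=timedelta(minutes=30), min_sources=2):
    """
    Flag accounts whose successful logins come from at least `min_sources`
    distinct source IPs inside any sliding window of length `window`.
    Returns {user: sorted list of every source IP seen in an offending window}.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))

    findings = {}
    for user, logins in by_user.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # Advance the window start so that logins[start:end+1] all lie within `window`.
            while logins[end][0] - logins[start][0] > window:
                start += 1
            sources = {ip for _, ip in logins[start:end + 1]}
            if len(sources) >= min_sources:
                findings.setdefault(user, set()).update(sources)
    return {user: sorted(ips) for user, ips in findings.items()}


def main():
    events = parse_logins(SAMPLE_LOG)
    for user, ips in find_shared_account_candidates(events).items():
        print(f"possible shared account: {user} used from {', '.join(ips)} within 30 min")


if __name__ == "__main__":
    main()
```

On the sample data only alice is flagged (three different source addresses in under five minutes); bob's two logins come from one host and are ignored. Treat a hit as a triage lead rather than proof: a laptop moving between wired and wireless networks, or a VPN concentrator with several egress addresses, produces the same pattern, so a real deployment would whitelist known NAT ranges and correlate with the endpoint inventory before raising it as a policy breach.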
In an ideal world, of course, no one would share their passwords and no one would use the word ‘password’ as their password, but the reality is that we do, and it seems to be the younger generation that is more trusting when it comes to privacy. Because they are used to sharing information frequently on social media and via mobile devices, the worry is that they will carry these habits into the workplace.
It only takes one mistake to put a whole organisation at risk. The problem is that you cannot change people overnight; it takes a long time to change habits. A good example of this: years ago, when working at MoD (Ministry of Defence) sites, I had to lock my computer screen whenever I walked away from it, but it took me a year to get into the habit. Now I do it automatically, as it is so ingrained.
The point is that habits are already being formed and it will take a long time to change them. Employees need to be told what to do, which often goes against what they do outside the workplace. It’s human nature to take the path of least resistance, a case of convenience over security: it’s much easier to use the same or a similar password everywhere because there are too many to remember. Our survey last year showed that a quarter of us have more than 21 active online profiles, and around half create at least one new online account every week. In years to come we will have hundreds of accounts to manage.
The CESG/CPNI guidelines are an interesting read and touch on some very important points about helping users to manage passwords and prioritising the protection of administrator and remote user accounts, but ultimately it comes down to education and ensuring that password policies are a fundamental part of every organisation’s staff training.