
Password Protection: Passwords Back In The Spotlight

Shared passwords and password sharing have historically been an issue for data security.  First, what is the difference between ‘shared passwords’ and ‘password sharing’?  Shared passwords are usually associated with a computer or computers that are utilized by multiple people at an organization.  For example, a certain group of people may access a computer for one job function and/or one application.  Password sharing, by contrast, is just what it sounds like: a person gives their password to someone else.

The biggest problem with either of these scenarios is finding out who is responsible in the event of a data breach.  There are many reasons an organization would want to identify the person responsible.  It could help narrow down the issue and speed up recovery.  That person may have had malicious intent and need to be removed from the organization.  If it was not intentional, that person may need some additional training, specifically Security Awareness Training.

The sensitivity to password sharing has evolved over the years.  It can vary greatly depending on the organization.  Some companies are very lax about it, while other companies have a zero-tolerance policy.  Data security professionals recommend that a password should never be shared with anyone.  Most financial institutions specifically state that their employees will never ask a customer for their password.  The majority of companies have policies that state that their IT department will never ask an employee for their password and that passwords should never be shared.

Some believe sharing your password is a criminal offense based on the Computer Fraud and Abuse Act (CFAA).  It does not specifically state as much, but the legal world is obviously very complicated.  Is sharing your Netflix password illegal?  It probably is, but will they risk losing a paying customer because of others that will probably never pay?  Cable companies and other streaming content providers are also having the same issue.  Your cable company probably allows you to stream content on multiple devices and while away from home.  Is it illegal for someone that is not part of the household to have access to that content?

It is definitely an interesting and complicated issue and will most likely be one for the foreseeable future.