We’re celebrating “Password Month” throughout April 2019 here on the Pivot Point Security blog. This is the final article in a series covering our Top Ten Tips for stronger password security. It offers two tips on a topic that’s a bit “taboo”—sharing passwords.
Tip #2: If you must share a password, do it securely
The idea that we should “never” share passwords has gone the way of the floppy disk. Although there are risks associated with sharing passwords, it’s virtually impossible to avoid these days. Almost every company probably has at least one user account that multiple people need to access for valid business reasons. For example, you might have a mobile phone provider account that someone in Accounts Payable and someone in IT both need to check. Or maybe you want to share access to your collaboration software with an outside consultant.
Your organization may have a recommended process for sharing login information. If not, all the leading password managers have built-in methods for secure sharing.
Some of the biggest password sharing challenges our clients face involve the many instances where you need to share both an encrypted document and its password to someone external to your organization. The best approach is to use different communication channels; e.g., email the encrypted document and text the person the password to decrypt it.
What you don’t want to do is send the document via an email and then the password in a second email a minute later. If that channel (or the email account itself) is compromised, the attacker has both the treasure chest and the key to unlock it.
Tip #1: Share accounts, not passwords
You might think we’re mincing words here. But there’s often a subtle difference between the password and the account itself.
Most of us can “feel” the difference. It comes down to the reason and circumstances for the request, and the level of risk associated with sharing access to the data.
Say your marketing manager bursts into your office asking, “Hey, how can I share our training video with the new consultant using Vimeo?” If you had the Vimeo credentials you’d probably give them to her without hesitation because: A) She has a valid reason for needing access; B) She didn’t specifically request the password itself; C) The account is low-risk; and D) It’s not “your” account; it’s used by multiple people at your company.
But what if someone asked specifically for the password to one of “your” personal, high-risk accounts like your email, work network login or 401K account? What if the reason they asked was rather fuzzy? And what if they asked via email, Skype or otherwise not in person?
Wouldn’t you inherently get a little creeped out? That kind of password “sharing” request could be a phishing attack. If you’re not 100% comfortable, don’t hesitate to decline the request.
We hope you’ve enjoyed our Top Ten Tips for password security—and we hope you put them into practice right away if you haven’t already.
Recapping Our Top 10 Password Tips:
- Share accounts, not passwords
- If you must share a password, do it securely
- Store passwords securely
- Use two-factor authentication when risk warrants it
- Ensure password resets are as secure as possible
- Change all default passwords immediately
- Your email password needs to be a “strong unicorn”
- Don’t reuse passwords
- Make passwords as strong as they need to be
- Avoid easily guessable passwords
If Pivot Point Security can help your business in any way with information security questions or concerns, please contact us to speak with an expert right away.