True story - An end user confided in me about a password sharing predicament that got him in hot water with his IT and Human Resources departments. The employee’s corporate-issued computing device needed some IT maintenance. So, IT requested the end user share his password so IT could resolve the issue. However, the employee objected to the password sharing request and asked for IT to just reset his password. That way, the employee could perform a password change without ever exposing his password.
The IT department refused the employee’s password reset request and escalated the issue to HR. The Human Resources department interpreted the employee’s withholding of his password as an act of insubordination. Consequently, HR threatened the employee with disciplinary action if he did not comply with the request to share his password with IT.
So, what happened?
Ultimately, the employee relented and shared his password with the IT department. After IT performed maintenance on it, the device was returned to the employee and he subsequently changed his password.
This entire exchange raises a few questions that we should all take a hard look at and learn from:
- Why did IT need the employee’s corporate-issued domain password?
- Why couldn’t/didn’t IT simply accommodate the employee’s request and reset his domain password in the course of accomplishing their tasks?
- Why did HR think it was perfectly acceptable for the employee to share his password?
There are no “good” answers for any of these questions. In fact, there are only wrong answers. This chain of actions represents a lack of training across IT and HR. And if HR and IT are not trained on these basic cybersecurity principles, you can make a safe bet that cyber hygiene and awareness are a company-wide failing.
Employees should never need, or be coerced, to share their corporate passwords with anyone. IT and HR departments should know, understand, and respect the security reasons and implications better than anyone.
Let me be unequivocally clear, at no time within any organization should departments request or demand—especially not under threat of workplace punishment or retaliation—you expose your password. IT should have enough control over any resource to reset passwords themselves.
Credential-based attacks are amongst the most common, and easiest, for threat actors to execute, enabling them to hijack accounts and resources. The risks of password sharing are far too substantial—and well-documented via numerous breaches—to ever condone. The risk looms especially large if the end user does not change their shared password after the asset is returned to their possession. And yes, this happens too.
In the case of this true story, a password change was also not required after the IT maintenance. Moreover, the default passwords IT assigns across this organization are a mixed combination of company name, username, and year. A perfect target for a brute force or spray attack. For the organization in question, password changes are left to the discretion of the end users—they are not enforced by IT.
When privileged credentials are involved (and Forrester Research reports that privileged credentials are implicated in 80% of breaches today), a predictable, shared, or never-changed password exposes the entire organization to guessing attacks from insiders and external threat actors alike. To mitigate privileged attack vectors, every account on every system should have a unique password that meets basic complexity requirements and is never shared with another individual.
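The organization in this story assigns initial passwords from a predictable pattern and leaves any later change to the user’s discretion, so a practical first check is to find out how many enabled domain accounts are still running on whatever password an administrator set when the account was created. The following script is an added example (not part of the original post, and not BeyondTrust code); it assumes the ActiveDirectory RSAT module and read access to the domain. The 15-minute grace window and 90-day age threshold are illustrative assumptions.

```powershell
# Added example: report enabled AD accounts whose password was set at (or within minutes of)
# account creation, i.e. accounts still using the admin-assigned initial password.
# Assumes the ActiveDirectory module; thresholds below are illustrative.
Import-Module ActiveDirectory

function Get-AccountsOnInitialPassword {
    param(
        [int]$GraceMinutes = 15,   # a password set this soon after creation is the admin's password
        [int]$MaxAgeDays   = 90    # anything older than this is flagged as overdue for a change
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties Created, PasswordLastSet, PasswordNeverExpires, LastLogonDate |
      Where-Object {
        # PasswordLastSet is $null when "must change password at next logon" is pending
        # (pwdLastSet = 0); those accounts are already handled correctly, so skip them.
        $_.PasswordLastSet -and
        ($_.PasswordLastSet - $_.Created).TotalMinutes -le $GraceMinutes
      } |
      Select-Object SamAccountName, Created, PasswordLastSet, PasswordNeverExpires, LastLogonDate,
        @{ Name = 'Overdue'; Expression = { $_.PasswordLastSet -lt $cutoff } }
}

# Usage: list everyone still on the initial password, oldest first, then summarize.
$onInitial = Get-AccountsOnInitialPassword
$onInitial | Sort-Object PasswordLastSet | Format-Table -AutoSize
$overdue   = @($onInitial | Where-Object Overdue).Count
"{0} enabled accounts still use their initial password; {1} are older than 90 days" -f @($onInitial).Count, $overdue
```

Two caveats on reading the output: an account whose password an administrator reset later (for example after a help desk call) will not show up, because PasswordLastSet moved forward even though the user still did not choose the password; and an account with PasswordNeverExpires set will never be forced off the initial password by domain policy, so that column deserves a look on its own.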
Here are 2 basic lessons from this tale from the trenches that apply to everyone:
- Never share your passwords!
- No one should ever ask for your password or force you to provide it!
If you are an IT or HR professional, please read and abide by these password security best practices:
- Force users to change their initial password after assignment or during first login. Make sure the initial login passwords are set to expire if they are not changed in a reasonable amount of time.
- IT should have sufficient controls to reset any password, while also ensuring that a threat actor cannot compromise this process. In practice that means verifying the identity of whoever requests a reset before performing it; a reset workflow that trusts an unverified caller simply moves the weakness from the end user to the help desk.
- IT maintenance tasks should not be dependent on the current state of an end user’s credentials--ever!
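The three practices above are an ordinary Active Directory workflow once the right delegations exist: an administrator with the delegated Reset Password right can set a new password with `Set-ADAccountPassword -Reset` without ever knowing the old one, which is exactly why IT in this story never needed the employee’s password. The following script is an added example (not part of the original post, and not BeyondTrust code) showing provisioning with a random initial password that must be changed at first logon, an expiry if that change never happens, and a maintenance reset that leaves the user in control afterwards. It assumes the ActiveDirectory RSAT module, a delegated Reset Password right on the target OU, and a domain password policy that already enforces length and complexity; the 24-byte random length and 3-day grace window are illustrative assumptions.

```powershell
# Added example: provision and reset domain passwords without anyone needing the user's
# current password. Assumes the ActiveDirectory module and a delegated Reset Password right.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Bytes = 24)   # illustrative length
    # CSPRNG rather than Get-Random; base64 output always mixes upper, lower and digits,
    # so it satisfies the usual complexity policy and carries no company/username/year pattern.
    $buf = [byte[]]::new($Bytes)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($buf)
    $rng.Dispose()
    [Convert]::ToBase64String($buf)
}

function Initialize-UserPassword {
    # Practice 1: random initial password, must be changed at first logon, and the account
    # expires if that change does not happen within the grace window.
    param(
        [Parameter(Mandatory)][string]$Identity,
        [int]$GraceDays = 3   # illustrative
    )
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    # PasswordNeverExpires must be off or ChangePasswordAtLogon is silently ineffective.
    Set-ADUser -Identity $Identity -PasswordNeverExpires $false -ChangePasswordAtLogon $true `
               -AccountExpirationDate (Get-Date).AddDays($GraceDays)
    # Deliver this one-time value to the user out of band; do not log or store it.
    return $plain
}

function Clear-ProvisioningExpiry {
    # Run from a scheduled task: once the user has set a password of their own, PasswordLastSet
    # is no longer $null (pwdLastSet != 0), and the provisioning expiry can be lifted.
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties PasswordLastSet, AccountExpirationDate
    if ($u.PasswordLastSet -and $u.AccountExpirationDate) {
        Clear-ADAccountExpiration -Identity $Identity
    }
}

function Reset-UserPasswordForMaintenance {
    # Practices 2 and 3: IT resets to a temporary random password (no old password required),
    # does its work, and the user is forced to choose a new one at next logon, so the
    # temporary password is dead the moment the device is handed back.
    param([Parameter(Mandatory)][string]$Identity)
    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $Identity -Reset -NewPassword $secure
    Unlock-ADAccount -Identity $Identity
    Set-ADUser -Identity $Identity -PasswordNeverExpires $false -ChangePasswordAtLogon $true
    return $plain
}

# Usage (hypothetical account name):
# $temp = Initialize-UserPassword -Identity 'jdoe'            # new hire
# $temp = Reset-UserPasswordForMaintenance -Identity 'jdoe'   # before device maintenance
```

The reset path is the point of the story: `Set-ADAccountPassword -Reset` never asks for the current password, so the only reason to request one from an employee is that the workflow was never designed. Note that if the user does not log on within the grace window, the account expiry locks them out by design; the help desk should extend or clear it only after verifying the requester’s identity.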
If you need a secure, scalable, enterprise solution for protecting your organization’s growing number and diversity of privileged credentials (human, application, machine, etc.), BeyondTrust can help with our Password Safe solution. Our solution ensures privileged users, systems, and assets always have strong and unique credentials for system maintenance on any device and that end users are never placed in a situation to violate security best practices. Our Remote Support product also secures remote access for IT service desk personnel, while enforcing least privilege across all their access and troubleshooting operations, with full session management.
To learn more, contact BeyondTrust today.
Morey J. Haber, Chief Security Officer, BeyondTrust
Morey J. Haber is the Chief Security Officer at BeyondTrust. He has more than 25 years of IT industry experience and has authored three books: Privileged Attack Vectors, Asset Attack Vectors, and Identity Attack Vectors. He is a founding member of the industry group Transparency in Cyber, and in 2020 was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board. Morey currently oversees BeyondTrust security and governance for corporate and cloud based solutions and regularly consults for global periodicals and media. He originally joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition where he served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.