In recent months the online streaming giant Netflix has been trying to tackle the problem of password sharing, as the cost of living crisis, coupled with the fact that the world is no longer locked down by a pandemic, means subscriber numbers have fallen. However, the issue of password sharing is not new, especially in the world of software licensing.
The practice of software licence sharing within an organisation isn’t necessarily something to be frowned upon if it is permitted by the vendor; many vendors use licence management systems to prevent inadvertent usage and piracy. As businesses around the world have been exposed to higher costs, whether that is materials (driven by supply chain issues), human resources (specific skill sets attracting a premium) or changes to corporate taxation, many have sought ways to reduce expenditure, and limiting licences can be one such saving. Yet there should be careful consideration and a degree of reservation regarding whether employees should be actively encouraged to share a password.
The danger of password sharing
If you create a culture in which passwords to vital resources are freely passed around the office and beyond (given the rise in people working from home), you are potentially increasing risk. Of course, the vast majority of people are diligent, but it is only right and proper to provide clear guidance as to what is acceptable. After all, few may see what harm it can cause, and who doesn’t cut the occasional corner to get the job done?
As soon as password sharing becomes standard operating procedure, it is unlikely to stop at that one piece of software. In fact, we know through our Password Breach Database that Active Directory passwords used by employees are being used as login credentials for other online services. Suddenly, systems storing confidential data, intellectual property and other assets have a greater exposure to being compromised, should the bad guys get access to the username and password.
Password security is priceless
Passwords are already a weak point for organisations. Having a password policy that advises people to change their credentials often, create so-called ‘strong’ passwords and not share login details with others is essentially useless if it is not adhered to, not policed or, to make matters worse, watered down for the sake of saving a few licences. If you do need to trim costs, work with the vendor. Perhaps they can then provide a floating licence that enables users to have their own secure logins, but access is restricted if the number of active sessions reaches the licence limit.
The password problem isn’t going away. Only this month the Authlogics Password Breach Database reached the troubling milestone of 5 billion clear text credential records. There is a clear path for organisations to follow from passwords all the way through to PKI, and points in between, depending on what level of security is appropriate. The first step must be to manage password security.