Selling a Password – Not a Victimless Crime

If one of your employees were approached and asked to sell their keys to your office, I suspect the vast majority would flat-out refuse. But what if they were asked for their password in exchange for cash?

They might think to themselves: “It is only a password, what harm could come from it. After all, I am always forgetting it and needing to reset the darn thing.”

Of course, those of us working in the security industry know that the difference between a key and a password is simply that one exists physically and one doesn’t – although you could argue this for passwords, given that most are written on pieces of paper. What is more, for many businesses today a data breach is likely to be far costlier than an ‘old school’ break-in.

What a lock & key and password also have in common is that they are a deterrent to the opportunist. If someone is determined to get in they will find a way, whether it is by brute force, through an open back-door or window. They will look for the weak point and in the digital world that point is the fragility of passwords and those who are in possession of them.

Worryingly, a new survey commissioned by SailPoint and reported on TechRadar, suggests that 16% of employees would be willing to sell a password to an unknown third party and more than half of those would want £700 or less. Not a bad investment when you consider the return from gaining access to company systems and valuable data.

The trouble with this type of transaction is that it is so simple and quick, the seller never meets the buyer and it can feel like a victimless crime. That is until they feel the impact – whether their involvement is found out, or their company is compromised to the point at which they lose their job and the company folds (a real risk for smaller organisations that are breached).

Thankfully, the results from the SailPoint survey show that selling passwords is something only the small minority would consider, but it also is important to remember that this is only one route used to ‘attack’ organisations using password-based systems.

For years’ security experts have stressed the need for better password management education. However, the message has not got through. People still see passwords as a pain in the neck and not as something valuable that they are the trusted custodian of.  Perhaps if they knew the real value the 16% of respondent would demand a far higher price! The time has come for organisations of all shapes and sizes to re-evaluate their use of passwords to remove temptation from those who could be swayed and to make lives easier for those who use and administer them. A move away from passwords altogether would certainly achieve this and much more.