Today, we look at two dangers of shared accounts. Many compliance requirements, for example PCI DSS, require users to have unique accounts and prohibit the use of shared accounts. However, rather than blindly complying with the requirement, let’s take a look at why this is important.
First, shared accounts have shared passwords. In other words, whoever has access to the shared account also has access to its password, which creates numerous password management challenges. First, in 90% of the cases, this means that the password is written down somewhere. That can be done securely, like in a password manager, but most of the time it is a sticky note or an Excel spreadsheet on a shared drive, which increases the likelihood that an attacker will get their hands on the password. Additionally, because the password is shared, it must be changed whenever someone who knows it leaves the company. If the password is shared with an outside contractor for some reason, again, it must be changed. I am not saying this cannot be done securely, but it is an obstacle that must be overcome.
The second danger I want to highlight is the loss of nonrepudiation. When a shared account is used, you cannot prove which user took a particular action. Let’s say, for example, that someone using a shared IT administrator account logged into the VPN at 3 AM and did something malicious or fraudulent. Because 8 people have access to that password, you cannot prove which of those 8 users performed that action. Sure, you could look at the source IP address the action originated from, but suppose the attacker took a few simple steps to anonymize their traffic (Tor, an open or shared WiFi network, etc.). This prevents you from taking action against the individual who performed the malicious activity. Nonrepudiation also acts as a deterrent: when users know their actions can be tied back to them, they are more likely to comply with internal company guidelines and security best practices than they would if they thought their actions were anonymous.
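As an added illustration (not code from the original post), the following Python script shows both problems on constructed data: a shared VPN account whose 3 AM login can only be attributed to a set of eight holders, and a shared password that was not rotated after one of those holders left. The account names, people, dates and log lines are all made up.

```python
# Added example, not from the original post. All accounts, people, dates and
# log lines below are constructed to illustrate the two dangers described above.
import re
from datetime import date, datetime

# Constructed account inventory: account name -> people who know the password.
ACCOUNT_HOLDERS = {
    "itadmin": ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"],
    "alice": ["alice"],
}
# Constructed: last password rotation per account, and when a holder left.
PASSWORD_ROTATED = {"itadmin": date(2024, 1, 15), "alice": date(2024, 3, 1)}
DEPARTURES = {"frank": date(2024, 2, 20)}  # left after the last itadmin rotation

# Constructed VPN log format: "<ISO timestamp> vpn login user=<acct> src=<ip>"
LOG_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+)$")


def attribution_set(log_line):
    """Return (account, set of people who could have performed this login)."""
    m = LOG_RE.match(log_line)
    if not m:
        raise ValueError(f"unrecognised line: {log_line!r}")
    _ts, user, _src = m.groups()
    # The source IP is deliberately not used: the post notes it can be
    # anonymised, so only the account-to-person mapping gives attribution.
    return user, set(ACCOUNT_HOLDERS.get(user, [user]))


def is_off_hours(log_line, start=7, end=19):
    """True when the login timestamp falls outside business hours (UTC)."""
    ts = log_line.split(" ", 1)[0]
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return not (start <= hour < end)


def audit_shared_accounts():
    """Findings for every account shared by more than one person, including
    passwords that were not rotated after a holder's departure."""
    findings = []
    for acct, holders in ACCOUNT_HOLDERS.items():
        if len(holders) < 2:
            continue
        findings.append(f"{acct}: shared by {len(holders)} people, "
                        "actions cannot be attributed to an individual")
        stale = sorted(p for p in holders
                       if DEPARTURES.get(p, date.min) >= PASSWORD_ROTATED[acct])
        if stale:
            findings.append(f"{acct}: password not rotated since departure "
                            f"of {', '.join(stale)}")
    return findings
```

Running `attribution_set` on the 3 AM `itadmin` line yields all eight holders, whereas the personal `alice` account resolves to exactly one person; `audit_shared_accounts` additionally reports the rotation gap left by `frank`'s departure.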
In summary, there are numerous dangers of shared accounts, which is why they are forbidden by many compliance requirements. First, there are password management issues, both with how the password is shared with different users and with the change process when someone leaves the team. Second, shared accounts prevent nonrepudiation. Hopefully this helps you understand some of the dangers of shared accounts, but if you have any questions, we would be happy to discuss further.