You’re in a hurry, out of the office, or collaborating on a project with a colleague. In many cases, the idea of sharing your credentials for a computer or account doesn’t seem that big of a deal. It’s the easiest way to provide access to your account when someone needs to see your data. A recent survey by SurveyMonkey found that an astonishing 34% of respondents said they share passwords or accounts with their colleagues. If the other person has the same level of access as you, it doesn’t seem harmful to let them use your account. However, there are several reasons why sharing credentials puts you and your organization at tremendous risk.

You may have impeccable password security habits, using a password manager to keep track of the passwords you have randomly generated for each of your accounts. The risk to your organization of your password being compromised is low. If you share your password with someone else, there is no guarantee that person can keep it safe. By sharing your password, you lose control of how it is stored. Maybe your colleague writes it down and leaves it next to their desk, or they store it on a compromised device. It’s likely the person you have trusted with your password doesn’t mean to compromise your account. Still, they may not have considered the wider implications of the account getting compromised, and as a result, not taken the necessary steps to secure it.

In addition to improper storage of passwords, sharing credentials makes it increasingly hard to establish who is doing what. Cybersecurity teams audit important and anomalous activity on systems. Under normal circumstances, if an individual alters sensitive company data or falls foul of a phishing attack, the cyber team can identify the user through their account credentials and take steps to rectify the problem. However, if many people all share a common login, the process of attributing activity becomes unnecessarily complicated. In most cases, time is of the essence when determining the cause and scope of a cyber incident. By complicating this process, you increase the risk to the organization.

Credentials do not change with organizational structure changes

Perhaps the most critical risk of shared credentials is the loss of access control. When you’re working with a colleague, you may have the same level of access, and legitimately view the same resources as them. In this situation, sharing credentials so a colleague can do their job may seem logical. However, even if you share the same level of access now, this might not remain the case. When employees leave an organization, their accounts are locked to protect corporate information. When there are shared credentials, this can’t be guaranteed, potentially resulting in disgruntled employees maintaining access to the corporate system. Promotions and changes in job roles also have unintended consequences when you have shared credentials, with colleagues gaining access to resources outside their job role.

“Even on shared machines with no authentication, the unique typing patterns can identify the number of different users with access to the machine.”

— Mark Caldwell, on keystroke authentication

Password sharing carries a considerable risk for your organization. According to the Verizon Data Breach Investigations Report, 81% of hacking-related breaches make use of stolen or weak passwords. Shared passwords make it easier for multiple systems to become compromised through a single account. Imagine a hacker discovering a document of shared passwords in one employee’s account; this quickly grants them access to other parts of the network, turning a single security incident into a major breach.

Prevent credential sharing beyond multi-factor authentication

Multi-factor authentication means relying on more than just a password to access an account. When used for access management, it makes credential sharing much harder and often infeasible. Typically, multi-factor authentication means using a smartcard, random code generator, or other physical device as part of the login process. The Jazz Agent takes this concept one step further and provides continuous authentication by profiling a user’s typing behavior.

The Jazz Agent uses machine learning to recognize each user’s typing patterns by analyzing keystroke dynamics. Rather than relying on what a user types, the unique way an individual presses and holds a key or combination of keys on the keyboard is used to learn how they type. Once the typing patterns of a user have been established, they are associated with a set of login credentials. The Jazz Agent then analyzes and verifies any future typing to detect unknown users of the account.

The Jazz Platform collates each user’s typing patterns, making them available across the organization’s whole infrastructure. Through this central repository, machines that have never been used by a user before can still identify significant differences in a user’s typing pattern, allowing the detection of unauthorized credential use. In hacking-related breaches where compromised credentials are used to gain access to a large number of assets on the network, this type of infrastructure-wide authentication is invaluable.

Continuous authentication with keystroke analysis

Keystroke authentication has many advantages. Unlike traditional approaches, no special sensors or additional hardware are required, and there is no extra burden on the user, who simply interacts with their machine as usual. Authentication is continuous, meaning if an authenticated device is left unattended, unauthorized use can still be detected quickly. The number of typing profiles associated with an account can be monitored, providing admins with a rich insight into accounts that are being shared. Even on shared machines with no authentication, the unique typing patterns can identify the number of different users with access to the machine. When combined with the Jazz Agent’s notification system, immediate feedback can be displayed to users, explaining the risks associated with credential sharing.
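The press-and-hold timing idea described earlier, and the monitoring of how many typing profiles one account shows, can be illustrated with a small statistical model. This is an added example, not the Jazz Agent's code or its machine-learning model: the scaled Manhattan distance, the 3.0 threshold, the function names and all keystroke timings are assumptions constructed for illustration.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms)] -> mean dwell per key, mean flight per key pair."""
    raw = {}
    for key, down, up in events:
        raw.setdefault(("dwell", key), []).append(up - down)
    for (k1, _, up1), (k2, down2, _) in zip(events, events[1:]):
        raw.setdefault(("flight", k1, k2), []).append(down2 - up1)
    return {name: mean(vals) for name, vals in raw.items()}

def enroll(samples):
    """Profile = per-feature (mean, mean absolute deviation) over the samples."""
    vectors = [features(s) for s in samples]
    profile = {}
    for name in set.intersection(*map(set, vectors)):
        vals = [v[name] for v in vectors]
        mu = mean(vals)
        profile[name] = (mu, max(mean(abs(x - mu) for x in vals), 1.0))  # 1 ms floor
    return profile

def distance(profile, events):
    """Scaled Manhattan distance averaged over features seen in both."""
    f = features(events)
    common = [n for n in profile if n in f]
    if not common:
        return float("inf")  # nothing comparable: treat as an unknown typist
    return mean(abs(f[n] - profile[n][0]) / profile[n][1] for n in common)

def count_typists(sessions, threshold=3.0):  # assumed cut-off; tune on real data
    """Greedily group one account's sessions into distinct typing profiles."""
    groups = []
    for s in sessions:
        match = next((g for g in groups if distance(enroll(g), s) <= threshold), None)
        if match is None:
            groups.append(match := [])
        match.append(s)
    return len(groups)

def synth(text, dwell, flight, jitter):
    """Constructed sample: fixed base timings plus a small deterministic jitter."""
    t, events = 0, []
    for i, ch in enumerate(text):
        d = dwell + ((i % 3) - 1) * jitter
        events.append((ch, t, t + d))
        t += d + flight + (i % 2) * jitter
    return events

OWNER = [synth("password", 95, 60, j) for j in (2, 4, 6)]  # constructed sessions
GUEST = [synth("password", 140, 35, j) for j in (2, 4)]    # constructed second typist
```

A count above one for a single account is the sharing signal; `count_typists(OWNER + GUEST)` returns 2 for these constructed sessions.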

Credential sharing is a threat to your organization’s cybersecurity, and it’s one that receives little attention. Many situations exist where sharing a password with a colleague may seem logical; however, it puts an organization’s cybersecurity at risk. By using the Jazz Platform, it’s possible to reduce the chance of these situations occurring. Keyboard analytics can identify cases where credential sharing may have happened, allowing action to be taken.

Sources:

  • SurveyMonkey, “Password sharing is a huge security threat, so why do people do it?”, November 1, 2019
  • Verizon, “2019 Data Breach Investigations Report: Understanding the threats can help you manage risk effectively”, November 1, 2019