Tips and Tricks to help keep you safe online.
As you may have seen in the news and the latest versions of DfE requirements, there has been a much larger focus on Cyber Security than ever before.
It's a lot to take in, and it can be overwhelming at times, so I thought I would create a reminder and guide following on from our Passwords Cyber Security Training released around Easter this year.
This is the second in a 3-part series on password security; this article discusses the do's and don'ts of password sharing.
Risks
Whenever you do anything online, whether it's a simple image search for a funny meme, sending an email, banking or anything in between, you're exposing your personal data (to various extents) to the internet. Every time you do this, it carries a certain level of risk.
When we talk about risk in the Cyber Security world at an everyday level, we're usually thinking of the ways someone could compromise an important account. For example, if you send your Facebook password to a friend over Facebook Messenger, your initial thought might be:
"There's no risk here, I just need help setting something up and this is the easiest way - Facebook already have my password so my only risk here is my friend - I trust them, so it's fine."
Although this statement may initially seem true, delve a little deeper and think about the power that your Facebook password gives someone. The following factors should be considered (ranked from highest risk to lowest):
- I use Facebook authentication elsewhere - what other sites and services have I just given my friend access to?
- What if my friend's account gets hacked? Whoever hacked it has my username and password too now!
- Am I careful when out in public? My password is now in plain text - someone could easily capture it over my shoulder.
- What if my friend forgets to log out, and uses Facebook single sign on to purchase that £500 bespoke canvas they've been thinking of buying from Etsy?
- Can my chat be intercepted? Is it encrypted? (Facebook messenger is encrypted! This means my data shouldn't be intercepted and exposed this way)
- What if my friend forgets to log out, and uses my account to post something they should have posted on their own feed?
I'm sure there are plenty more, but this gives you an idea. We can use these, and anything else you may think of, to build a picture of your overall risk and exposure when sharing passwords, whether it's online, in person, or over the phone.
How to stay secure
Now that we understand some of the potential risks, we can use them to help reduce our exposure.
These are some of the things you can consider when attempting to share a password:
Can my data (password) be intercepted?
There are many ways in which sharing a password could result in it being intercepted by an unintended (potentially malicious) third party. The method below is one of the most common when specifically talking about sharing passwords and interception (this does happen!).
An email sent to IT Support from your email address saying "my password to login is 'Monkey7Fido'. Thanks." was sent unencrypted.
This is what anyone "listening" on the internet can see. It's mostly just header information that the email protocol uses to decide what to do with the email; however, at the bottom of the email, in plain text and clear as day, you can see the password that was sent within it:
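As an added example that is not part of the original article, the Python script below shows what a defender-side outbound mail check for exactly this situation could look like. It parses a raw email of the kind described above, reads the Received headers to see whether each hop used TLS, and flags a body that contains a shared password so the mail can be blocked before it leaves. The sample messages, the hostnames, the `assess` function and the credential regular expression are my own assumptions for the demo, not anything from the article or from any real mail filter.

```python
"""Added example (not from the original article): an outbound-mail check that
flags an email carrying a plaintext password.

Assumptions (mine, not the article's): the two raw messages below are
constructed for the demo, and hop encryption is judged from the
"with ESMTPS" / "with ESMTP" keywords that many mail servers write into
Received: headers to record whether STARTTLS was used on that hop."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample 1: a support request whose body carries a password,
# relayed over a hop that did not use TLS (plain "with ESMTP").
SAMPLE_EMAIL_BAD = """\
Received: from mail.example-school.test (mail.example-school.test [192.0.2.10])
\tby mx.support-provider.test with ESMTP id abc123
\tfor <support@support-provider.test>; Mon, 1 May 2023 09:00:00 +0100
From: teacher@example-school.test
To: support@support-provider.test
Subject: Login problem
Content-Type: text/plain; charset=utf-8

Hi, my password to login is "Monkey7Fido". Thanks.
"""

# Constructed sample 2: the same request done properly, asking for a reset
# instead of sending the password, over a TLS-protected hop ("with ESMTPS").
SAMPLE_EMAIL_OK = """\
Received: from mail.example-school.test (mail.example-school.test [192.0.2.10])
\tby mx.support-provider.test with ESMTPS id def456
\tfor <support@support-provider.test>; Mon, 1 May 2023 09:05:00 +0100
From: teacher@example-school.test
To: support@support-provider.test
Subject: Login problem
Content-Type: text/plain; charset=utf-8

Hi, I can't log in this morning, could you reset my password for me? Thanks.
"""

# Phrases that commonly precede a shared credential in free text:
# a keyword, a little context, then "is", ":" or "=" and the value itself.
CREDENTIAL_PATTERN = re.compile(
    r"\b(password|passwd|pwd|pin)\b[^\n]{0,40}?"
    r"(?:\bis\b|:|=)\s*[\"']?([^\s\"']{6,})",
    re.IGNORECASE,
)


def unencrypted_hops(msg: Message) -> list[str]:
    """Return the Received: headers whose hop did not use TLS."""
    hops = []
    for received in msg.get_all("Received", []):
        # "with ESMTPS" / "with ESMTPSA" means STARTTLS was used;
        # plain "with ESMTP" (or "with SMTP") means the hop was cleartext.
        m = re.search(r"\bwith\s+(E?SMTPS?A?)\b", received)
        if m and not m.group(1).upper().startswith(("ESMTPS", "SMTPS")):
            hops.append(received.split("\n")[0].strip())
    return hops


def find_shared_credentials(msg: Message) -> list[str]:
    """Return candidate secrets found in the text body (count them, never log them)."""
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return [m.group(2) for m in CREDENTIAL_PATTERN.finditer(body)]


def assess(raw: str) -> dict:
    """Combine both checks into a verdict an outbound-mail filter could act on."""
    msg = message_from_string(raw)
    secrets = find_shared_credentials(msg)
    plain_hops = unencrypted_hops(msg)
    return {
        "credential_in_body": bool(secrets),
        "secrets_found": len(secrets),      # how many, not what they were
        "unencrypted_hops": len(plain_hops),
        "verdict": "BLOCK" if secrets else "ALLOW",
    }


if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_EMAIL_BAD), ("ok", SAMPLE_EMAIL_OK)):
        print(label, assess(sample))
```

Two caveats worth keeping in mind if you adapt this: Received headers only tell you whether each server-to-server hop used TLS, not whether the message was protected end to end or how it is stored at either end, and a filter like this should report that a credential was found without writing the credential itself into its logs.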
Do I trust the person I'm sharing it with?
You need to ask yourself, "will the person I'm sharing this password with keep it secure?"
- Will they write it down and leave it in clear view?
- Will they share it with anyone else?
- Will they send it via email?
What does my account have access to?
Here we're thinking about the fact that if I provide my password to someone else, they will have access to all the same data I do, whether I intended for them to see it or not. When sharing a password and choosing the method to do so, this needs to be taken into account.
Read these next points twice: once from the perspective that you gave your password to someone willingly, then again as if the password was intercepted and an attacker was able to steal it from you.
When sharing your password with someone else, remember:
- They will have access to (for example) your email and any sensitive data you can see (this could be safeguarding, financial, or HR data).
- Think: do they have authorisation to see this? If not, this could constitute a data breach.
- What other accounts use the same username and password combination? They could gain access to these as well.
How should I share my password?
If you do need to share your password, or request a password to be shared with you (for example, after IT Support have reset it), ensure you ask that it's shared with you in person, over the phone, or via another separate (and secure) method.
If you'd prefer, rather than sharing your password, you could request that IT Support reset it to something different and share that password with you. You can then reset your password when we no longer need it (note that you can't reuse previous passwords, but you can set something similar).
- You could also send what I call "no context" text messages or, better yet, WhatsApp messages (WhatsApp is encrypted) with the password in, but do not reference the account you're sending the password for.
- You could send a Teams message to the user with no context. This isn't ideal if the password is for that same account; however, it is encrypted and therefore better than sending via email.
- You could use a separate encrypted (no context) email. This does have the same issue as Teams, though.
It's all about the data that password is protecting: the more sensitive, private or confidential the data, the more careful one must be with the password.
Student passwords
All of the above applies to student passwords, and I would always advise caution.
However, it's important to take into context what data their account holds. The risk here may be more one of another student shoulder surfing and using the details to delete or mess with other students' work than one of sensitive data being exposed.
Summary
- Try not to share your password with anyone; however, when absolutely necessary, ensure you use a secure/encrypted method.
- Never share your password with an untrusted party.
- Consider the risk factors, and weigh these up against the access your password provides.
Bonus tip: if you forget your password, you can always select "Forgot my password" when logging into Office 365. This is especially helpful if you've forgotten your password and you're working from home. You will need to have already set up MFA, though.
[Image: email header with password example]