Once a year or so, one of the big UK tech magazines or websites[1] does a survey where they send a group of people to one of the big London train stations and ask travellers for their password[3]. The deal is that every traveller who gives up their password gets a pencil, a chocolate bar or similar.
I’ve always been sad that I’ve never managed to be at the requisite station for one of these polls. I would love to get a free pencil – or even better a chocolate bar[4] – for lying about a password. Or even, frankly, for giving them one of my actual passwords, which would be completely useless to them without some identifying information about me. Which I obviously wouldn’t give them. Or again, would pretend to give them, but lie.
The point of this exercise[5] is supposed to be to expose the fact that people are very bad about protecting their passwords. What it actually identifies is that a good percentage of the British travelling public are either very bad about protecting their passwords, or are entirely capable of making informed (or false) statements in order to get a free pencil or chocolate bar[4]. Good on the British travelling public, say I.
Now, everybody agrees that passwords are on their way out, as they have been on their way out for a good 15-20 years, so that’s nice. People misuse them, reuse them, don’t change them often enough, etc., etc.. But it turns out that it’s not the passwords that are the real problem. This week, more than one British MP admitted – seemingly without any realisation that they were doing anything wrong – that they share their passwords with their staff, or just leave their machines unlocked so that anyone on their staff can answer their email or perform other actions on their behalf.
This isn’t a password problem. It’s a misunderstanding-of-what-accounts-are-for problem.
People seem to think that, in a corporate or government setting, the point of passwords is to stop people looking at things they shouldn’t.
That’s wrong. The point of passwords is to allow different accounts for different people, so that the appropriate people can exercise the appropriate actions, and be audited as having done so. It is, basically, a matching of authority to responsibility – as I discussed in last week’s post Explained: five misused security words – with a bit of auditing thrown in.
Now, looking at things you shouldn’t is one action that a person may have responsibility for, certainly, but it’s not the main thing. But if you misuse accounts in the way that has been exposed in the UK parliament, then worse things are going to happen. If you willingly bypass accounts, you are removing the ability of those who have a responsibility to ensure correct responsibility-authority pairings to track and audit actions. You are, in fact, setting yourself up with excuses before the fact, but also making it very difficult to prove wrongdoing by other people who may misuse an account. A culture that allows such behaviour is one which doesn’t allow misuse to be tracked. This is bad enough in a company or a school – but in our seat of government? Unacceptable. You just have to hope that there are free pencils. Or chocolate bars[4].
1. I can’t remember which, and I’m not going to do them the service of referencing them, or even looking them up, for reasons that should be clear once you read the main text.[2]
2. I’m trialling a new form or footnote referencing. Please let me know whether you like it.
3. I guess their email password, but again, I can’t remember and I’m not going to look it up.
4. Or similar.
5. I say “point”…
Alice, Eve and Bob - a security blog 
The new footnote format is easier to track, I like it better 🙂
As for account sharing in Parliament, a cynic might think they are actually aware of the fact sharing destroys auditing capabilities and that’s the main reason for doing it.
LikeLike