Shared Passwords

Most people will be able to tell you that when it comes to passwords the three things you should never do are, pick an obvious password, write a password down, or share that password with anyone.  There a many reasons for this but ultimately security is the primary objective, that is what passwords were created for - to prevent access to a system so that only the person who created the password would be able to access it.

The problem with passwords is that there are often times when you do need to share a password with someone else so that they can access a system, and often that system may be shared by multiple people who all use the same password.  An example of this would be a wifi network key - this is a password that serves the purpose of restricting access to a wifi network only to those who know the key - dismissing for now the multitude of ways you can bypass this or break the encryption let's just focus on the basic principle, that is, that the network is locked using a single password that everyone who uses that network will use.  On top of that if the password ever needs changed then everyone needs to know the new password.  In this scenario you are only as strong as your weakest user; that is to say the person who flaunts security the most is the weakest link in your system.

According to BBC News, Police in India failed to act on hundreds of complaints of corruption over 8 years because of a forgotten password. This is an example of what can happen when access to a system is lost.   While the issue of sharing passwords in error or being insecure is serious, the issue of not sharing passwords at all is equally as damaging.  Take for example a System Administrator working in a school.  He would have access to the primary server within the school and he would access that via a user-name and password combination.  Logic would dictate as the System Administrator he would be the only one with those access details.  So what happens for example if he takes a heart attack?   If he never shared those details with anyone then the system would become inaccessible.  These types of systems which rely heavily on security often won't have any method of resetting the password, more over what little fail safes are in place would also be secured, again the person responsible for that would likely be the System Administrator who had a heart attack.

These are valid reasons for what is known as White Hat Hacking - this is a term used for security specialists who are essentially hackers but do so legally through paid employment.  These people can be hired by the School in our example and can hack the server as there is legitimate reason to access the contents.  If we move away from a digital setting for a moment and consider a shop with a safe in which all the money is stored.  The manager and a few others would have access to that safe via the combination.  In the unlikely event that all of those people were unable to provide the combination then the contents would be lost.  In this scenario you would need to employ a security specialist who can crack a safe [brute force physical attacks on the safe would not really be an option since they are designed to withstand those attacks] ultimately opening the safe and setting a new combination. 

Another less extreme example would be a staff locker secured by a padlock, the member of staff quits and take with them the keys.  In the event that there are no spare keys either a lock smith would be needed or a pair of bolt cutters strong enough to remove the padlock.  The physical key of that padlock represents the passwords we need in order to access the systems we use.

The problem of providing a secure method of sharing passwords is one that is not easily solved.  Ultimately each system for sharing those passwords that is created will invariably weaken the system as they provide another method for accessing a system you should not - why attack a system that is heavily locked down when you can attack the location of those keys and then simply open doors at your leisure.

No comments:

Post a Comment

All comments are moderated before they are published. If you want your comment to remain private please state that clearly.