
Password sharing and credentials sharing: A look into cyber security

Author: David Grady

When it comes to password sharing and credentials sharing, which do you think is more likely to get compromised by an external attacker? One account with a strong password that is shared by five people, or five separate accounts, each with a strong password that is known only to that individual? For the purposes of this illustration, let’s remove insider misuse from the equation.

For most people, the instinctive reaction is to shout the evils of password sharing and credentials sharing. But the answer is not as straightforward as one might think. 

Password sharing and credentials sharing explained

Let’s take a closer look at a hypothetical scenario involving password sharing and credentials sharing and break it down.

In the above example, let’s assume that all internal users behave the same way (likelihood to click on links, web surfing habits, etc.) and that all other controls are the same for all devices. Given those assumptions, the probability of any single account being compromised, whether one of the five unique credentials or the one shared credential, would be close to or equal.

Let’s assume the potential for compromise can occur in one of three places: 1) the device being logged into, 2) the user devices used to authenticate remotely, and 3) the users themselves.

For the most common threat actions that attack users, such as phishing, the likelihood of compromise again would be close.

In each scenario, there are five possible human targets, and the methods used would not leverage the fact that the password is shared versus unique. “Hey, this is Mitch from IT. I’m a great guy. We support the same local sports team. By the way, what’s your password?”

One could argue that a user may be more hesitant about password sharing and credentials sharing if the account is a known shared account because divulging that information would affect others’ access.

On the other hand, a user may be fooled more easily into password sharing and credentials sharing if he or she is convinced the person needs to be added to the group and therefore needs the password.

Threat actions that target user devices

For threat actions that target users’ devices, such as keyloggers, again the fact that the password is the same would not factor into the probability. The keylogger pulling information from user input does not know or care if the same account is used by another user.

So if the devices are equally at risk of malware infection, then they are close to, if not equally, at risk of a keylogger or other malware capturing that credential.

Threat actions that target the server device

Threat actions that target the server device, like password cracking or brute force, may have different probabilities of success. This is because there are five hashes that possibly could be in rainbow tables, or possibly be in the list of passwords thrown at it.

In this scenario, the probability of a compromise is slightly higher with unique credentials because there are now five targets to crack, not one target repeated five times. But consolidating into a shared credential to reduce that exposure is not a recommended security control.

Moreover, in the brute force scenario, the probability would be improved only if the external threat actor already knew the username.

Bottom line, the common threat actions used by external actors to steal user credentials are not influenced, helped, or hindered by whether that username/password is unique. So the probability that one of the five unique credentials is compromised versus one of five identical credentials is close to equal.

And without any research on the potential variables above (e.g., “Are people more likely to engage in password sharing and credentials sharing with an external pretexter?” or “How much more likely is a password cracking attack to succeed against one hash versus five hashes?”), the two probabilities should be treated as equal.

Threat actions that target users

Let’s go back to our initial question, which asks about the probability that all five unique credentials are compromised versus a single shared credential. All things being equal, it is much likelier that a single credential will be compromised than all five. You would need to social engineer all five users, install a keylogger on all five user devices, and crack or brute force all five stored passwords. But that is not the security question that needs to be asked.

If any one of the five is compromised, then the loss to the device in question is the same as if the shared credential had been compromised (assuming the levels of access for all five users are equal).

Password sharing and credentials sharing solution

The answer to password sharing and credentials sharing lies in establishing unique credentials. Why push for five unique credentials? For the obvious reason that was taken out of the equation above (insider misuse): with a shared account, there is no way to identify exactly which user is doing what.

Another reason for establishing unique credentials is to improve detective controls to help identify a potential compromised account. The behavior of five different people using a single account may be harder to baseline than five individual users and their individual account usages, especially when users work in multiple time zones or a shift work environment.

It may not be out of the norm to see the shared user ‘box_admin’ log in at 1600 Pacific Time because one of the five shared users is based in Seattle, but if Ashburn-based user ‘david.grady’ logs in that could be flagged as unusual if David does not typically log in after normal business hours.
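As an added example (not part of the original article), the following Python script shows the baselining idea above over a handful of constructed login records: it learns the hours at which each account normally authenticates and flags a login outside that window. The account names box_admin and david.grady, the timestamps, and the one-hour slack are all constructed for illustration. Because the shared account is used from two time zones, its baseline spans a wide stretch of the day, so a 16:00 Pacific login (23:00 UTC in June) looks normal for it but unusual for the individual Ashburn-based account.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample login records (UTC timestamps), not real data.
# box_admin is a shared account used from both Seattle and Ashburn;
# david.grady is an individual account used from Ashburn (US Eastern).
TRAINING_LOGINS = """
2021-06-01T13:05:00Z box_admin
2021-06-01T17:30:00Z box_admin
2021-06-01T22:45:00Z box_admin
2021-06-02T23:50:00Z box_admin
2021-06-02T13:10:00Z david.grady
2021-06-02T15:40:00Z david.grady
2021-06-03T20:55:00Z david.grady
""".strip().splitlines()


def parse_login(line):
    """Split one '<ISO-8601 UTC timestamp> <account>' record into (datetime, account)."""
    ts, user = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user


def build_baseline(lines, slack=1):
    """Per-account set of 'normal' login hours (UTC).

    Every observed hour is widened by +/- `slack` hours (wrapping at midnight)
    so a login a little earlier or later than usual is not flagged.
    """
    seen = defaultdict(set)
    for line in lines:
        when, user = parse_login(line)
        for delta in range(-slack, slack + 1):
            seen[user].add((when.hour + delta) % 24)
    return dict(seen)


def is_unusual(baseline, line):
    """True when the account has no baseline or the login hour is outside it."""
    when, user = parse_login(line)
    if user not in baseline:
        return True  # never seen this account authenticate before
    return when.hour not in baseline[user]


def evaluate(baseline, lines):
    """Return [(account, timestamp, flagged)] for a batch of new login records."""
    results = []
    for line in lines:
        when, user = parse_login(line)
        results.append((user, when.isoformat(), is_unusual(baseline, line)))
    return results


if __name__ == "__main__":
    baseline = build_baseline(TRAINING_LOGINS)
    # 16:00 Pacific Daylight Time on 2021-06-04 is 23:00 UTC (constructed test logins).
    new_logins = [
        "2021-06-04T23:00:00Z box_admin",
        "2021-06-04T23:00:00Z david.grady",
    ]
    for user, when, flagged in evaluate(baseline, new_logins):
        print(f"{when} {user:12} {'UNUSUAL' if flagged else 'normal'}")
```

The shared account's baseline already contains the 23:00 UTC hour because one of its users works Pacific hours, so the detective control has nothing to say about that login; the same hour for david.grady falls outside his Eastern-hours baseline and is flagged. A production version would baseline on more than the hour of day (source network, device, day of week), but the point of the example is that a per-person baseline is only possible when the credential is per-person.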

So, when deciding whether to allow password sharing and credentials sharing among team members, it’s important to consider the likelihood of a compromise by an external threat actor. Read more about the latest threat actions bad actors use to steal credentials in the Verizon 2021 Data Breach Investigations Report.

David Grady is an ISACA-Certified Information Security Manager (CISM) and Chief Cybersecurity Evangelist at Verizon Business Group.