The Risks of Password and Account Sharing

The risks of password and account sharing can not be overstated when considering various technology platforms used by businesses and the increasing number of dispersed users and data breach cases attributed to poor identity and access management. Most companies have complex digital infrastructures that include desktops, mobile devices, and too many SaaS platforms to count. And they all have one thing in common: they rely on passwords to keep unauthorized users out and company data secure.

The risks of password and account sharing in identity management.

Using stolen and compromised passwords is the number one method hackers use to find their way into protected systems. In 2020, stolen passwords played a role in 81% of data breaches. And to date, over 11 billion accounts have had their passwords compromised in some way – and those are just the ones security researchers know about.

All of this means that finding ways to keep passwords secure should be a top priority for individuals and businesses, alike. But that doesn’t stop users from taking unnecessary risks with their passwords and accounts. And one of the most common risks they take is sharing their accounts and passwords with others. Sometimes it’s for convenience and other times to save money. But it’s always dangerous.

Let’s discuss the risks of password and account sharing, and some account management best practices to follow in situations where it can’t be avoided.

The Risks of Password and Account Sharing

Potential for Account Loss

Any time the password for an account is shared among two or more people, there’s a chance that one of those people will act to take control of that account and lock everyone else out. This occasionally happens when a disgruntled employee leaves a job, or even if they inadvertently allow the password to fall into the wrong hands.

And when the password in question is one that’s being used on multiple platforms at once, the danger increases exponentially. Imagine, for a moment, that a bad actor chooses to use a known password to gain control of a related email account. Using that email address, they could then reset the passwords of any account connected to it. Before you know it, they’ve hijacked an entire online identity.

Increased Vulnerability to Hackers

Passwords are an effective security measure as long as you manage to keep them a secret to keep hackers out who will have to consider other options such as carrying out slow and inefficient dictionary attacks to try and gain access to protected systems. But when you share passwords among multiple people, you’re also creating more vulnerabilities for hackers to exploit.

This is because phishing and other social engineering approaches are the preferred methods hackers use to trick users into revealing their passwords. Therefore, the more people know a password, the more targets they have for those attempts. If anyone slips up, everyone suffers.

Reputational Damage

The whole rationale behind passwords is that they provide a way to keep unauthorized users away from sensitive data and systems. And when hackers gain access to such data and systems, they can do all kinds of harm to the business or individual accounts. All they have to do is to impersonate and trouble begins.

One such case is the mass takeover of well-known users’ Twitter accounts back in 2020. The attackers managed to swindle users out of over $100,000 of Bitcoin by tweeting a scam through the compromised accounts. But in that case, the attack was noteworthy enough that its targets didn’t take a reputational hit from it. But if the same were to happen to a single individual or small business, they might not be so fortunate.

Managing Password and Account Sharing Risks

Even though the above account sharing risks demonstrate why it’s best to avoid the practice, there are some situations where that’s impractical and sometimes impossible. And when that happens, the best you can do is take some extra steps to maintain your account security. The best ways to do that are:

  • Use an encrypted password manager – One of the best ways to secure a shared account is to insist that all users store the password in an encrypted password manager. Then it’s possible to make the password extra complex because the individual users don’t necessarily need to recall it from memory. That helps the password resist dictionary attacks and makes it harder for the involved users to divulge the password in a phishing or social engineering attack. LastPass is an example of a password manager.
  • Use two-factor authentication – When dealing with a shared account, it’s always advisable to enable two-factor authentication (2FA) when it’s available. This reduces the reliance on the password as the only line of defense against intruders. Common shared 2FA options include security questions or single-use codes (sent to a shared email account or a distribution list).
  • Use hardware security keys – Another great option for securing shared accounts is to use hardware security keys instead of simple passwords wherever possible. These simple-to-use and inexpensive devices can protect accounts against almost every conceivable threat – and make worries about passwords a thing of the past.

The Bottom Line

At the end of the day, the best way to manage the risks associated with shared passwords is to avoid sharing them in the first place. But when that’s impossible, there are some simple and effective methods to keep shared accounts secure. By using one (or more) of them, you can greatly reduce the odds of falling victim to a data breach or other password-driven cyberattack.

Identity and access management certifications