Last week, British MP Nadine Dorries admitted doing something with her email password that a lot of people thought sounded a bit crazy.
Passwords are supposed to be top secret but Dorries, it seems, pays little attention to any of that and simply hands it out to her office staff so they can help manage her bulging email inbox of political correspondence.
She described this novel password system in a tweet:
All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
— Nadine Dorries (@NadineDorries) December 2, 2017
That’s it – if staff such as interns want her password, she tells them (or perhaps they tell her, we’re not sure).
The Twittersphere was unimpressed, pointing out:
- Isn’t password sharing against official House of Commons security advice?
- Doesn’t it also potentially compromise the accountability of MPs for acts carried out on their office computers (such as downloading porn, which First Secretary of State Damian Green has recently been accused of doing)?
But what Dorries and others like her may like to know is that there are ways to share access to your resources safely, and there are even safe ways to share passwords with colleagues when shared access isn’t an option.
Sharing access has become essential in many offices where employees work behind company profiles on sites like Facebook and LinkedIn, or, as in Dorries’ case, where multiple employees need access to a single email account or calendar.
The best way to do this is with something like delegated access, available in both the Microsoft Exchange and Google for business environments, where each user has an individual account.
Sometimes, sharing passwords is the only option though. It is essential for services like Twitter that don’t provide ways for multiple accounts to access a single profile, for example. A password manager such as LastPass is the best option here.
In both cases, access can be granted without secondary users being able to see passwords, which means these can’t leak out in plaintext or be re-purposed as part of credential stuffing attacks. Access can also be revoked at any time (revoking access where everyone just knows the boss’s password means changing the password every time somebody leaves and since that inconveniences everybody who uses it, it often doesn’t happen).
Some might have qualms about doing this for email accounts (attackers might in theory compromise the secondary user’s PC and abuse its access) but it would still be better than writing down a password, shouting it out in the office where it can be overheard, or anything else that increases the number of people who have to display good password hygiene to keep a system secure.
It also avoids what Dorries might call the ‘Damian Green defence’ of plausible deniability – that MPs can’t be held responsible for what is downloaded to their computers because other people were accessing their email account from the same machine and might have been responsible.
Secure sharing makes clear that each person can access an account from their own computer, sidestepping the issue.
But perhaps simply finessing password sharing is to miss the bigger takeaway from the great Dorries password debate of 2017: that there is an urgent need to stop relying on passwords alone and move to better authentication.
On that score, a blog by the Parliamentary Digital Service analysing the cyberattack on the House’s email system last summer noted that the recent roll-out of multi-factor authentication (MFA) to new MPs had helped reduce the effects of the breach.
Said PDS director, Rob Greig, on the sudden importance of MFA:
What was going to be a planned and careful roll-out designed to tackle legacy systems going back years, became an intense period of activity to get every user account secured.
Presumably, the PDS will have read of the password-sharing shenanigans of Dorries and her fellow MPs and immediately moved all of them up the MFA priority list.
delayedthoughtengineering
Yikes! I can think of several ways this could have been handled better.
1. Shared password vault with password software that can auto-type the password. A password vault can take advantage of MFA.
2. An e-mail rule to forward and delete e-mails based on criteria, allowing certain staffers to specialize in certain types of e-mail responses.
3. Set up a group e-mail address for inquiries. (Optional use: e-mail rule to push e-mails from a single-user e-mail address (in this case, the MP’s) to the group)
4. E-mail Delegate settings.
Tony Gore
Don’t forget these MPs are the same people who propose legislation such as having backdoors into encryption.
What they also do not seem to understand is that security is only as good as the weakest link.
We only have the reports in the press of what happened with Damian Green’s PC and the issue of porn. As a system admin some years ago, I had to investigate a similar case which could have resulted in the dismissal of a new partner in a firm. Eventually I was able to show that I had set the new PC up about a month before the person started and in the meantime, it had been used by girls in the office to access some dubious shopping web sites, and had got a Trojan in which had opened it up to act as a redistribution hub for porn. That finally explained where a lot of the office bandwidth was going. (Before anyone says – small business which would not invest in anything beyond the minimum of my time, or tools etc for decent level security. After this incident, they did take a bit more seriously).
I always try to persuade people to have their own separate logins on a PC, on the basis that I can then positively exclude them from some PC problems.