Last week, British MP Nadine Dorries admitted doing something with her email password that a lot of people thought sounded a bit crazy.
Passwords are supposed to be top secret but Dorries, it seems, pays little attention to any of that and simply hands it out to her office staff so they can help manage her bulging email inbox of political correspondence.
She described this novel password system in a tweet:
All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’
— Nadine Dorries (@NadineDorries) December 2, 2017
That’s it – if staff such as interns want her password, she tells them (or perhaps they tell her, we’re not sure).
The Twittersphere was unimpressed, pointing out:
- Isn’t password sharing against official House of Commons security advice?
- Doesn’t it also potentially compromise the accountability of MPs for acts carried out on their office computers (such as downloading porn, which First Secretary of State Damian Green has recently been accused of doing)?
But what Dorries and others like her may like to know is that there are ways to share access to your resources safely, and there are even safe ways to share passwords with colleagues when shared access isn’t an option.
Sharing access has become essential in many offices where employees work behind company profiles on sites like Facebook and LinkedIn, or, as in Dorries’ case, where multiple employees need access to a single email account or calendar.
The best way to do this is with something like delegated access, available in both the Microsoft Exchange and Google for business environments, where each user has an individual account.
Sometimes, sharing passwords is the only option though. It is essential for services like Twitter that don’t provide ways for multiple accounts to access a single profile, for example. A password manager such as LastPass is the best option here.
In both cases, access can be granted without secondary users being able to see passwords, which means these can’t leak out in plaintext or be re-purposed as part of credential stuffing attacks. Access can also be revoked at any time (revoking access where everyone just knows the boss’s password means changing the password every time somebody leaves and since that inconveniences everybody who uses it, it often doesn’t happen).
Some might have qualms about doing this for email accounts (attackers might in theory compromise the secondary user’s PC and abuse its access) but it would still be better than writing down a password, shouting it out in the office where it can be overheard, or anything else that increases the number of people who have to display good password hygiene to keep a system secure.
It also avoids what Dorries might call the ‘Damian Green defence’ of plausible deniability – that MPs can’t be held responsible for what is downloaded to their computers because other people were accessing their email account from the same machine and might have been responsible.
Secure sharing makes clear that each person can access an account from their own computer, sidestepping the issue.
But perhaps simply finessing password sharing is to miss the bigger takeaway from the great Dorries password debate of 2017: that there is an urgent need to stop relying on passwords alone and move to better authentication.
On that score, a blog by the Parliamentary Digital Service analysing the cyberattack on the House’s email system last summer noted that the recent roll-out of multi-factor authentication (MFA) to new MPs had helped reduce the effects of the breach.
Said PDS director, Rob Greig, on the sudden importance of MFA:
What was going to be a planned and careful roll-out designed to tackle legacy systems going back years, became an intense period of activity to get every user account secured.
Presumably, the PDS will have read of the password-sharing shenanigans of Dorries and her fellow MPs and immediately moved all of them up the MFA priority list.