Source: The Trouble with Politicians Sharing Passwords
the premise of justifying a bad practice purely on the basis of it being common is extremely worrying. It’s normalising a behaviour that we should be actively working towards turning around.
What’s the Problem Credential Sharing is Solving?
Let’s start here because it’s important to acknowledge that there’s a reason Nadine (and others) are deliberately sharing their passwords with other people. … sourcing help from staffers … delegation … collaboration … there are indeed technology solutions available to solve this problem
One of the constant themes that came back to me via Twitter was “plausible deniability” … The assertion here is that someone in her position could potentially say “something bad happened under my account but because multiple people use it, maybe it was someone else”. The thing is, this is precisely the antithesis of identity and accountability and if this is actually a desirable state, then frankly there’s much bigger problems at hand.
there are plenty of people who unwittingly put an organisation at risk due to having rights to things they simply don’t need … We call the antidote for this the principle of least privilege … social engineering is especially concerning in an environment where the sharing of credentials is the norm. When you condition people to treating secrets as no longer being secret but rather something you share with someone else that can establish sufficient trust, you open up a Pandora’s box of possible problems because creating a veneer of authenticity in order to gain trust is precisely what phishers are so good at!
The great irony of the debates justifying credential sharing is that they were sparked by someone attempting to claim innocence with those supporting him saying “well, it could have been someone else using his credentials”! This is precisely why this is problem! Fortunately, this whole thing was sparked by something as benign as looking at porn and before anyone jumps up and down and says that’s actually a serious violation, when you consider the sorts of activities we task those in parliament with, you can see how behaviour under someone’s identity we can’t attribute back to them could be far, far more serious.