Sharing Passwords is Bad, but Should It Be Illegal?

“Don’t share your passwords with anyone!” We say it repeatedly in Learning Tree’s System and Network Security Introduction, and I’m sure I’ve said it on this blog more than once. It’s bad practice; it leads to potential insecurity, and it means systems aren’t able to properly account for use. Sharing passwords is also illegal in some parts of the US!

Computer Fraud and Abuse Act (CFAA)

That’s right. The US Ninth Circuit Court of Appeals held in July of last year that using someone else’s password with permission violates the Computer Fraud and Abuse Act (CFAA). If you don’t want to read the decision, you can read the comments by the Electronic Frontier Foundation. The issue – as this non-lawyer understands it – is what constitutes “authorization” to use a computer system or account. The Court held that it had to be the permission of the system owner, not one of the authorized users.

If the understanding of the EFF (and mine) is correct, sharing passwords without a system owner’s permission is illegal according to the Court’s ruling. I think it is wrong, but I don’t think it should be a crime. (Of course, using someone else’s password without permission is a different matter entirely.)

Two Actions You Need to Take

First, it’s important not to share your password with anyone, and not to use someone else’s. Legality aside, consider what happens to access tracking. How can a company evaluate system use if multiple users share a password? That throws a wrench into system management. Then there’s the cyber security aspect: computer authorization systems depend on accurate authentication. If Mary uses Amir’s password, the system cannot differentiate between the two. Don’t share passwords.

Second, it is important to get the message about sharing authentication information out to all of the organization’s users. That means including it in the semi-annual infosec awareness briefing employees attend. It also needs to be in the company cyber security policy if it isn’t already.

Finally, if you think as I do, let Congress know. The EFF has excellent arguments about this. I strongly agree with the need for cyber security legislation. And I agree that unauthorized computer access is a serious issue. But I don’t agree that allowing someone else from your company to use your account on a company computer should be a federal crime.

This is a sensitive topic. Many infosec professionals I know have strong opinions about this. If you do, tweet me at @jjmcdermott. It’s time for a meaningful dialog on the topic.

To your safe computing,
John McDermott

