Someone leaves, and credentials are passed on. A student worker uses their supervisor’s login. A staff member goes on vacation and asks a colleague to check their emails. It seems inconsequential enough, but it’s not.
Sharing login credentials (whether you are the person doing the sharing or the person receiving the access) is specifically prohibited by Drake’s Responsible Use of IT Resources policy.
Given the steadily rising threat of security breaches and the sensitive nature of campus information, we can no longer use inconvenience or past history as a reason to practice poor information security habits.
Sharing passwords has two major implications:
- It’s an internal breach of confidential information that opens the University to significant financial and legal liability, and increases the risk of an external data breach.
- When a password is shared, we have no way of knowing who is actually performing actions using the account. If the account is hacked or if unauthorized activity takes place, the account owner is responsible.
Better enforcement of this policy is one of many steps we are taking to continuously improve campus information protection. Going forward, ITS staff members will be resetting shared passwords they encounter and I encourage you to pre-emptively change any of your passwords that may be known to others.
I’m happy to discuss this issue further, or any information security related questions or concerns you may have.
— Peter Lundstedt, ITS