Government Password Sharing Shows How Not To Do Security
Everyone knows that password sharing is bad practice, right? Apparently not, if Tory MP Nadine Dorries is anything to go by.
As the controversy surrounding MP Damian Green’s allegedly naughty browser history rages on, one colleague came to his defence this week – failing in spectacular fashion and opening a massive can of worms around password sharing.
Taking to Twitter, Nadine Dorries, MP for Mid Bedfordshire, launched a spirited but ultimately misguided rebuttal to the accusations facing Green. The thousands of pornography thumbnails said to have been found on a parliamentary computer used by Green could have been downloaded by anyone, she declared.
Fair enough. Her point – that the files don’t prove who was using the computer at any particular time – is perfectly true. Indeed, even the retired police officer making the claims against Damian Green has admitted, “you can't put fingers on a keyboard”.
Had that been the entirety of Dorries’ argument, it would have caused barely a blip in the ever-moving Twitterverse. Instead, she revealed an incredible level of naivety, which has left her facing her own public condemnation and many unflattering headlines.
Just Tweet It
So what did Dorries say that was so ill-judged? Here’s her first tweet, in full:
“My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous !!”
Aside from poor punctuation and grammar, this tweet revealed another of Dorries’ weaknesses: her terrible sense of cyber security. Everyone knows that sharing passwords is a bad idea, but for a public representative, it could be regarded as downright reckless – yet she openly admitted to the practice, even going on to say “All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, 'what is the password?'”
Yet, despite the protestations of other Twitter users, and the apparent danger of inadvertently sharing passwords with anyone within earshot, Dorries remained unrepentant. Defiance or denial? We'll leave you to make your decision about that, but either way, her case raises some interesting questions about how sensitive information is shared in the workplace.
Password Sharing Is A Shared Problem
As naïve as it was to tell the world about her lax security measures, especially in light of the ever-looming GDPR deadline, it would be unfair to suggest that Nadine Dorries’ password sharing is an isolated case – and calls for her to step down are unwarranted. Indeed, reports suggest Dorries is just one of many MPs who share their login details with junior staff, who need access to answer the hundreds of incoming emails that MPs receive daily. It wouldn’t be practical to ask every one of these MPs to quit.
And, let’s be honest, many people engage in exactly the kind of behaviour that Dorries is being lambasted for – whether they work in the public sector or for private businesses. The fact is it’s a widespread problem and one that needs to be treated as such. Dorries' case, if anything, just highlights the issue.
The Importance Of Education
Although the events of the last couple of days might prompt Nadine Dorries and her peers to take cyber security more seriously in future, public witch hunts like this are not necessary to effect change. Instead, education should be our focus. In this case, Dorries doesn’t seem to realise why it’s important to keep her passwords to herself or that it’s perfectly possible to allow others to access your files and services without gifting them such privileged information. At TMB, for example, we use fingerprint readers to unlock our computers. By adding other authorised fingerprints, we could enable our colleagues to access our computers without openly sharing our passwords.
But although we could do this, we usually don't, because access to other people’s computers should not be necessary most of the time. With a well-thought-out IT security policy, anyone who needs access to an account can have it granted fairly easily. This is made even simpler with password management programs, which enable users to quickly share logins without ever revealing the passwords themselves. Authorised users will see password fields filled in automatically, but the actual characters entered will be obscured. It's a simple but extremely effective solution.
Considering just how easy it is to give other people carefully controlled access to computer systems and services, there should be no need for anyone to share their passwords with anyone else.
If we’re being honest, a certain amount of password sharing is practically inevitable. Nothing, for example, is going to stop people sharing their banking PINs with their spouses or pinning their WiFi passcodes on the kitchen wall – but in businesses and other organisations, we have to demand better. Not only would best practice help them fulfil their responsibility to safeguard personal data, it would also help with tracking and documenting usage. They could see exactly who was using a computer, when they were using it and what they were doing.
For Damian Green, that would mean being able to prove, beyond all reasonable doubt, that someone else had downloaded all the adult material on his computer. He would be instantly redeemed, and colleagues like Nadine Dorries wouldn't get themselves in a twist by trying to defend him.
Unless, of course, it really was him, in which case, he’d probably rather appreciate the lack of clarity...