Sharing Passwords Through Slack Is Risky
Make sure your employees know how to identify a secure channel for password sharing.
Securely sharing a password is no easy task.
Organizations that enforce strict password policies will often have IT professionals generate random passwords for their employees. This is a good move for password security, but it presents a difficult problem.
Once you have a strong, highly random password containing more than eight uppercase and lowercase letters along with digits and special characters, what’s the best way to communicate that password to the person who will use it?
You can’t just write it down.
Many IT professionals will communicate passwords through work messaging channels they trust. Slack is a common choice as many employees already use it to communicate with one another.
But Slack, WhatsApp, and most other communications platforms are not secure enough for sending passwords. IT administrators need to find effective ways to keep passwords secure while improving their employees’ user experience (UX).
Why Can’t You Just Ban Password Sharing?
Most IT leaders’ first response to the password sharing problem is to forbid employees from sharing passwords. While this solves the problem in theory, the reality is that it just makes employees more likely to share passwords through insecure, unofficial channels.
In short, your employees are going to share their passwords with one another regardless. Your organization will be better off if you accept that fact and start regulating it.
In fact, one out of every three IT leaders polled in a recent Dashlane white paper caught employees sharing passwords with one another through insecure channels.
Additionally, in 2007, IT employees regularly used an average of 25 accounts per person. By 2020, the average user will have to access more than 200 different accounts. Under ideal security conditions, that means 200 different passwords made up entirely of random letter-number-character sequences.
Asking employees to memorize 200 sequences of random letters, numbers, and special characters is unfeasible. It’s just not going to happen.
In many cases, multiple employees share a single account for third-party services and platforms. This creates a “perfect storm” set of conditions that could result in deeply damaging data breaches, and affect multiple accounts across departments in your organization.
But forward-thinking IT professionals have another option. Password management software can help ensure users have strong, unique passwords in place for every account they use.
Password Management Eliminates Insecure Sharing
IT professionals and cybersecurity experts generally aren’t surprised to find out most employees aren’t using different passwords for different accounts and services. Although this is one of the fundamental aspects of good password policy, it is often ignored.
This problem swells in importance when employees are also sharing passwords with one another. Not only can a potential attacker gain access to every platform and service a single employee uses, but that attacker can often move laterally through the organization simply by trying known passwords out.
The key to keeping password security in check is using a password management solution that generates, assigns, and communicates strong passwords securely. These solutions automate the repetitive process of creating and remembering complex passwords.
Password managers offer built-in damage control for compromised login credentials. If a hacker manages to steal a password, only that single account is exposed. The cybercriminal cannot then make their way through the organization by using the same password for hundreds of different accounts.
At the same time, the strength of each password ensures brute force attacks won’t work. Cybercriminals would have to break an employee’s master password, which is easier said than done.
What If a Master Password Gets Hacked?
Let’s imagine the worst-case scenario: a cybercriminal successfully gets ahold of one of your employees’ master passwords.
Unlike regular passwords on their own, a password manager can play a critical role in incident response. If an employee’s master password is compromised, the organization’s IT team can immediately reset every single password associated with that user’s account. They can also use the software to identify where, when, and how the employee’s master password got into the wrong hands.
Make no mistake — compromised passwords lead to damaging consequences. But having a password manager in place enormously reduces the damage that results.
Without a robust password management solution in place, losing a single account almost always means losing dozens. The users who slip up and accidentally give away their passwords are often the same ones using the same password across multiple accounts and devices.
Protect your accounts using state-of-the-art password management and prevent your employees from sending passwords to one another through insecure channels.