While it’s a big security no-no, login sharing on WordPress happens more often than one might think. As the term suggests, login sharing is the practice of users sharing their login information with other users. In a recent survey, a whopping 49% of users admitted to sharing their business login details, with younger users (16-24 years) more carefree about sharing their login details than those in the older cohort (55+years).
While you might think that this is not happening on your WordPress website, many administrators tend to underestimate the scale of password sharing. Without controls in place, it can be pretty challenging to understand if anyone on your team shares their logins. People rarely admit to sharing passwords, yet login sharing is happening and can lead to many problems and WordPress security issues.
Why do users share their logins?
While there may be legitimate reasons why users may need to share login details, best practices tell us that each user should have their own account. Users share login information for several reasons. Accessing social media accounts or public-facing email addresses, where many people may need to post and do action requests, is a very common reason. Other reasons include:
Expediency: You have work to get done now. Submitting a request asking the helpdesk to create another user account would cause a delay.
Cost: As we use more cloud-based subscription services, there could be additional associated costs to adding more users. This makes login sharing particularly tempting if the need is only temporary.
Management: from the management, business and operations point of view, the fewer accounts to manage, the easier the job is.
The security problems caused by login sharing
For many, sharing their login is just another thing they do at work. Even though users share their logins without any bad intent, the practice of sharing login credentials has several associated security risks.
Giving your WordPress logins to a trusted friend or colleague may seem innocuous at first glance. However, you should ask yourself whether they will be as careful with your details as they are of their own? Also, if you are using the same password over multiple accounts; you are not only putting the shared account under threat but potentially all other accounts.
Accordingly, giving up your credentials risk your credentials leaking inside and outside the business.
Encourages use of weak passwords
Over 80% of successful hacking attempts exploit weak passwords, using brute force attacks or stolen credentials. If there is a culture of sharing passwords, these passwords will inevitably be weak and easy to remember.
Misuse of service
When it comes to WordPress security, the principle of least privilege is one of the best tools administrators can employ to maintain a high level of protection. This means that each individual’s account will have specific privileges to perform the tasks required for the job. As such, not all accounts are created equal, as not all roles in a business are equal. Some accounts will have more privileges and access to more information than others.
Through login sharing, everyone with knowledge of the credentials will have access to all the privileges of that account, regardless of the access level they should have. This can potentially allow them access to functions and data that they may not ordinarily have access to. This can lead to data leakage and the breaking of regulations such as GDPR, PCI DSS, and others.
Individual accounts assign responsibility to actions, who did what, and when.
It follows the same principle why each checkout operator has an individual cash drawer, which is removed when their shift ends. If these cash drawers were shared and there was a shortfall, how would you determine who is responsible? In this situation, everyone who has access to this cash draw will fall under suspicion, regardless of whether it happened on their watch or not.
The same applies to WordPress websites. How would you determine who approved an order, a refund, or erroneously modified a product listing or price? Should a mistake be discovered, who is going to be held accountable? How would you prove your innocence?
What can you do to stop login sharing?
Educate, Encourage, Enforce.
If you have not done so already, ensure that you have a policy on password management that discourages login sharing. You should also ensure that the team is aware, of your regulatory obligations and how they can all play a part in meeting these requirements.
Educate staff on the potential dangers of sharing their sensitive login details, not only for the business but for themselves. Suppose there is data theft and law enforcement gets involved. In that case, they will undoubtedly look at who accessed what by checking logs for user accounts.
A primary driver that leads users to share their account login details is that it is easy to do and can be done right now, so the job can get done. There is no reliance on a third party such as the helpdesk or with any subsequent delays.
Streamline the account management process while making it accessible and efficient. You might also want to ensure that the helpdesk team is aware of security and regulatory best practices and is empowered to champion them throughout the organization.
There are several technology solutions available to you to enforce your password policies and to discourage login sharing. For example:
Enforce and use strong passwords
A significant downside of sharing passwords is that they will invariably be weak, so they are easy to remember and maybe written down on sticky notes, making them available to anyone that sees them. By enforcing users to use strong passwords, you discourage them from sharing the credentials.
Plugins such as WPassword make the entire process super-easy. IT gives you complete control over the implementation, helping you achieve the right balance between security and usability.
Use password managers
Just enforcing strong passwords is not enough. You need to help your users to manage their passwords. Implement and encourage the use of password managers, so your users can
store their difficult passwords in a safe place, without having to remember each one of them.
Use Two-factor authentication
Two-factor authentication (2FA) adds another layer of security at a very low administrative cost. Through 2FA, users need to undertake a second authentication via a secondary factor, with OTP (One Time Password) being one of the more commonly used methods.
By implementing 2FA and OTP, users trying to log in to their account need to have access to their smartphone or email, aside from knowing the username and password. With OTPs expiring every 30 seconds, sharing passwords becomes very difficult – ultimately making it easier to simply request a new account.
Implementing 2FA for your WordPress website is easier than you might think. Plugins such as WP 2FA offer friendly wizards and wide compatibility options to make the entire process a breeze.
Monitor user activity
Keep an eye on who is accessing what on your website with an activity log plugin. A comprehensive real-time activity log will give you complete visibility of all actions performed across your WordPress websites. Activity logs are fundamental to good security practice and will go a long way to meeting your compliance obligations.
What if you still need to share your login details?
If you do need to share credentials for any reason, then:
- Ensure that this is limited to only those that really require access and that access is temporary. When the sharing session is over, reset the password.
- Use a password manager that supports a common shareable database. Most online password managers allow this; you can have your own database and a database with credentials that is shared with other people.
- Communicate the password verbally, or send portions of the credentials over different channels, such as half by Skype, half by encrypted email, or some other secure messaging channel.
Very important; at the end of the session or required access, always reset the password.
Avoid sharing your login information
In conclusion, sharing credentials is never a good thing. You should actively discourage the practice by alerting all your users to your policy. Furthermore, make use of the tools and solutions available to you that can help you enforce your policy.