
The Trouble with Politicians Sharing Passwords - robin_reala
https://www.troyhunt.com/the-trouble-with-politicians-sharing-passwords/
======
bambax
It's a question of education / culture.

I run an SMB and, as such, have personal access to manage the company's
account on the French govt taxes website.

My accounting firm does this for me. The govt website has this perfectly
covered, with delegation and dedicated roles for accountants, other company
officials, etc.

Yet when we first set this up the first thing my accountant told me was: just
give me your credentials so I can log in as you. I said no, I don't think so.
Instead, tell me your account # so that I can authorize it on my account. And
he said "I don't even have an account. I do this with all my other clients".

In the end he set up his own account and we did it the right way, but it took
time, and it was absolutely not obvious to him that sharing personal "admin"
login information was a very bad idea.

I don't think there's a technological solution to this problem, unless maybe
if delegation can be made to happen automatically (how???) and if there are
biometric sensors that make sharing login information impossible (but that
would annoy people more, not help them).

~~~
tcd
> I don't think there's a technological solution to this problem

Lol of course there is.

1: IP alerts - new IP? email alert.

2: 2FA - should be standard, requiring a physical device to login

3: Deterrents; seems slightly fishy? You need to login to the account by
proving you are the owner.

With AI it's not so difficult to detect if it's a genuine login (browser
fingerprinting, UA strings, version numbers, OS versions etc).
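
The three signals in the list above (a new IP, a new device or browser, and two places logging in at once) can be checked from ordinary login logs. The script below is an added example, not part of the thread or of any product it mentions: it parses constructed log lines (the timestamps, the `mp_office`/`staffer` usernames, and the RFC 5737 documentation addresses are all made up) and flags the first login from an address or user agent an account has not used before, plus logins from two different addresses inside a short window, which is the pattern a shared password tends to produce.

```python
"""Flag logins from a new IP, a new browser, or overlapping sessions.

Added example; the log format and all sample values are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events in a hypothetical key=value format.
SAMPLE_LOG = """\
2017-12-04T08:01:12Z user=mp_office ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
2017-12-04T08:03:40Z user=mp_office ip=192.0.2.10 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
2017-12-04T09:15:02Z user=mp_office ip=203.0.113.7 ua="Mozilla/5.0 (Windows NT 10.0) Chrome/62.0"
2017-12-04T09:20:55Z user=mp_office ip=192.0.2.10 ua="Mozilla/5.0 (iPhone; CPU iPhone OS 11_1) Safari/604.1"
2017-12-04T10:02:31Z user=staffer ip=192.0.2.11 ua="Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0"
"""

LINE_RE = re.compile(r'^(\S+) user=(\S+) ip=(\S+) ua="([^"]*)"$')


def parse_log(text):
    """Return a list of (timestamp, user, ip, user_agent) tuples.

    Malformed lines are skipped rather than allowed to abort the whole run,
    since a detection job should keep going over the rest of the log.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        if not match:
            continue
        ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, match.group(2), match.group(3), match.group(4)))
    return events


def detect_anomalies(events, overlap_window=timedelta(minutes=30)):
    """Return (timestamp, user, reason, detail) alerts in chronological order.

    The first login of each user seeds the baseline; after that, an unseen IP
    or user agent raises an alert. A login from a different IP than the
    previous one, within overlap_window, is reported as overlapping sessions,
    which is the signature of two people using one account at the same time.
    """
    seen_ips = defaultdict(set)
    seen_uas = defaultdict(set)
    last_login = {}  # user -> (timestamp, ip) of the most recent login
    alerts = []
    for ts, user, ip, ua in sorted(events):
        when = ts.isoformat()
        if seen_ips[user] and ip not in seen_ips[user]:
            alerts.append((when, user, "new-ip", ip))
        if seen_uas[user] and ua not in seen_uas[user]:
            alerts.append((when, user, "new-device", ua))
        if user in last_login:
            prev_ts, prev_ip = last_login[user]
            if prev_ip != ip and ts - prev_ts <= overlap_window:
                alerts.append((when, user, "overlapping-sessions",
                               f"{prev_ip} then {ip}"))
        seen_ips[user].add(ip)
        seen_uas[user].add(ua)
        last_login[user] = (ts, ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(" | ".join(alert))
```

On the constructed sample this yields three alerts, all for `mp_office`: a new IP at 09:15, a new device at 09:20, and overlapping sessions at 09:20 because the iPhone login from the office address arrives five minutes after the login from the unfamiliar address. A real deployment would send the alert to the account owner rather than print it, and would tune the window and baseline period to the organization's travel and device habits.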

~~~
bambax
Those would only help limit login sharing; they're not solutions to the
problem of making account delegation easier to do (and to understand).

~~~
TallGuyShort
I think from most people's perspective all those things do is make login
sharing harder. I'm working with a non-profit to set up a website and social
media accounts, and I've explained the concept of everyone having their own
login to a shared account 3 times, and I think maybe 1 person gets it. (And
maybe I suck at explaining it, but I have plenty of teaching experience and
usually get compliments on explaining technical stuff in a non-jargony way).

If these same people had the obstacle of having to add another person's phone
to 2FA as well as share the password, they still wouldn't look very long at
alternatives to the way they log in. There's a fundamental assumption that
there's a way to log in, and other people just have to do that. Very hard to
help them realize that everyone should authenticate as individuals, and you
can authorize individuals to access the group's resources.
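
The model in the last sentence (everyone authenticates as themselves, and the owner authorizes individuals over the group's resources) is small enough to show end to end. The code below is an added illustration, not code from the thread, from Exchange, or from any social-media platform: it models a mailbox whose owner grants named delegates a subset of hypothetical scopes (`read`, `reply`, `send_as`, `manage_delegates`), checks every action against those grants, and records the real actor in an audit trail. The `mp` and `intern` identities and the message ids are made up.

```python
"""Per-person identity plus delegated scopes, with an audit trail naming the actor.

Added example; the scope names, identities and message ids are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical scopes a mailbox owner can hand to a delegate.
SCOPES = {"read", "reply", "send_as", "manage_delegates"}


class PermissionDenied(Exception):
    """Raised when an actor tries something their grants do not cover."""


@dataclass
class Mailbox:
    owner: str
    grants: dict = field(default_factory=dict)   # delegate -> set of scopes
    audit: list = field(default_factory=list)    # (actor, action, detail)

    def _authorize(self, actor, scope):
        """Allow the owner anything; allow a delegate only their granted scopes.

        Denials are logged too, so an attempt to overstep a grant is visible.
        """
        if actor == self.owner or scope in self.grants.get(actor, set()):
            return
        self.audit.append((actor, "denied", scope))
        raise PermissionDenied(f"{actor} lacks {scope} on {self.owner}'s mailbox")

    def grant(self, actor, delegate, scopes):
        self._authorize(actor, "manage_delegates")
        unknown = set(scopes) - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        self.grants.setdefault(delegate, set()).update(scopes)
        self.audit.append((actor, "grant", f"{delegate}:{','.join(sorted(scopes))}"))

    def revoke(self, actor, delegate):
        self._authorize(actor, "manage_delegates")
        self.grants.pop(delegate, None)
        self.audit.append((actor, "revoke", delegate))

    def read(self, actor, message_id):
        self._authorize(actor, "read")
        self.audit.append((actor, "read", message_id))

    def reply(self, actor, message_id, text):
        self._authorize(actor, "reply")
        self.audit.append((actor, "reply", message_id))

    def send_as(self, actor, recipient, text):
        self._authorize(actor, "send_as")
        self.audit.append((actor, "send_as", recipient))


def demo():
    """Walk an intern through a grant, normal use, an overstep, and revocation.

    Returns the audit trail. With a shared password every entry would name
    the owner; here each entry names the person who actually acted.
    """
    box = Mailbox(owner="mp")
    box.grant("mp", "intern", {"read", "reply"})
    box.read("intern", "msg-1")
    box.reply("intern", "msg-1", "Thank you for writing to us.")
    try:
        box.send_as("intern", "minister@example.invalid", "Please approve this.")
    except PermissionDenied:
        pass  # send_as was never granted; the denial is in the audit trail
    box.revoke("mp", "intern")
    try:
        box.read("intern", "msg-2")
    except PermissionDenied:
        pass  # access ends the day the intern leaves, without changing a password
    return box.audit


if __name__ == "__main__":
    for actor, action, detail in demo():
        print(f"{actor:7} {action:7} {detail}")
```

Two properties matter here. Nothing the intern does is recorded under the owner's name, so the "must have been one of the people with my password" defence discussed further down the thread does not arise; and revoking the intern is a single call that touches nobody else's access, whereas a shared password has to be changed and redistributed to everyone who still needs it.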

------
jacknews
Good points raised and I largely agree, but just look at the article, several
pages explaining passwords and security, along with screen shots (which I
think must be equivalent to having maths equations in your document in terms
of their power to make eyes glaze over), and a call to "reach out to your IT
department".

Do MPs even have an IT department? I thought they were responsible for their
own offices, and on quite a tight budget.

"Have these people never heard of delegation permission?"

You know what, probably not. Nor have I, and I'm a dev, though I don't use
exchange, and of course I do understand the concept.

"But we do need to call out credential sharing in this fashion for what it is
and it's precisely what I highlighted in that original tweet - lack of
education."

The actual problem here is that security is just too hard for users, the
implementations are too complex or onerous, and even perhaps undesirable to
them if the intent is just to "track them, make them accountable (in reality,
blame them when things go wrong)", etc.

------
jkire
Honestly, these replies feel completely unhelpful. This is exactly how MPs
offices have _always_ worked, staff open and respond to letters with little
oversight. Now they do the same with email.

Yes, in 2017 we can do a lot better and use delegated access, but adoption of
those features doesn't happen overnight. Delegation of access was probably not
even a thing when Dorries was first elected?

So the question really is: who is responsible for ensuring that MPs are up to
speed with new security measures? Why aren't they dealing with this?

I think we should be lobbying MPs to ensure that they have the support they
need to keep up to speed with best security practice, not vilifying them for
trying to muddle through the best they can. It sounds like a recipe for
disaster to try and get them all to do it themselves.

---

On a tangential note:

> It's alarming to read that Nadine believes criticism of her approach is due
> to her gender because if ever there was a construct that's entirely gender-
> unbiased, it's access controls! Giving other people your credentials in a
> situation such as hers is a bad idea regardless of gender, race, sexuality
> and any other personal attribute someone may feel discriminated by.

Completely misses the point. Of course security is gender-unbiased, but that
doesn't mean she isn't getting a harder time of it simply because she is
female. Such bias happens a lot.

To be honest, I think the actual truth is that the papers enjoy reporting on
whatever Nadine Dorries says. So yeah, I don't doubt that another MP would
have received less flak for saying the same thing, simply because it wouldn't
have been reported as widely.

(That doesn't mean we shouldn't talk about security issues, but don't discount
the abuse women get just because you happen to disagree with them on a
particular point.)

~~~
saulrh
> This is exactly how MPs offices have always worked, staff
> open and respond to letters with little oversight. Now they
> do the same with email.

This isn't just the email password, nor is it just the password to the
"letters from the public" email. The original offense was "downloading porn on
a work computer", indicating that this is the core network account, AD or
LDAP. And _that_ means that it's granting access to _everything_, every email
and every file. These interns don't need access to every email she sends to
another MP. These interns don't need access to the drafts of upcoming
legislation. These interns don't need to know what kind of cat pictures she
likes. What do you want to bet that the whole "Using personal email for
official communications" fiasco over here started when someone said "I need an
email that the interns can't read and they won't give me two user accounts"?

~~~
mschuster91
> What do you want to bet that the whole "Using personal email for official
> communications" fiasco over here started when someone said "I need an email
> that the interns can't read and they won't give me two user accounts"?

Possible, but I also guess the reason was along the likes of "I want to be
able to send and receive 100MB powerpoint slide decks, but central IT has a
5MB cap"... this one is something I regularly hit with clients back in ye olde
freelance time. Record low was a client with 1MB attachment cap and 100MB of
quota.

~~~
TeMPOraL
IT is directly responsible for a lot of those things. In some places, it seems
like IT departments try to make their own lives easier by ensuring the
infrastructure is so ridiculously constrained that nobody wants to use it (no
users = no things broken by users that need fixing!). Users instead will make
do in creative ways, which make organizations vulnerable (and people
unhappy).

~~~
jpindar
Of course they'll say it's for security reasons... and indeed, the most secure
network is one that no one uses.

------
robin_reala
The ICO tweeted:
[https://twitter.com/ICOnews/status/937654177571983362](https://twitter.com/ICOnews/status/937654177571983362)

“We’re aware of reports that MPs share logins and passwords and are making
enquiries of the relevant parliamentary authorities. We would remind MPs and
others of their obligations under the Data Protection Act to keep personal
data secure.”

------
athenot
This is also an issue in the medical field. e-prescribe lets doctors order
medications directly from the EHR, including—in some states—controlled
substances. The software ensures it's the doctor by requiring the password to
be entered. The doctor gets tired of typing the same password 50 times a
day—compounded by a login sequence that is not most user-friendly—and the
result is that the staff enters the order on behalf of the doctor.

(I should note this is being improved, with more and more doctors getting
comfortable with documenting things themselves and therefore being logged when
they need to order something.)

This is just to say that usability / UX is a very important component to
security, or insecure workarounds flourish. As software makers, we need to
make it _easiest_ for the user to do the right thing from a security
perspective, not just merely _possible_.

~~~
somedumbguy22
Troy talks about the importance of UX in his post about FaceID, if anyone is
interested. [0]

[0] https://www.troyhunt.com/face-id-touch-id-pins-no-id-and-pragmatic-security/

------
jpalomaki
In some cases this sharing of passwords has turned out to be rather
convenient. Like when you get accused because logs show that you did something
wrong, you have this "Oh, I don't recall doing that - must have been one of
the 15 people who regularly access the systems with my credentials" defense.
We had at least one case where police officer played this card after being
accused of checking records he had no legitimate reason to check.

Especially when facing criminal charges (or public scrutiny), this kind of
trick can actually work. Especially if you manage to show that this was
widespread in organization and management has not taken steps to stop this bad
practice.

~~~
ben_w
> Especially when facing criminal charges (or public scrutiny), this kind of
> trick can actually work.

Alternative: the trick might be using someone else’s credentials because you
know they, not you, will take the blame.

Without knowledge of the real behaviour of espionage and interfering with
foreign governments/other political parties in your own nation/police officers
who never take bribes, I would presume there are people who get themselves
hired by their opponents specifically to undermine them in this way.

Can you imagine how few people would believe a politician protesting their
innocence if it was discovered that someone has used that politician’s email
account to chat with a 9-year-old? Especially if the person sending the emails
claimed to be that politician (bonus points if the politician shares their
phone as well as their password, they might have selfies nobody else has
seen)? When the 9-year-old could never be found (because they never really
existed, but again _imagine_ how that will go down as an excuse)?

------
syllogism
Does Twitter support credential delegation? How about Facebook? Reddit?
Instagram? Medium? Other random CMSes the MP might push content to, for op
eds, newsletters, etc?

All these systems start with the assumption that the "author" is a single
account. Delegation is an edge-case they may or may not support, and they
might all support it differently.

Using a single PC, you don't have to use any of the special-case logic. You're
back on the happy path: you do everything the same way you always do, and it
all just works. There's also a lock on the resource: if someone else is at the
PC, you can't be making conflicting responses to the same correspondence.

~~~
zaarn
>Does Twitter support credential delegation? How about Facebook? Reddit?
Instagram? Medium? Other random CMSes the MP might push content to, for op
eds, newsletters, etc?

Yes, you can find this special delegation by looking up the specific OAuth
API. OAuth access usually limits what the other can do, some providers give
you access to logs and you can limit and review scopes on each access token.

~~~
Spivak
This isn't delegation of access to other people, this is delegation of
identity to applications. Someone with your API token is still you -- just
with restricted permissions.

Until one can go into their Twitter account and create completely separate
sub-accounts below their own with different emails and passwords people are
going to share credentials.

~~~
zaarn
You can delegate to applications which other people are using, I don't see why
that should be a problem. Plus an API token is more trackable than just
sharing your password.

It would be an improvement over current.

------
mcherm
He mentions but does not address one of the main problems: sharing passwords
is actually ADVANTAGEOUS to the politicians because it provides plausible
deniability. Troy says "this is exactly the problem" (which is true), but
provides no proposed recourse.

Looking at other industries, the problem goes away when people are held
responsible for activities performed under their credentials even if they DID
share them to other users. But it is _particularly_ difficult in politics to
hold people accountable for their actions.

~~~
cmiles74
I don't think that Troy Hunt can reasonably be expected to address the issue
of "plausible deniability". He points out that it is an issue; I believe it's on
the organization (in this case parliament) to find a solution.

Personally, I'm all for the position that if you shared your password with
someone then you are wholly and completely responsible for their actions. That
is, the porn downloaded with your account is your porn, regardless of who
actually was using your login to view porn.

------
zokier
I think this tweet captures my sentiment about the situation pretty well:

> I don't blame her, I blame the I.T dept for not managing this risk
> adequately. It isn't up to her to have to defend this. She has a valid
> business need and I.t needs to meet this need and be secure also. I. T is
> the group that should be explaining themselves, not her

If it were an isolated individual incident then going against the user might
be reasonable, but in this case sharing passwords seems to be a common usage
pattern, and imho their IT dept should have a certain degree of awareness about
what their users are doing and be working to proactively correct bad practices.
And no, it's not enough just to push new versions of software that has some
helpful new features; you also need to get your users to use them, which won't
happen by itself.

In particular the response of the IT dept (I guess?) seems a bit tone deaf:

> We’re aware of reports that MPs share logins and passwords and are making
> enquiries of the relevant parliamentary authorities. We would remind MPs and
> others of their obligations under the Data Protection Act to keep personal
> data secure.

It contains an implication of punishment ("making enquiries to authorities"),
and does in no way acknowledge the needs why the users are sharing passwords.
A better response would have been something like

"We’re aware of reports that MPs share logins and passwords and are working to
improve the systems so that it can be avoided in future. If you have been
sharing logins, please contact us so that we can work together to make sure
your needs are covered. In the meanwhile, here are some useful tools that can
help you [link to delegation and collaboration docs]"

~~~
mattferderer
In the defense of IT everywhere, I once was a "sole" IT department at a
reasonable size non-profit. I tried hard to force security but if the top of
the org chart refuses, there isn't much you can do but just keep trying. A lot
of the office even knew the CEO's password which he used for everything.

Google Apps had a nice feature at the time that lets you see the strength of
your users' passwords. If you sorted it from weakest to strongest, you
literally had our org chart. Talking to other people who work with security,
this doesn't seem to be all that uncommon.

------
heisenbit
There is real value in plausible deniability if you're a politician. Could be
almost considered best practice by some.

~~~
sgift
At least as long as the defense isn't reversed: It's your account. You are
responsible for what happens in your name.*

IT security practices would get better very fast if that was the case.

* If you think your account was hacked then report it and it can be checked.

------
peterwwillis
Of course it's bad security practice. Nobody cares about the security
implications. It's a necessary functionality and productivity hack.

Managing access to resources is almost always a joke. Most systems do not give
you ACLs to manage access to an account. When they do, the functionality is
locked down to admins. When that isn't the case, the user interface is
invisible or totally unintuitive.

Basically, if the option is A) spend six months and half a million dollars to
upgrade everything and train people, or B) only allow one person to check a
single account, or C) share passwords, the choice is simple.

~~~
phaemon
> Nobody cares about the security implications.

Assuming he's innocent for a moment, I'm going to bet Damian Green cares...

------
Spooky23
Users have no expectation of privacy. That’s IT security policy mantra
wherever it is legal. Everything a government official does is public at some
level. So that part of Hunt’s argument is bunk.

From a security point of view, an elected official isn’t some clerk. If she
decides to delegate duties to her staff, that’s her decision and
responsibility.

I’ve had this argument with people before. IT dogma like this makes life more
efficient. In the paper world, guess what? Mail was opened by staff. Time
sheets were completed by secretaries. Staff were delegated authority to sign
off on stuff up to a threshold. When I started working in IT, my director had
a protocol where his secretary could sign off on certain transactions up to a
high dollar figure without his presence. Problems weren’t very common.

An IT credential isn’t sacrosanct, and for the 90th percentile executive,
there’s no reason to not allow this type of behavior where delegation isn’t
possible.

I always thought it was funny when Apple did enterprise briefings, one of
their success stories was how a major company wrote an iOS app to allow
managers to approve routine bullshit. The quote from some SVP at the client
was something like “This app took 3 hours off my workday, and I can eat dinner
with my kids.” That’s the ultimate illustration of stupid security culture and
the micromanagement it brings along for the ride.

~~~
cmiles74
IT credentials should be treated as sacrosanct. Your credentials represent you
and are, in many cases, indelibly tied to those credentials. Providing those
credentials to others is the most coarse grained method of delegating _all_ of
your abilities under that credential.

In this case we're talking about pornography and, apparently, rather
pedestrian pornography at that. I have no doubt that this will end with people
chuckling at each other and that will be the end of it.

Should someone mail out state secrets with these credentials the tone of these
stories will be very different. This attitude of "sharing credentials makes my
job easier" will meet with far less indulgent attitudes. Heads may very well
roll and making it more difficult to pinpoint an individual will not be so
easily tolerated.

Bottom line, sharing the credentials represents very real risk. Perhaps
members of parliament do nothing of consequence with their email and that is
why this has been allowed to go on for so long.

~~~
Spooky23
That argument is bunk.

Any competent organization in government protects state secrets with a multi-
factor credential that protects against reuse, some sort of network
isolation, and serious criminal penalties for violation of those rules.

Outside of the enterprise, people do this all of the time with limited powers
of attorney and other mechanisms. When I had an assistant, I delegated to her
the ability to pay my AMEX. If people are commonly sharing credentials, it’s a
sign that IT or the business doesn’t have its shit together, just like most
random Visa/MasterCard issuing banks don’t with respect to delegation of
access.

------
StudentStuff
Credential sharing is common, most see it as a way to achieve an end, rather
than as a security hole that could screw them over in the future.

If you're not very technical, and your intern needs to respond to your emails,
schedule your calendar, and handle other tasks I'd be surprised if most don't
just fork over their login details rather than go and ask Jerry in IT to make
an account with all these special permissions for an Intern or staffer that'll
be gone in a few months to a year.

~~~
robin_reala
Which would be inadvisable but understandable, were it not for the code of
conduct that stipulates that you do not share passwords.

It might be a common thing to do, but this matter needs at a minimum a
reiteration of the rules and better documentation of the correct alternatives,
and probably also a certain amount of punitive measures.

~~~
draugadrotten
Biometrics solves this particular sharing problem; the politician can't easily
share their iris or fingerprint.

In my experience, 2FA with cell phones also prevents executives from
sharing passwords. They won't leave their phone behind. However biometrics is
faster to use and easier to understand for most people. 2FA can be socially
engineered by calling the politician/exec and asking for the code they just got
"for support". That won't fly with a fingerprint.

~~~
StudentStuff
A gummy bear works just fine to copy a fingerprint. You can only go so far
too, piss off a politician or even a lower level boss, and IT may find all
their computers in the dumpster, replaced with new PCs that said person bought
to get the job done, rather than fight IT to get their work done.

For most people, a computer is a means to an end. If it doesn't accomplish
that task, the computer belongs in the trash.

~~~
draugadrotten
> A gummy bear works just fine to copy a fingerprint.

No longer. You may be pleased to learn that there is new technology that is
better than that. Google "liveness detection" to learn more.

> For most people, a computer is a means to an end. If it doesn't accomplish
> that task, the computer belongs in the trash.

If I interpret your hyperbole nicely, you mean that security which is
difficult to use will upset users. Indeed this is so, therefore security needs
to be implemented in such a way that it is easy to use in a secure fashion.
Apple Touch ID is a good real-life example of which you may be aware. Enforcing
complex text passwords which must be changed every N days is a counter-example
which does not achieve the desired effect and also upsets users. Biometrics
are, when implemented well, very easy to use and far more secure than text
passwords. Therefore they should be considered, before "throwing the computer
in the dumpster", as you said.

------
cr0sh
There's the concept of "plausible deniability", which we see on display nearly
everyday by a certain member of the US federal government.

Indeed, it happened very recently over the weekend, when his lawyer claimed it
was he who was tweeting, not his boss!

Furthermore, we've seen this regularly from his twitter account: Sometimes the
tweets will be word salad only slightly more intelligible than "covfefe",
other times they'll be much more intelligible (though not necessarily
intelligent).

Which has always led me to wonder: Who is actually tweeting?

Is it the person we ostensibly voted for? Or someone completely different?

Because to me, when a person's words high in government are supposed to be
their words, they have an inherent responsibility to them. If someone else is
using their account to blurt out ideas which could have world changing
repercussions, and that someone isn't the person the electorate chose to
represent them, then we don't have a true representative government system any
longer. At that point, we might as well not have elections any longer, because
the people we are trusting to govern aren't doing their damn job. In fact,
they are abdicating that responsibility, and one should think that such an act
would be subject to sanctions, up to and including being treated as a
treasonous act.

This goes well beyond "plausible deniability", in my opinion. In the case of
national government, it is something that can easily lead to war, due to
misunderstanding or just malfeasance on the part of bad actors. That this is
being seen as normal, that "everyone else is doing it", in any other time
would have the populace at their doorsteps with pitchforks and torches,
demanding change.

The fact that this isn't happening, despite everything we have seen, continue
to see, and will see in the future, is both maddening and disheartening.

We are in dangerous times. This may sound like hyperbole, but it isn't. I'm
not the only one who thinks or believes this. Many are attempting to scream it
from the rooftops, but are derided as being overly dramatic, or crazy, or any
number of other epithets. Others continue with the whole "let's wait and see,
2018 will be the year, or 2020 - things will change".

I fear that we don't have long to stop this madness if something isn't done
soon.

------
FLUX-YOU
So if they didn't know about delegated access, what else do they not know
about?

It's great that email and SharePoint have this feature, but what happens when
anonymous contractor #028345 is building something and doesn't know how to
write delegated access securely into their program? What happens when this
contractor solution becomes critical to MP daily work? That's going to make
them roll back to credential sharing.

And to turn the viewpoint around, what if you are an IT guy/gal who didn't
know about this? Does it mean you should be summarily fired for not being
able to offer delegated access as a solution? And because you couldn't offer
that solution, MPs ended up sharing creds as a result.

Do politicians deserve the absolute best IT people the world has to offer to
minimize the chance of not knowing something or doing something insecurely? If
so, why are all of us not immediately tearing down all political IT
infrastructure that isn't secure because ultimately this is the security of
the country you and your family live in!

------
failrate
Those tweets are absolutely terrifying. Not because the persons are practicing
bad security, but because they don't understand why it's bad. I work with
plenty of people who reuse passwords/have weak passwords, but they acknowledge
that it's just because they are too lazy to do the right thing. That's scary.
What's scarier is when people in positions where they are responsible for
creating policies that impact security, encryption, privacy are fundamentally
blind to why you'd even want security, traceability, and privacy.

------
mpolichette
I very much appreciate Troy's approach to criticism. It gives the other party a
fair rebuke but also treats them as the fallible humans they are. People make
mistakes, and I feel like our society should be a little more lenient
sometimes, especially on issues which can be corrected, like this one.

Granted there are definitely times when a person really ought to have known
better ahead of time.

In any case I wish we could see more leadership of this nature.

------
jimnotgym
I liked the linked document from the NCSC. They give practical advice on
password expiry which I would love to adhere to...were I not having to follow
PCI DSS, which mandates that we set expiry to 90 days and has length and
complexity requirements. PCI DSS is a bad standard.

