Why avoid shared user accounts?

Score: 47

I know it's best practice not to allow shared user accounts, but where is this best practice defined? Is it an ISO standard or something? What are the reasons to always create per-person accounts?
access-control user-management
asked yesterday by Steve Venton (new contributor); edited yesterday by Anders

Comments:

  • Auditing is the main argument. – ThoriumBR, yesterday

  • cf. Is logging in as a shared user a bad habit? – user22a6db72d7249, 10 hours ago

  • In a word: non-repudiation. security.stackexchange.com/questions/6730/… – Christopher, 2 hours ago
7 Answers

Score: 93

Alice and Eve work for Bob. Alice is a very good worker who does exactly what Bob asks her to do. Eve is a criminal mastermind hell-bent on destroying Bob's company.



Alice and Eve both share the same account.



Eve logs into the account and uses it to sabotage an important business process. The audit log captures this action.



How does Bob know who sabotaged his company? He has to get rid of the bad actor, but can't fire both of them, because his company depends on the work that they do. He could fire just one, but he has no way of knowing which one is his friend and which one is his enemy.



If Alice and Eve had separate accounts, Bob could be sure that Eve was the one who did the sabotage. Eve might even avoid doing the sabotage, if she knows her account will be audited and she will be caught.



EDIT: Adding from comments:



If Eve quits, you now need to reset the password on every account she had access to, rather than just disabling her personal accounts. This is much harder to manage, and you will miss accounts.



Additionally, it removes your ability to have granular control over access. If Alice should be writing checks, and Eve should be signing them, you essentially have no technological way to enforce that if they share the same account.



Also, it makes it harder for a given individual to notice malicious changes to their environment. Alice knows what files are on Alice's desktop. Any new files will likely raise a red flag for her. Alice doesn't know what files are on Alice and Eve's shared desktop. It is likely new files will be met with a shrug and an assumption that another user put it there, not a malicious actor.
– Adonalsium, answered yesterday, edited yesterday

Comments:

  • +1 Except that Eve, being a criminal mastermind, would have hacked into Bob's account so he would have had to fire himself :-) – TripeHound, yesterday

  • A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s). – JimmyJames, yesterday

  • Shared accounts also make it much harder to detect when a bad actor has gained access to an account they should have access to. – JimmyJames, yesterday

  • Even if Eve isn't out to sabotage the company, Alice and Eve's sharing an account also means that Bob can't give Alice additional permissions without also giving them to Eve. If Alice is promoted and now has access to data X, Eve gets it, too. – minnmass, yesterday

  • @jpmc26 This is true, but this is not specific to shared vs non-shared accounts. – Adonalsium, yesterday

Score: 13

You should use separate accounts in all contexts (security above all).

Adonalsium's example shows you why it's required.
There are some rare situations where it is "not possible" or "not useful" ...

Examples:
"not possible" (legacy protocols/applications)
"not relevant" (anonymous actions)

If it is not possible, but you need to identify the user, you have to mitigate the risk by adding as much source information as possible (e.g. connection info, connection time, etc.)

You can check ISO 27001 Risk Assessment Methodology and ISO 31000 Risk management as a starting point to answer your question "Why avoid shared user accounts?"
– WaltZie (new contributor)

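The first answer's point (Bob cannot tell Alice from Eve when both act under one account) and the second answer's mitigation (when a shared account cannot be avoided, add as much source information as possible) can be shown concretely with a small log-attribution script. This is an added example, not code from the original question or answers. Every audit line, account name, IP address and lease record in it is constructed, and the key=value log format is my own assumption rather than any real product's.

```python
"""Attributing an audited action to a person: shared vs named accounts.

Added example, not from the original Q&A. Every log line, account name,
IP address and lease record below is constructed; the log format is an
assumption, not any real product's.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Who holds the credential for each account (constructed IAM data).
ACCOUNT_HOLDERS = {
    "ops-shared": {"alice", "eve"},   # one password known to two people
    "alice": {"alice"},
    "eve": {"eve"},
}

# Constructed application audit log, syslog-style key=value lines.
AUDIT_LOG = """\
2024-03-04T09:01:12Z app auth: user=alice src=10.0.5.21 action=login result=ok
2024-03-04T09:03:40Z app auth: user=ops-shared src=10.0.5.21 action=login result=ok
2024-03-04T09:05:02Z app payments: user=ops-shared src=10.0.5.21 action=approve id=4711
2024-03-04T09:10:55Z app auth: user=ops-shared src=10.0.5.77 action=login result=ok
2024-03-04T09:12:30Z app payments: user=ops-shared src=10.0.5.77 action=delete id=4711
2024-03-04T09:15:00Z app payments: user=eve src=10.0.5.77 action=delete id=4712
"""

# Constructed VPN/DHCP lease records: (ip, person, valid_from, valid_to).
# This is the "more source information" the second answer recommends.
LEASES = [
    ("10.0.5.21", "alice", "2024-03-04T08:30:00Z", "2024-03-04T12:00:00Z"),
    ("10.0.5.77", "eve", "2024-03-04T09:00:00Z", "2024-03-04T11:00:00Z"),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) app (?P<facility>\w+): (?P<kv>.*)$")


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Event:
    ts: datetime
    facility: str
    fields: dict


def parse_log(text):
    """Parse the key=value audit lines; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(item.split("=", 1) for item in m["kv"].split())
        events.append(Event(_ts(m["ts"]), m["facility"], fields))
    return events


def candidates_by_account(event):
    """Named account -> exactly one person; shared account -> every holder."""
    return set(ACCOUNT_HOLDERS.get(event.fields["user"], set()))


def candidates_with_leases(event):
    """Narrow the account's holders to whoever held the source IP at that time."""
    from_account = candidates_by_account(event)
    ip = event.fields.get("src")
    holders_of_ip = {
        who for lease_ip, who, start, end in LEASES
        if lease_ip == ip and _ts(start) <= event.ts <= _ts(end)
    }
    narrowed = from_account & holders_of_ip
    # If the lease data has a gap, fall back to the (wider) account-based set.
    return narrowed if narrowed else from_account


def attribute(text, action, obj_id):
    """Return (by_account, with_leases) candidate sets for one audited action."""
    for ev in parse_log(text):
        if ev.fields.get("action") == action and ev.fields.get("id") == obj_id:
            return candidates_by_account(ev), candidates_with_leases(ev)
    raise LookupError(f"no {action} of {obj_id} in the log")


if __name__ == "__main__":
    for action, obj in (("delete", "4711"), ("delete", "4712")):
        by_account, with_leases = attribute(AUDIT_LOG, action, obj)
        print(f"{action} {obj}: account alone -> {sorted(by_account)}; "
              f"joined with leases -> {sorted(with_leases)}")
```

Run stand-alone, the delete of 4711 under ops-shared maps to both credential holders from the account alone, and to eve only once the lease data is joined in; the delete of 4712 under the personal account eve needs no join at all. The caveat a practitioner should keep in mind: the join narrows the candidate set but is only as trustworthy as the lease records, and Eve can still claim someone else sat at her machine. It recovers some attribution, not the non-repudiation that a personal account with its own credential provides.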
Score: 7

Real story, happened at a friend's workplace (jurisdiction: Germany):

A coworker of his rudely insulted clients via her company e-mail. She was fired for this. She did go to court. There, her lawyer made the court aware of the fact that the employees shared their passwords (for instance, for answering a client's mail in the absence of a certain colleague).

The judge ruled that there was no good proof that the person in question was really the one who sent the insulting e-mails. The person had to be rehired and compensated for the lost wages.
– Daniel (new contributor)

Comments:

  • It's a classic, in many countries with many variations. You will find similar examples almost everywhere. It's so mainstream it doesn't qualify as a funny story in most French prud'hommes (a French tribunal appointed to decide labour disputes). – xdtTransform, 22 hours ago

Score: 4

The typical answer is accountability, traceability, etc.; in other words, to be able to know who exactly did what.

A shared account has n potential people doing something, but all that you have points to one account doing that thing.

This problem is usually lifted by making sure someone is legally responsible for the activities of this account. This may or may not be feasible, and you may not have someone taking responsibility for the actions of others.

This problem often occurs when you outsource some monitoring activities - the account which does the monitoring tasks should be contractually in charge of that company, which is responsible for its actions.

If you cannot assign a responsible person, it is then up to management to make a decision based on the risk: not having a service vs. not knowing who does what with that account.

Score: 1

I only know one exception to that rule. There is one single machine that is shared by several users, and the following assertions are all true:

  • one and only one of those users is in charge of this machine at any moment
  • the account can only be used on the local machine - disabled via network

This may happen on 7/7 24/24 systems. In that use case, you still keep an acceptable imputability by knowing the user that was present at a specific moment, provided you could set the above second rule. But in fact, it is equivalent to having an account with no password, and only using physical security.

Score: 1

Best practices are nowhere "defined", that's what the term means. A best practice is simply an established way of doing things that most people think is the best way.

It goes the other way around. Once a "best practice" is dominant, usually someone on a standards board decides to put it into some ISO or other norm. It then rests there, usually without explicit reasoning, or a circular reasoning pointing out that this is best practice.

The reasons for this particular practice are likewise practical ones. If Alice and Bob share an account and something bad happens, they will both point to the other person and you have no way of figuring out who did it. With personal accounts, they'll claim it was compromised, but then you at least have a single point to investigate further.

There are also explicit requirements for accountability in many sub-fields such as compliance, and they play into this.

Comments:

  • It's not rare for someone (or an organization) to write and publish something that documents best practices, though. That doesn't define them, and it can be controversial which practices should/shouldn't be included in this document, but not sharing accounts is clearly agreed upon and the OP is simply asking if anyone has written that down somewhere. – Peter Cordes, 5 hours ago

Score: 1

Another issue not yet mentioned is that if someone receives notification that their account is being accessed or has been accessed at a time when they aren't/weren't accessing it and wouldn't expect anyone else to do so, they're much more likely to sound an alarm than they would be if they thought that the account might have been accessed by someone whom they'd authorized.

Given the number of cases where it may be necessary for someone to authorize someone else to perform some particular action on their behalf, it would be extremely helpful if services could include a means by which accounts could authorize and revoke secondary credentials with limited rights. That would allow the system to report which credential was used to access an account, thus allowing someone to better distinguish expected from unexpected activity.
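The last answer proposes that an account should be able to issue and revoke secondary credentials with limited rights, so that the system can report which credential performed each action instead of just "the account". The following is an added example of that design, not code from the original answer or from any real service: the credential-id and secret format, the scope names, the TTL handling and the audit-record layout are all my own assumptions.

```python
"""Delegated, limited-rights credentials on a personal account.

Added example, not from the original answer. The token format, scope
names and audit-record layout are assumptions, not any real service's API.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Credential:
    cred_id: str
    label: str              # who it was issued to, e.g. "bob-covering-inbox"
    scopes: frozenset       # actions it may perform
    expires: datetime
    secret_hash: bytes      # only a hash is stored, as with a password
    revoked: bool = False


class Account:
    """One person's account plus the secondary credentials it has delegated."""

    def __init__(self, owner):
        self.owner = owner
        self.creds = {}
        # Audit records: (time, owner, cred_id, label, action, allowed)
        self.audit = []

    def issue(self, label, scopes, ttl_hours, now):
        """Mint a secondary credential; the secret is returned once, to the delegate."""
        cred_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(24)
        self.creds[cred_id] = Credential(
            cred_id, label, frozenset(scopes), now + timedelta(hours=ttl_hours),
            hashlib.sha256(secret.encode()).digest())
        return cred_id, secret

    def revoke(self, cred_id):
        """Owner withdraws the delegation; the delegate's copy becomes useless."""
        self.creds[cred_id].revoked = True

    def act(self, cred_id, secret, action, now):
        """Perform `action` under a delegated credential; every attempt is logged."""
        c = self.creds.get(cred_id)
        allowed = (
            c is not None
            and not c.revoked
            and now < c.expires
            and hmac.compare_digest(hashlib.sha256(secret.encode()).digest(), c.secret_hash)
            and action in c.scopes
        )
        # The record names the credential, not just the account, so the owner
        # can tell "Bob, whom I authorised" from "someone with my password".
        self.audit.append((now, self.owner, cred_id, c.label if c else "?", action, allowed))
        return allowed


def activity_by_credential(account):
    """Group audit records by credential label so the owner can spot the unexpected."""
    out = {}
    for _, _, _, label, action, allowed in account.audit:
        out.setdefault(label, []).append((action, allowed))
    return out


def demo(now=datetime(2024, 3, 4, 9, 0)):
    """Alice lets Bob cover her inbox for 8 hours, then revokes the credential."""
    alice = Account("alice")
    cid, secret = alice.issue("bob-covering-inbox", {"read_mail", "reply_mail"}, 8, now)
    results = (
        alice.act(cid, secret, "reply_mail", now + timedelta(minutes=5)),   # in scope
        alice.act(cid, secret, "delete_mail", now + timedelta(minutes=6)),  # out of scope
        alice.act(cid, "not-the-secret", "read_mail", now + timedelta(minutes=7)),
        alice.act(cid, secret, "read_mail", now + timedelta(hours=9)),      # expired
    )
    alice.revoke(cid)
    results += (alice.act(cid, secret, "read_mail", now + timedelta(minutes=8)),)  # revoked
    return alice, cid, results


if __name__ == "__main__":
    acct, cid, results = demo()
    print("outcomes:", results)
    for label, actions in activity_by_credential(acct).items():
        print(label, actions)
```

Only the in-scope reply succeeds; the out-of-scope delete, the wrong secret, the expired use and the post-revocation use are all refused, and every attempt lands in the audit trail under Bob's credential rather than as an anonymous action on Alice's account. That is the property the answer is after: the delegate never learns Alice's own password, the delegation can be withdrawn without a password reset, and Alice can distinguish expected activity from the unexpected by credential.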
          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "162"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });






          Steve Venton is a new contributor. Be nice, and check out our Code of Conduct.










          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f204249%2fwhy-avoid-shared-user-accounts%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          7 Answers
          7






          active

          oldest

          votes








          7 Answers
          7






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          93














          Alice and Eve work for Bob. Alice is a very good worker who does exactly what Bob asks her to do. Eve is a criminal mastermind hell-bent on destroying Bob's company.



          Alice and Eve both share the same account.



          Eve logs into the account and uses it to sabotage an important business process. The audit log captures this action.



          How does Bob know who sabotaged his company? He has to get rid of the bad actor, but can't fire both of them, because his company depends on the work that they do. He could fire just one, but he has no way of knowing which one is his friend and which one is his enemy.



          If Alice and Eve had separate accounts, Bob could be sure that Eve was the one who did the sabotage. Eve might even avoid doing the sabotage, if she knows her account will be audited and she will be caught.



          EDIT: Adding from comments:



          If Eve quits, you now need to reset the password on every account she had access to, rather than just disabling her personal accounts. This is much harder to manage, and you will miss accounts.



          Additionally, it removes your ability to have granular control over access. If Alice should be writing checks, and Eve should be signing them, you essentially have no technological way to enforce that if they share the same account.



          Also, it makes it harder for a given individual to notice malicious changes to their environment. Alice knows what files are on Alice's desktop. Any new files will likely raise a red flag for her. Alice doesn't know what files are on Alice and Eve's shared desktop. It is likely new files will be met with a shrug and an assumption that another user put it there, not a malicious actor.






          share|improve this answer





















          • 30





            +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

            – TripeHound
            yesterday






          • 52





            A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s).

            – JimmyJames
            yesterday






          • 10





            Shared accounts also makes it much harder to detect when a bad actor has gained access to an account they should have access to.

            – JimmyJames
            yesterday






          • 13





            Even if Eve isn't out to sabotage the company, Alice and Eve's sharing an account also means that Bob can't give Alice additional permissions without also giving them to Eve. If Alice is promoted and now has access to data X, Eve gets it, too.

            – minnmass
            yesterday






          • 2





            @jpmc26 This is true, but this is not specific to shared vs non-shared accounts.

            – Adonalsium
            yesterday
















          93














          Alice and Eve work for Bob. Alice is a very good worker who does exactly what Bob asks her to do. Eve is a criminal mastermind hell-bent on destroying Bob's company.



          Alice and Eve both share the same account.



          Eve logs into the account and uses it to sabotage an important business process. The audit log captures this action.



          How does Bob know who sabotaged his company? He has to get rid of the bad actor, but can't fire both of them, because his company depends on the work that they do. He could fire just one, but he has no way of knowing which one is his friend and which one is his enemy.



          If Alice and Eve had separate accounts, Bob could be sure that Eve was the one who did the sabotage. Eve might even avoid doing the sabotage, if she knows her account will be audited and she will be caught.



          EDIT: Adding from comments:



          If Eve quits, you now need to reset the password on every account she had access to, rather than just disabling her personal accounts. This is much harder to manage, and you will miss accounts.



          Additionally, it removes your ability to have granular control over access. If Alice should be writing checks, and Eve should be signing them, you essentially have no technological way to enforce that if they share the same account.



          Also, it makes it harder for a given individual to notice malicious changes to their environment. Alice knows what files are on Alice's desktop. Any new files will likely raise a red flag for her. Alice doesn't know what files are on Alice and Eve's shared desktop. It is likely new files will be met with a shrug and an assumption that another user put it there, not a malicious actor.






          share|improve this answer





















          • 30





            +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

            – TripeHound
            yesterday






          • 52





            A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s).

            – JimmyJames
            yesterday






          • 10





            Shared accounts also makes it much harder to detect when a bad actor has gained access to an account they should have access to.

            – JimmyJames
            yesterday






          • 13





            Even if Eve isn't out to sabotage the company, Alice and Eve's sharing an account also means that Bob can't give Alice additional permissions without also giving them to Eve. If Alice is promoted and now has access to data X, Eve gets it, too.

            – minnmass
            yesterday






          • 2





            @jpmc26 This is true, but this is not specific to shared vs non-shared accounts.

            – Adonalsium
            yesterday














          93












          93








          93







          Alice and Eve work for Bob. Alice is a very good worker who does exactly what Bob asks her to do. Eve is a criminal mastermind hell-bent on destroying Bob's company.



          Alice and Eve both share the same account.



          Eve logs into the account and uses it to sabotage an important business process. The audit log captures this action.



          How does Bob know who sabotaged his company? He has to get rid of the bad actor, but can't fire both of them, because his company depends on the work that they do. He could fire just one, but he has no way of knowing which one is his friend and which one is his enemy.



          If Alice and Eve had separate accounts, Bob could be sure that Eve was the one who did the sabotage. Eve might even avoid doing the sabotage, if she knows her account will be audited and she will be caught.



          EDIT: Adding from comments:



          If Eve quits, you now need to reset the password on every account she had access to, rather than just disabling her personal accounts. This is much harder to manage, and you will miss accounts.



          Additionally, it removes your ability to have granular control over access. If Alice should be writing checks, and Eve should be signing them, you essentially have no technological way to enforce that if they share the same account.



          Also, it makes it harder for a given individual to notice malicious changes to their environment. Alice knows what files are on Alice's desktop. Any new files will likely raise a red flag for her. Alice doesn't know what files are on Alice and Eve's shared desktop. It is likely new files will be met with a shrug and an assumption that another user put it there, not a malicious actor.






          share|improve this answer















          Alice and Eve work for Bob. Alice is a very good worker who does exactly what Bob asks her to do. Eve is a criminal mastermind hell-bent on destroying Bob's company.



          Alice and Eve both share the same account.



          Eve logs into the account and uses it to sabotage an important business process. The audit log captures this action.



          How does Bob know who sabotaged his company? He has to get rid of the bad actor, but can't fire both of them, because his company depends on the work that they do. He could fire just one, but he has no way of knowing which one is his friend and which one is his enemy.



          If Alice and Eve had separate accounts, Bob could be sure that Eve was the one who did the sabotage. Eve might even avoid doing the sabotage, if she knows her account will be audited and she will be caught.



          EDIT: Adding from comments:



          If Eve quits, you now need to reset the password on every account she had access to, rather than just disabling her personal accounts. This is much harder to manage, and you will miss accounts.



          Additionally, it removes your ability to have granular control over access. If Alice should be writing checks, and Eve should be signing them, you essentially have no technological way to enforce that if they share the same account.



          Also, it makes it harder for a given individual to notice malicious changes to their environment. Alice knows what files are on Alice's desktop. Any new files will likely raise a red flag for her. Alice doesn't know what files are on Alice and Eve's shared desktop. It is likely new files will be met with a shrug and an assumption that another user put it there, not a malicious actor.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited yesterday

























          answered yesterday









          AdonalsiumAdonalsium

          2,811719




          2,811719








          • 30





            +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

            – TripeHound
            yesterday






          • 52





            A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s).

            – JimmyJames
            yesterday






          • 10





            Shared accounts also makes it much harder to detect when a bad actor has gained access to an account they should have access to.

            – JimmyJames
            yesterday






          • 13





            Even if Eve isn't out to sabotage the company, Alice and Eve's sharing an account also means that Bob can't give Alice additional permissions without also giving them to Eve. If Alice is promoted and now has access to data X, Eve gets it, too.

            – minnmass
            yesterday






          • 2





            @jpmc26 This is true, but this is not specific to shared vs non-shared accounts.

            – Adonalsium
            yesterday














          • 30





            +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

            – TripeHound
            yesterday






          • 52





            A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s).

            – JimmyJames
            yesterday






          • 10





            Shared accounts also makes it much harder to detect when a bad actor has gained access to an account they should have access to.

            – JimmyJames
            yesterday






          • 13





            Even if Eve isn't out to sabotage the company, Alice and Eve's sharing an account also means that Bob can't give Alice additional permissions without also giving them to Eve. If Alice is promoted and now has access to data X, Eve gets it, too.

            – minnmass
            yesterday






          • 2





            @jpmc26 This is true, but this is not specific to shared vs non-shared accounts.

            – Adonalsium
            yesterday








          30




          30





          +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

          – TripeHound
          yesterday





          +1 Except that Eve, being a criminal mastermind, would have hacked in to Bob's account so he would have had to fire himself :-)

          – TripeHound
          yesterday




          52




          52





          A more common situation: Eve quits or gets fired. Now you have to change the credentials for everything Eve was using (assuming you know that), you can't just disable Eve's account(s).

          – JimmyJames
          yesterday

















          13

          You should use separate accounts in all contexts (security on top).

          Adonalsium's example shows you why it's required.
          There are some rare situations where it is "not possible" or "not useful" ...

          Examples:
          "not possible" (legacy protocols/applications)
          "not relevant" (anonymous actions)

          If it is not possible, but you need to identify users, you have to mitigate the risk by adding as much source information as possible (e.g. connection info, connection time, etc ...)

          You can check the ISO 27001 Risk Assessment Methodology and ISO 31000 Risk management as a starting point to answer your question "Why avoid shared user accounts?"

























          answered yesterday

          WaltZie























                  7

                  Real story, happened at a friend's workplace (jurisdiction: Germany):

                  A coworker of his rudely insulted clients via her company e-mail. She was fired for this. She did go to court. There, her lawyer made the court aware of the fact that the employees shared their passwords (for instance, for answering a client's mail in the absence of a certain colleague).

                  The judge ruled that there was no good proof that the person in question was really the one who sent the insulting e-mails. The person had to be rehired and compensated for the lost wages.
















                  • 2

                    It's a classic, in many countries with many variations. You will find similar examples almost everywhere. It's so mainstream it doesn't qualify as a funny story in most French prud'hommes (a French tribunal appointed to decide labour disputes).

                    – xdtTransform
                    22 hours ago
















                  answered 23 hours ago

                  Daniel











                  4

                  The typical answer is accountability, traceability, etc.; in other words, to be able to know who exactly did what.

                  A shared account has n potential people doing something, but all that you have points to one account doing that thing.

                  This problem is usually lifted by making sure someone is legally responsible for the activities of this account. This may or may not be feasible, and you may not have someone taking responsibility for the actions of others.

                  This problem often occurs when you outsource some monitoring activities: the account which does the monitoring tasks should be contractually in charge of that company, which is responsible for its actions.

                  If you cannot assign a responsible person, it is then up to management to make a decision based on the risk: not having a service vs. not knowing who does what with that account.




























                      answered yesterday

                      WoJ























                          1

                          I only know one exception to that rule. There is one single machine that is shared by several users, and the following assertions are all true:

                          • one and only one of those users is in charge of this machine at any moment

                          • the account can only be used on the local machine (disabled via network)

                          This may happen on 7/7 24/24 systems. In that use case, you still keep an acceptable imputability by knowing the user that was present at a specific moment, provided you could set the above second rule. But in fact, it is equivalent to having an account with no password and only using physical security.




























                              answered yesterday

                              Serge Ballesta
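The two mitigations offered above, WaltZie's "add as much source information as possible (connection info, connection time)" and Serge Ballesta's local-only shared account with exactly one person on duty, come down to the same piece of logic: join the shared account's audit trail against a duty roster and the login source, and flag every event where that join fails. The following is an added example, not code from any answer on this page; the account name `opsconsole`, the roster and the log lines are all constructed for illustration, and the log format is a made-up one rather than any real system's.

```python
"""Attributing a shared, local-only account's actions to the person on duty.

Added example: SHARED_ACCOUNT, ROSTER and SAMPLE_LOG are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

SHARED_ACCOUNT = "opsconsole"  # constructed name of the one shared, local-only account

# Constructed duty roster: [start, end) and the single person responsible then.
ROSTER: List[Tuple[datetime, datetime, str]] = [
    (datetime(2024, 3, 4, 0, 0), datetime(2024, 3, 4, 8, 0), "alice"),
    (datetime(2024, 3, 4, 8, 0), datetime(2024, 3, 4, 16, 0), "bob"),
    (datetime(2024, 3, 4, 16, 0), datetime(2024, 3, 5, 0, 0), "carol"),
]

# Constructed audit lines: "<ISO timestamp> <account> <tty or remote address> <action>"
SAMPLE_LOG = """\
2024-03-04T07:55:10 opsconsole tty1 login
2024-03-04T09:12:44 opsconsole tty1 restart-service
2024-03-04T10:02:00 bob tty2 login
2024-03-04T17:30:02 opsconsole 10.0.0.23 login
2024-03-04T23:59:59 opsconsole tty1 logout
2024-03-05T03:10:00 opsconsole tty1 login
"""


@dataclass
class Event:
    ts: datetime
    account: str
    source: str   # "ttyN" for a console login, otherwise the remote address
    action: str


@dataclass
class Attribution:
    event: Event
    person: Optional[str]                      # who we hold responsible, if anyone
    flags: List[str] = field(default_factory=list)  # reasons the attribution is weak


def parse_log(text: str) -> List[Event]:
    """Parse the constructed four-column log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, source, action = line.split(maxsplit=3)
        events.append(Event(datetime.fromisoformat(ts), account, source, action))
    return events


def on_duty(ts: datetime) -> Optional[str]:
    """The one person the roster makes responsible at `ts`, or None."""
    for start, end, person in ROSTER:
        if start <= ts < end:
            return person
    return None


def is_local(source: str) -> bool:
    """Serge's second rule: the shared account may only be used at the console."""
    return source.startswith("tty")


def attribute(event: Event) -> Attribution:
    """Personal accounts attribute to themselves; the shared one to the roster."""
    if event.account != SHARED_ACCOUNT:
        return Attribution(event, event.account)
    attr = Attribution(event, on_duty(event.ts))
    if attr.person is None:
        attr.flags.append("no one on duty")
    if not is_local(event.source):
        attr.flags.append("network login for local-only account")
    return attr


def attribute_log(text: str) -> List[Attribution]:
    return [attribute(e) for e in parse_log(text)]


if __name__ == "__main__":
    for a in attribute_log(SAMPLE_LOG):
        e = a.event
        who = a.person or "UNATTRIBUTED"
        print(f"{e.ts.isoformat()} {e.account:<10} {e.action:<16} -> {who} {a.flags}")
```

Events from personal accounts attribute directly; events from the shared account attribute to whoever the roster says was on duty, and the two flags record exactly the cases where that attribution breaks down: a login over the network, which the second rule forbids, and a time with nobody on the roster. As the answer notes, the result is only as strong as the physical access control around the console, because nothing in the log itself proves which person typed at it.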























                                  1

                                  Best practices are nowhere "defined"; that's what the term means. A best practice is simply an established way of doing things that most people think is the best way.

                                  It goes the other way around. Once a "best practice" is dominant, usually someone on a standards board decides to put it into some ISO or other norm. It then rests there, usually without explicit reasoning, or with a circular reasoning pointing out that this is best practice.

                                  The reasons for this particular practice are likewise practical ones. If Alice and Bob share an account and something bad happens, they will both point to the other person and you have no way of figuring out who did it. With personal accounts, they'll claim it was compromised, but then you at least have a single point to investigate further.

                                  There are also explicit requirements for accountability in many sub-fields such as compliance, and they play into this.



















                                  • 1

                                    It's not rare for someone (or an organization) to write and publish something that documents best practices, though. That doesn't define them, and it can be controversial which practices should/shouldn't be included in this document, but not sharing accounts is clearly agreed upon and the OP is simply asking if anyone has written that down somewhere.

                                    – Peter Cordes
                                    5 hours ago
















                                  answered yesterday

                                  Tom











                                  1

                                  Another issue not yet mentioned is that if someone receives notification that their account is being accessed or has been accessed at a time when they aren't/weren't accessing it and wouldn't expect anyone else to do so, they're much more likely to sound an alarm than they would be if they thought that the account might have been accessed by someone whom they'd authorized.

                                  Given the number of cases where it may be necessary for someone to authorize someone else to perform some particular action on their behalf, it would be extremely helpful if services could include a means by which accounts could authorize and revoke secondary credentials with limited rights. That would allow the system to report which credential was used to access an account, thus allowing someone to better distinguish expected from unexpected activity.








































                                      share|improve this answer



                                      share|improve this answer










answered 20 hours ago

supercat
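The scheme sketched in this answer (scoped, revocable secondary credentials, with every access attributed to the credential that performed it so the owner can separate delegated activity from unexpected activity), as an added Python example that is not code from the answer or the site; the credential ids, the action scopes and the `owner_active` callback are assumptions made for illustration:

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class Credential:
    cred_id: str
    label: str                 # "primary" or a delegate's name
    scopes: frozenset          # actions this credential may perform
    revoked: bool = False


@dataclass
class Account:
    owner: str
    creds: dict = field(default_factory=dict)
    log: list = field(default_factory=list)   # (time, cred_id, action, outcome)

    def __post_init__(self):
        # The owner's own credential carries every right, including delegation.
        self.primary_id = self.issue("primary", {"read", "write", "delegate"})

    def issue(self, label, scopes):
        """Mint a secondary credential limited to the given actions."""
        cred = Credential(secrets.token_hex(4), label, frozenset(scopes))
        self.creds[cred.cred_id] = cred
        return cred.cred_id

    def revoke(self, cred_id):
        self.creds[cred_id].revoked = True

    def access(self, cred_id, action, at):
        """Authorize one action and record which credential attempted it."""
        cred = self.creds.get(cred_id)
        if cred is None or cred.revoked:
            outcome = "denied:unknown-or-revoked"
        elif action not in cred.scopes:
            outcome = "denied:out-of-scope"
        else:
            outcome = "ok"
        self.log.append((at, cred_id, action, outcome))
        return outcome == "ok"

    def review(self, owner_active):
        """Entries worth an alarm: any denial, plus primary-credential use at a
        time when owner_active(t) says the owner was not logged in themselves."""
        flagged = []
        for at, cid, action, outcome in self.log:
            label = self.creds[cid].label if cid in self.creds else "UNKNOWN"
            if outcome != "ok" or (cid == self.primary_id and not owner_active(at)):
                flagged.append((at, label, action, outcome))
        return flagged
```

Delegate use inside its scope appears in the log under the delegate's label but is not flagged, which is exactly what lets the owner stop treating it as a false alarm.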



