
Oct 29, 2025

Shared or Generic Accounts

A request we often get is to set up a shared credential for multiple people to use to access a computer or email. Many clients have part-time employees or volunteers for whom this seems to make sense. Sometimes we also get requests to set up credentials for job positions rather than people, with the idea that it’s easier to change the password and hand it to the next person who sits in that chair. I wanted to take just a minute to get on a soap box and put down in writing why we (and cybersecurity professionals generally) consider this bad practice, and why it’s our policy to only configure user credentials for individual users, not positions.

Let me first talk about why this seems like a good idea, before I talk about why it’s a bad one. In the case of volunteers or part-time employees, it can be tedious to go through all the paperwork and HR duties to set up someone who is only working 5-10 hours a week. There are background checks that need to be done, tax forms for payment, employee handbooks, sometimes even training and certifications to be around confidential materials. It’s a lot. I get it. The last thing you want to do is also file a new user form with your IT department and deal with user credentials and everything that comes with them. Managers also don’t really want to pony up another $6 per month for basic access to the company’s files that the person might not even need.

In the case of high turnover in a business position, it might also seem to make sense to have generic logins. Especially in today’s work landscape, a lot of people don’t stay in jobs for long, so making a generic “bookkeeper@” account might look like a valid shortcut to getting a new accountant set up. Just change the password and they’re ready to go, just like the old one.

Now, let’s talk about some of the risks here, starting with shared logins. This is where you have a generic “volunteer@” account that multiple people use. When it comes to security risks, imagine there is an incident where a file is deleted or changed somehow, and you want to know who did it. The only thing we can tell you is that it was one of the volunteers. Maybe they are using a shared email account, and it gets hacked. Who was responsible? Who needs more training on phishing attempts so that it doesn’t happen again? It’s virtually impossible to know who did what when everyone is using the same account, so the lack of accountability is a big issue. There is a psychological side too: people using a shared login can be less careful, because their name isn’t tied to their actions.

Speaking of getting hacked through a shared login, imagine that 5 people have access to the same set of credentials. That is roughly 5 times as many chances for those credentials to be phished, written down, or leaked somewhere, and a compromise of any one of those people exposes the whole account. It also means you’ll most likely be using a password that’s easier to guess, since all 5 people need to know it, so it can’t be something only one person remembers or keeps in their own password manager. And finally, with multifactor authentication, the most common workaround is to disable MFA entirely, since operationally it’s a big hassle to have it enabled on these kinds of accounts.

The last security risk I want to bring up is revoking access to company assets when a person leaves the organization. Let’s look at the shared access case first. 5 people know a single username and password, but one of them leaves. What are the chances that we’re going to reset that password and make the other 4 learn a new one? Operationally, that’s difficult, so it usually doesn’t happen, and the person who left still has working credentials. What about the generic login case? We’re doing this to make our lives easier, right? So what’s easiest? Just give the new person the old password, of course. This happens all the time.
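One practical way to find out whether you already have shared accounts in your environment is to look at successful sign-in logs for accounts that show up on several different devices within a short window. A single person rarely signs in from three machines in the same ten minutes; a “volunteer@” account used by a whole shift does exactly that. The script below is an added example written for this post, not something from the original article; it assumes a simplified, constructed log line format (timestamp, result, user, source IP, device name), so you would adapt the regular expression to whatever your identity provider actually exports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in log lines for illustration; these are not real
# records and the format is an assumption, not a specific vendor's export.
SAMPLE_LOG = """\
2025-10-27T08:02:11Z SUCCESS user=volunteer@example.org ip=203.0.113.10 device=FRONTDESK-PC
2025-10-27T08:05:43Z SUCCESS user=volunteer@example.org ip=198.51.100.22 device=iPhone
2025-10-27T08:09:02Z SUCCESS user=volunteer@example.org ip=192.0.2.77 device=LAPTOP-K
2025-10-27T08:15:30Z SUCCESS user=nate@example.org ip=203.0.113.10 device=NATE-PC
2025-10-27T09:40:12Z SUCCESS user=nate@example.org ip=203.0.113.10 device=NATE-PC
2025-10-27T09:41:00Z FAILURE user=nate@example.org ip=198.51.100.5 device=UNKNOWN
2025-10-27T13:20:00Z SUCCESS user=bookkeeper@example.org ip=203.0.113.15 device=ACCT-PC
2025-10-28T13:22:00Z SUCCESS user=bookkeeper@example.org ip=198.51.100.9 device=HOME-LAPTOP
"""

# One line = timestamp, result, user, source IP, device (assumed layout).
LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+) device=(\S+)$")


def parse_log(text):
    """Parse log text into (timestamp, user, ip, device) tuples for successful sign-ins.

    Failed attempts are skipped: we want to know who is actually using the
    account, not who tried to guess its password.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed or unrelated lines
        ts, result, user, ip, device = m.groups()
        if result != "SUCCESS":
            continue
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, device))
    return events


def find_shared_accounts(events, window=timedelta(hours=1), min_devices=3):
    """Return {user: sorted list of devices} for accounts seen on at least
    `min_devices` distinct devices within any span of length `window`.

    The device set reported is the largest one found for that account.
    A generous `window` with `min_devices=2` catches accounts that are merely
    used from more than one machine; a short window with a higher threshold
    is the stronger signal that several people are logging in concurrently.
    """
    by_user = defaultdict(list)
    for ts, user, _ip, device in events:
        by_user[user].append((ts, device))

    flagged = {}
    for user, evs in by_user.items():
        evs.sort()  # sort by timestamp so a sliding window is valid
        best = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            devices = {d for _, d in evs[start:end + 1]}
            if len(devices) > len(best):
                best = devices
        if len(best) >= min_devices:
            flagged[user] = sorted(best)
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, devices in find_shared_accounts(events).items():
        print(f"{user}: {len(devices)} devices within an hour -> {', '.join(devices)}")
```

With the sample data, only the volunteer account trips the default rule (three devices within an hour). The bookkeeper account appears on two machines a day apart, which is consistent with one person working from home and the office, and only shows up if you widen the window and lower the threshold. In a real environment, run this against a week or two of identity-provider sign-in exports; every account it flags is a candidate for the conversation this post is about.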

Okay, so now let’s talk about how these shortcuts affect us operationally. We have a client in the health space with a number of nurses. Their old IT vendor set up a shared “nurse” account and gave it to everyone. This was not done to keep costs down, but rather to keep IT from having to deal with a lot of accounts. Once MFA was added, they decided to just use the office manager’s phone as the second authentication method. Whenever someone needed to log back in, which was fairly often, the office manager was pulled away from their duties to read off a code. If they were in a meeting or otherwise indisposed, that nurse couldn’t access email or other business resources. Obviously, the easier solution for both the nurse and the office manager is to have IT create a login for that nurse so they can manage their own credential and MFA.

When looking at the generic login, imagine you are starting a new job. You’ve been in the workforce now for several years and have a method on how to deal with email, organize files, etc., that makes sense to you. But at this new job, you sit down and log in with the generic credential provided to you. The desktop background is a picture of some children you don’t know. The colors are all wacky and the text is huge. There are rules throughout Outlook moving emails from the inbox to folders that you don’t understand. The homepage on your web browser is another person’s Facebook, signed in and everything. The previous employee spent a lot of time making this computer their own, and now you’re going to have to undo all of that to make it yours. That’s not the kind of first day I would want.

I would love for us all to agree that in today’s world, apart from a very few select instances, shared and generic logins are bad. We have made it our policy to avoid them whenever possible, and hope that this post helps you understand why.

-Nate
