A thought experiment about shared credentials
Published: Jul 21, 2017
Author: Marc Spitler
Earlier this year the following question was posed to us: "What is more likely to get compromised by an external attacker? One account with a strong password shared by 5 people or 5 accounts with strong passwords known only individually?"
The instinctive reaction is to shout the evils of shared passwords, but the way the question was framed made it harder to answer. Insider misuse and the accountability provided by unique user logins were not to be factored in. Assuming the behavior of all internal users (likelihood to click on links, web surfing habits, etc.) is equal, and all other controls are the same for all devices, then the probability that a single account is compromised (1 of the 5 unique credentials vs. the 1 shared credential) would be close to, if not exactly, equal. Here is my rationale. I am assuming three places where compromise could occur: the device itself (what is being logged into), the user devices used to remotely authenticate to it, and the users themselves.
For the most common threat actions that target the users, such as phishing, the likelihood again would be close. In each scenario there are 5 possible human targets, and the methods used would not leverage the fact that the password is shared vs. unique. "Hey, this is Mitch from IT, I'm a great guy, we support the same local sports team, by the way, what's your password?" One could argue that a user who knows the account is shared may be more hesitant to hand over the password to assist in a "reset", since doing so would affect others' access. On the other hand, a user may be more easily fooled into sharing the password if convinced that the caller needs to be added to the group that uses it.
For threat actions that target the users' devices, such as keyloggers, the fact that the password is the same again does not factor into the probability. A keylogger capturing user input neither knows nor cares whether another user shares the account. So if the devices are equally at risk of malware infection, then the two scenarios are close to, if not exactly, equal in the risk of a keylogger or other malware capturing the credential.
Threat actions that target the server itself, such as password cracking or brute force, may have different probabilities of success. With 5 unique accounts there are 5 distinct hashes that could be in a rainbow table or matched by the wordlist thrown at them, so the probability of a compromise is slightly higher: there are now 5 targets to crack, not the same one 5 times over. (Per-user salting defeats the rainbow table but does not remove the extra targets; and in any case, reducing the number of credentials an attacker has to crack is not a recommended security control.)
Moreover, in the brute-force scenario the extra targets only improve the attacker's odds if the external actor already knows the username component of the equation. So, long story short, the common threat actions external actors use to steal user credentials are not meaningfully influenced, helped or hindered by whether or not the username/password is unique.
So the probability that 1 of the 5 unique credentials is compromised versus the 1 shared credential is close to equal, and without research on the potential variables I mentioned above (e.g., "Are people more likely to disclose shared passwords to an external pretexter?" or "How much more likely is a password cracking attack to succeed against 5 hashes versus 1?") it should be treated as such. The original question seemed instead to ask about the probability that all 5 unique credentials are compromised versus the single shared credential, and that is a different question. All things being equal, it is much likelier that a single credential will be compromised than all 5: you would need to social engineer all 5 users, install a keylogger on all 5 user devices, or crack or brute force all 5 stored passwords. But that is not the security question that I believe needs to be asked.
If any one of the 5 is compromised, then the attribute loss to the device in question is the same (assuming the levels of access for all 5 users are equal). So why push for 5 unique credentials? For the obvious reasons that were taken out of the equation: insider misuse, the inability to identify exactly which user is doing what, etc.
Another reason is improved detective controls for spotting a compromised account. The behavior of 5 different people using one account is harder to baseline than 5 individual users and their individual account usage, especially in a multi-time-zone or shift-work environment.
It may be "normal" to see the shared user 'box_admin' log in at 1600 Pacific Time, because one of the 5 shared users is based in Seattle; but if the Boston-based user 'ron.swanson' logs in at that hour, it could be flagged as unusual or interesting traffic if Ron does not typically use that resource after normal business hours.
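The baselining point above, as an added example that is not part of the original post: a shared account's "normal" login hours are the union of every person who uses it, so the same 1600 Pacific (2300 UTC) login that is invisible under 'box_admin' stands out under 'ron.swanson'. The log format, host name, account names, office hours, source addresses and the 20-day training period are all constructed for illustration; weekends and source-IP history are ignored to keep the logic short.

```python
"""
Per-account login-hour baselining: shared account vs. individual accounts.
Added example (not from the original post); all data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed auth-log format: "<UTC timestamp> <host> login user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed "typical" UTC login hours per account. box_admin is one credential
# used by five people in Boston and Seattle, so its hours are the union of both
# offices' working days (09:00 EDT through 16:59 PDT). The individual accounts
# are narrower: one Boston user, one Seattle user.
TYPICAL_UTC_HOURS = {
    "box_admin": range(13, 24),      # 13:00-23:59 UTC, all five users combined
    "ron.swanson": range(13, 22),    # Boston, 09:00-17:59 EDT
    "april.ludgate": range(16, 24),  # Seattle, 09:00-16:59 PDT
}


def constructed_log(hours_by_user, days=20, start=datetime(2017, 6, 1, tzinfo=timezone.utc)):
    """Generate a training log: one login per account per typical hour per day."""
    lines = []
    for day in range(days):
        for user, hours in hours_by_user.items():
            for h in hours:
                ts = start + timedelta(days=day, hours=h)
                lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} box01 login user={user} src=10.0.0.{day + 1}")
    return lines


def parse_event(line):
    """Parse one auth line into (utc datetime, user, source ip); reject anything else."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"]


def build_baseline(lines, min_observations=3):
    """Map each account to the set of UTC hours it was seen in at least
    min_observations times; requiring repetition keeps a single odd login
    from widening the baseline."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, user, _ = parse_event(line)
        counts[user][ts.hour] += 1
    return {user: {h for h, n in hours.items() if n >= min_observations}
            for user, hours in counts.items()}


def flag_unusual(baseline, lines):
    """Return (user, timestamp, reason) for logins outside the account's baseline
    or from accounts with no baseline at all."""
    findings = []
    for line in lines:
        ts, user, src = parse_event(line)
        hours = baseline.get(user)
        if hours is None:
            findings.append((user, ts, f"no baseline for account (src={src})"))
        elif ts.hour not in hours:
            findings.append((user, ts, f"login at {ts:%H:%M} UTC outside usual hours {sorted(hours)}"))
    return findings


# The post's scenario: a 16:00 Pacific (23:00 UTC) login. Under the shared
# account it is indistinguishable from the Seattle users' normal day; under
# Ron's own account it stands out because his baseline ends at 21:59 UTC.
NEW_EVENTS = [
    "2017-07-10T23:05:00Z box01 login user=box_admin src=10.9.9.9",
    "2017-07-10T23:05:00Z box01 login user=ron.swanson src=10.9.9.9",
    "2017-07-10T23:05:00Z box01 login user=april.ludgate src=10.9.9.9",
    "2017-07-10T23:05:00Z box01 login user=never.seen src=10.9.9.9",
]


def run():
    """Build the baseline from the constructed log and evaluate the new events."""
    baseline = build_baseline(constructed_log(TYPICAL_UTC_HOURS))
    return flag_unusual(baseline, NEW_EVENTS)


if __name__ == "__main__":
    for user, ts, reason in run():
        print(f"{ts:%Y-%m-%d %H:%M}Z {user}: {reason}")
```

Only 'ron.swanson' and the never-seen account are flagged; the identical 'box_admin' login passes because the shared baseline already covers every hour any of its five users works. That widening is the cost the paragraph above describes: the more people (and time zones) behind one credential, the less an hour-of-day baseline can say about any single login, and the same applies to source address or geography baselines built on a shared account.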