RE: Sharing of User IDs and Passwords
June 4, 2019

Dear Colleagues,

As a reminder, Administrative Regulation 6006 prohibits the sharing of account credentials (account name and password).

Although sharing accounts and passwords is often viewed as a way to get something done quickly, it is important that everyone understand the potential implications of doing so. For instance:

  • The borrower can gain access to restricted areas and confidential information, run sensitive processes, and disregard clearly defined controls.
  • The borrower can commit fraud using the owner’s account, and the owner can be held partially liable.
  • If the borrower’s computer is compromised, a cybercriminal can steal and reuse the credentials of the owner’s account.
  • Auditors can cite the institution depending on the breadth of the finding (this includes posted notes with passwords viewable in plain sight).

Fortunately, there are plenty of other options. For example, email and calendars can be delegated, PeopleSoft access can be granted (e.g. TARS), file shares can be created for collaborating, etc. IITS encourages you to contact the IITS Help Desk if you need assistance finding an appropriate method.

If you encounter someone offering or asking for a password, please reiterate the information above or report it to the IITS Help Desk. IITS will conduct the discussion as an educational opportunity rather than a punitive measure.

Likewise, as a manager, if you find someone within your department sharing passwords, please verbally reiterate the information above and take the opportunity to recap the discussion in the form of a generic email (to avoid singling out a specific person) to your entire staff.

Thank you for assisting in the effort to keep your credentials, and the credentials of your coworkers, safe from potential abuse.