It seems there’s a nearly unending stream of website hacking news stories these days. Just last week, the New York Times came out with an interactive feature to help you see if your personal information was compromised in a whole string of incidents that the paper covered.
Most of these high-profile hacks are targeted, meaning that a hacker or hackers specifically chose a company and tried to hack it. However, instead of being the victim of an evil hacker, we small-time website owners mostly need to worry about automated hacking efforts that target outdated website software (WordPress, plugins, themes, including those of other sites on the same hosting plan) and weak passwords or those exposed in previous hacks. ((This is why you want to use a different password on each site. When a hacker publishes a list of user accounts, those passwords are added to password “dictionaries” used by bots that attempt to guess user accounts. If you’re unaware, this is happening to every WordPress site on the internet every day and is why you shouldn’t use the “admin” username.))
But there is one type of targeted hacking that even small nonprofits should be concerned about: that of former employees. I’m not saying that this happens a lot, and most potential “hacking” could be fairly benign. For instance, someone could briefly deface a web page or even just look at private unpublished information in a website or other web-accessed system. However, this stuff is easy to avoid.
It’s easy to avoid, but that doesn’t mean people avoid it. Here’s the Times on the recent Major League Baseball hacking scandal:
Investigators believe Cardinals officials, concerned that Mr. Luhnow had taken their idea and proprietary baseball information to the Astros, examined a master list of passwords used by Mr. Luhnow and the other officials who had joined the Astros when they worked for the Cardinals. The Cardinals officials are believed to have used those passwords to gain access to the Astros’ network, law enforcement officials said. [Emphasis added]
If your organization were “hacked,” would the New York Times’ coverage read the same? ((And would the maxim prove true that all publicity is good publicity?)) In my experience working with lots of organizations, this type of password and user account management is quite common. Luckily, it’s also easy to avoid and something I’ve written about before:
Each site editor should have their own user account, and each user account should belong to an individual…
- Security – A shared password is a big flashing red warning sign that your system isn’t as secure as it could be. In my experience, shared passwords also tend to be less complex.
- Logistics – If a user forgets their shared user account’s password, where does the reset email go and how do they make sure everyone with access knows it has changed? There is no good answer to this question.
- Administration – If someone leaves an organization or site, it’s easy to delete a single user. It’s much more complicated to remove their access to a shared account.
- Attribution – CMSes often use user accounts to track and display content creation and editing. This is useful for site visitors to know who wrote something and useful for edit-tracking in the case of a site audit or internal collaboration.
…As best I can tell, there are no advantages to sharing user accounts when considering the above… It may feel easier at first to share accounts, but it rarely ends well. Trust me, I’ve been on both ends of this one. [Emphasis added]
It’s a real pain to change a password that everyone has to use. It’s easy to just remove the account of someone who has left your organization. This process can even be written straight into any other documentation that exists about personnel management.
Unfortunately, the hardest part of implementing this type of system for your organization is the culture change. You’ll need to teach people not to share passwords via email, to request new accounts from an administrator rather than borrow them from a colleague, and to regularly audit and clean up user accounts to make sure only people who need access to each system have it.
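One way to make that periodic audit concrete, as an added example that is not from the original post: a small Python script (function names and sample data are my own, constructed for illustration) that reconciles a CMS user export against the current staff roster and flags shared-looking, orphaned and stale accounts.

```python
"""Account hygiene audit for a small organization's CMS (e.g. WordPress).

Given an export of CMS user accounts and the current staff roster, report
accounts that should be removed or replaced with individual ones:
  - generic or shared-looking usernames ("admin", "editor", ...) not tied to one person
  - accounts whose owner is no longer on the roster (offboarding gaps)
  - accounts with no recent login (access that may no longer be needed)
"""
from datetime import date

# Usernames that usually signal a default or shared account.
# Assumption: adjust this set to your organization's naming conventions.
GENERIC_NAMES = {"admin", "administrator", "editor", "webmaster", "marketing", "info", "staff"}


def audit_accounts(users, roster_emails, today, stale_days=90):
    """Return a list of (username, reason) findings.

    users: iterable of dicts with keys username, email, role, last_login (date or None)
    roster_emails: set of e-mail addresses belonging to current staff
    """
    findings = []
    for u in users:
        name = u["username"]
        if name.lower() in GENERIC_NAMES:
            findings.append((name, "generic/shared account: replace with individual accounts"))
        if u["email"].lower() not in roster_emails:
            findings.append((name, "owner not on current roster: remove or reassign content"))
        last = u.get("last_login")
        if last is None or (today - last).days > stale_days:
            findings.append((name, f"no login in {stale_days} days: confirm access is still needed"))
    return findings


# Constructed sample data (not from any real site); example.org is a reserved domain.
TODAY = date(2015, 6, 20)
SAMPLE_ROSTER = {"alice@example.org", "bob@example.org"}
SAMPLE_USERS = [
    {"username": "admin", "email": "info@example.org", "role": "administrator", "last_login": date(2015, 6, 18)},
    {"username": "alice", "email": "alice@example.org", "role": "editor", "last_login": date(2015, 6, 19)},
    {"username": "bob", "email": "bob@example.org", "role": "author", "last_login": date(2015, 1, 5)},
    {"username": "carol", "email": "carol@example.org", "role": "editor", "last_login": date(2015, 5, 30)},
]

if __name__ == "__main__":
    for username, reason in audit_accounts(SAMPLE_USERS, SAMPLE_ROSTER, TODAY):
        print(f"{username:10} {reason}")
```

Run against a real export, the output is the checklist to hand to whoever owns the system: each line is one account to delete, reassign, or split into personal accounts.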
I’m generally not a paranoid person, nor do I encourage you to be one, but just this once, maybe harness a bit of paranoia and get on this! Get people their own accounts, remove the old ones that were shared, and then join me in feeling embarrassed for a baseball team rather than your own organization.