I recently heard a true story about shared passwords that would make an IT security specialist’s skin crawl.
I was talking to a guy who manages a lot of the day to day operations of a small, non-profit service agency in a small town in North Carolina. Mostly he keeps the organization’s equipment up and running so that the organization members can do their job on a day to day basis. But one of the responsibilities that falls on his plate is to manage the keypad lock on the organization’s office door and managing the shared password/shared key code for the lock.
This non-profit organization has a constant turnover of volunteers, all of whom need to get into the office on a regular basis and all of whom have a need to know the door code. They are security conscious enough to know that they need to change the door code on a regular basis. They have a well controlled email distribution list that they use for distributing the new door code when it is changed. By “well controlled” I mean someone has the specific responsibility to make sure that only people who are current volunteers and staff are on the list. So far, so good. For the fairly low risk involved in this organization, that seems like a reasonably secure method for managing the key code/shared password. Mostly they are concerned that, if they have to “fire” a volunteer, the volunteer won’t be able to get back into the office and vandalize the place.
I ran across this guy one day as I was going into that organization’s office and he looked to be changing the door code. So I asked him about it. As it turned out, he was not changing our door code but adding a second door code to the lock.
“It’s for the Fire Department,” he said, “They need a PIN code that they can use to get into the building in case of a Fire or other emergency.” It is apparently some sort of Town ordinance or requirement to set this up for the Fire Department.
I asked, “Why can’t they use the same PIN code we use?” His response blew my mind. According to him, the Fire Department requires that all PIN codes on all such locks in town be set to the same 4 digit number so they don’t have to keep track of each door’s PIN code separately. I kinda knew the next answer to my question, but I went ahead and asked it anyway. “What happens when you change the PIN code?” His response, “We’re not supposed to change the Fire Department code.”
Now you see why I’m keeping this story as anonymous as possible.
When Are Shared Passwords OK?
My first thought on hearing this story, after I picked my jaw up off the floor, was, “Why isn’t there a crime spree all over town? Why isn’t every keypad-protected door in town being violated with the shared password/PIN code?” But there isn’t. At least not that I’ve seen in the Town’s papers.
The answer, I think, is because of trust. Everyone trusts the Fire Chief. It’s not an elected position, but it is a position that holds the public trust in a very visible way. Likewise, I have to assume, the Fire Chief builds and maintains a sense of duty and a culture of responsibility in the Fire Department, so that the people in the department who know the shared password/PIN code that can get them into any keypad-locked door in town simply never abuse that access.
If I mapped all this out on paper and factored in only the actual security controls that are in place, it would look like a nightmare. Completely infeasible. I don’t care which threat modeling method you use. If the threat model only looks at controls and represents people as nothing more than stick-figure actors in a diagram, you’d never be able to use the threat model to explain how this security system manages to actually work in the real world.
To truly understand a security system you not only have to understand the security controls in place, you also have to have a deep understanding of the trust relationships among its participants. And like all human relationships, those trust relationships are messy, hazy, and evolving. I’d be interested in hearing about any threat modeling systems that have a usable way of representing both the security controls and the trust relationships. I’d use this Fire Code scenario as a good test case for such a threat modeling system.
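As an added illustration (not from the original post, and not any real threat modeling tool), here is a toy Python model of the scenario built from constructed doors, codes and holder names. It records the controls a diagram would capture for each shared code (how many doors it opens, whether it is rotated on turnover, how many people hold it) alongside a `vouched_by` field that a controls-only model has no place for, then runs both a controls-only review and a trust-aware review over the same data so the difference the post describes is visible.

```python
"""Added example: a tiny threat-model structure that records both the
security controls around a shared door code and the trust relationships
a controls-only diagram leaves out.  Every door, code and name below is
constructed for illustration and does not describe any real building."""

from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class SharedCode:
    """One shared password / keypad PIN and the controls around it."""
    name: str
    holders: Set[str]                  # who currently knows the code
    rotated_on_turnover: bool          # is the code changed when a holder leaves?
    distribution: str                  # how the code reaches holders (a control)
    # Trust relationships: holder -> the accountable party vouching for them.
    # A controls-only model has no field like this at all.
    vouched_by: Dict[str, str] = field(default_factory=dict)


@dataclass
class Door:
    name: str
    opened_by: List[str]               # names of SharedCode entries


def blast_radius(doors: List[Door], code_name: str) -> Set[str]:
    """Doors that a single leaked code would open."""
    return {d.name for d in doors if code_name in d.opened_by}


def control_only_review(doors: List[Door], codes: List[SharedCode]) -> Dict[str, List[str]]:
    """What a controls-only threat model reports: people are stick figures,
    so every holder of every code is an equally likely misuser."""
    findings: Dict[str, List[str]] = {}
    for code in codes:
        issues: List[str] = []
        radius = blast_radius(doors, code.name)
        if len(radius) > 1:
            issues.append(f"one code opens {len(radius)} doors")
        if not code.rotated_on_turnover:
            issues.append("never rotated; departed holders keep access")
        if len(code.holders) > 1:
            issues.append(f"{len(code.holders)} holders, no individual accountability")
        findings[code.name] = issues
    return findings


def trust_aware_review(doors: List[Door], codes: List[SharedCode]) -> Dict[str, dict]:
    """Same controls, plus the trust relationships: a holder vouched for by an
    accountable party is no longer an anonymous stick figure, and the review
    reports only the holders nobody vouches for."""
    findings: Dict[str, dict] = {}
    for code in codes:
        unvouched = sorted(h for h in code.holders if h not in code.vouched_by)
        findings[code.name] = {
            "doors_exposed": len(blast_radius(doors, code.name)),
            "holders": len(code.holders),
            "unvouched_holders": unvouched,
            "rotated_on_turnover": code.rotated_on_turnover,
        }
    return findings


def build_scenario() -> Tuple[List[Door], List[SharedCode]]:
    """Constructed data mirroring the story: one office code that is rotated,
    and one town-wide emergency code that opens every door and never changes."""
    office_code = SharedCode(
        name="office-code",
        holders={"vol-a", "vol-b", "staff-c"},
        rotated_on_turnover=True,
        distribution="controlled email list",
        vouched_by={"staff-c": "director"},   # volunteers have no named sponsor
    )
    emergency_code = SharedCode(
        name="emergency-code",
        holders={"ff-1", "ff-2", "ff-3"},
        rotated_on_turnover=False,
        distribution="set on every lock in town",
        vouched_by={h: "fire chief (duty of office)" for h in ("ff-1", "ff-2", "ff-3")},
    )
    doors = [
        Door("office", ["office-code", "emergency-code"]),
        Door("library", ["emergency-code"]),
        Door("clinic", ["emergency-code"]),
    ]
    return doors, [office_code, emergency_code]


if __name__ == "__main__":
    doors, codes = build_scenario()
    print("controls only:", control_only_review(doors, codes))
    print("with trust:   ", trust_aware_review(doors, codes))
```

On the constructed data the controls-only review flags the emergency code three times (opens every door, never rotated, many holders) and cannot say why it has not caused a crime spree; the trust-aware review shows the same exposure but an empty list of unvouched holders, while the rotated office code turns out to be the one with holders nobody explicitly vouches for. That is the point of the post: the trust field is data the model has to carry, not something the controls can substitute for.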