Password-sharing politicians prompt security row

Sharing passwords with staff is apparently common in the House of Commons, with security experts warning this a very bad idea.
Written by Danny Palmer, Senior Writer

Politicians regularly share their log-in details with staff and interns, according to Twitter postings by one MP.

Referring to a row about who could have had access to a PC in first secretary of state Damian Green's office, which was used to view pornography, Conservative MP Nadine Dorries posted a tweet in which she suggested that it wasn't always clear cut who was using a PC in the House of Commons.

"My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Greens desk was accessed and therefore it was Green is utterly preposterous," she said.

Dorries later added that it's common for staff to share passwords in the office.

"All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, 'what is the password?', she said, also adding: "I'm not the Gov. I'm an MP with a computer in a shared office upon which lives an email account. That's as exciting as my computer gets."

Parliament is already a high-profile target for cyberattacks, and earlier this year hackers attempted to break into the email system there, with some accounts being breached.


Some members of parliament don't appear to understand basic cybersecurity issues.

Image: iStock

Dorries isn't even the only member of parliament to openly admit to password sharing: Nick Boles MP also tweeted that the practice is known to occur within his office.

Perhaps unsurprisingly, this stance has been met with criticism from security experts.

See also: What is phishing? Everything you need to know to protect yourself from scam emails and more

The password sharing occurs despite the House of Commons staff handbook chapter on information security specifically stating that MPs must not share passwords.

"The news that MPs regularly share their passwords with members of their staff is an example of the dangers caused by the mentality that 'it won't happen to me', or 'it won't happen to me again'. In this case, the need for teams to easily and quickly access email, social media, or other information has clearly become more of a priority than securing data," Raj Samani, chief scientist at McAfee, told ZDNet.

"The House of Commons needs to take steps to ensure that MPs are aware of the dangers of sharing passwords. It is clear that better cyber-education policy is needed in government," he added.

"It is a reminder that the human element is often the weakest link in the chain -- both Dorries herself as a weak link and those she's willing to trust with her credentials," Paul Bernal, senior lecturer, UEA Law School and specialist in internet privacy, told ZDNet.

Bernal suggests that if MPs can't understand why sharing a password is bad, then they don't have a chance of scrutinising legislation around technology.

"If she can't understand why what she says is so reckless, she's demonstrating a fundamental misunderstanding of privacy, confidentiality, and technology. That's simply unacceptable in an MP these days -- she's expected to vote responsibly on tech laws including surveillance, intellectual property, and more," he said.

On Monday, the Information Commissioner's Office said: "We're aware of reports that MPs share logins and passwords and are making enquiries of the relevant parliamentary authorities. We would remind MPs and others of their obligations under the Data Protection Act to keep personal data secure."

A spokesperson for the House of Commons told ZDNet: "In common with other organisations, Parliament has a cyber security policy that applies to all users of its digital services, including Members, their staff and parliamentary staff. In line with good practice, this policy includes a requirement not to share passwords."

Recent and related coverage

Blame shoddy security for UK parliament hack, says report

Without two-factor authentication, there was nothing stopping hackers from using stolen passwords.

Security services investigate cyberattack against UK Parliament after emails hacked

Parliamentary personnel using 'weak passwords' have had email accounts compromised, and it remains unclear whether MPs, Lords and their staff use two-factor authentication.


Editorial standards