Dangers of Using Generic User Accounts

Generic user accounts are typically set up and shared among users that have rotating, temporary or intern positions. While the initial time saving aspect of setting up generic accounts is present, the potential long-term pitfalls outweigh the benefits.  The conflicts that could arise are something to be aware of before deploying generic accounts across your organization.

Generic E-Mail Accounts

When multiple people need to access correspondence relating to an entire department, generic e-mail accounts are typically used. (For example, HR@yourbusinessdomain.ca or marketing@yourbusinessdomain.ca.) These kind of generic accounts prove useful for departments that are inundated with sales, recruitment or marketing solicitations that can take up valuable time and space. In these scenarios, generic email accounts can be setup as shared mailboxes (in Exchange). Several members can be granted full access permissions and “send as” privileges once shared mailboxes have been configured. This kind of structure works well since it eliminates having to worry about archiving and transferring emails when people leave or transition out of their roles. Reassigning or terminating a users access becomes easier.

Generic User Accounts

The consequences of granting access to generic user accounts across your organization should be weighed carefully.

A generic user account is one that is not derived using a standard naming convention. For example, instead of logging into a workstation with your first name/last name, you log in as Admin, Student or Clerk; meaning there is no corresponding real user associated with the account. Generic user accounts are different from generic e-mail accounts; so too are the consequences of granting access to them.

It’s tempting to set up accounts this way especially when duties are shared among multiple users. In the short term it seems beneficial to have an account set up that multiple people can use. However in the long term,  the lack of accountability such an account would have will be problematic. Data Protection laws may require audits of who has access to your business data. Auditing the behaviors of a generic account, determining the user involved in a security breach or controlling the access levels of the account are just some of the common scenarios a company can encounter.

Things to Consider

Permitting generic user accounts even with low privileges (as in read-only accounts) can still be problematic.  It is best practice, and one commonly enforced, to tie each identify and each account to a specific individual, with specific privileged access. It is the best defense against a systemic lack of security controls. Determine if there is an actual business need to create a generic user account. The following points should be considered:

  • Management Issues. When allowing multiple user access to a generic account, a lack of proper management can result. Generic accounts increase the risk associated with accountability. It will also affect the transparency and auditing trail that corresponds with the account.  A plan will need to be in place to address the retention and disposal policies when turnover occurs. It is also important to note that if your organization uses SharePoint, SharePoint will connect with the corresponding user account you are logged in as.
  • Access Thresholds. When sharing accounts among multiple people who are accessing the account at the same time, users will get locked out as the accounts threshold is reached. For example when a user is logged into the digital music service Spotify and a second user logs in from a different location, the first user will be kicked off. Even if the account threshold is a tolerable for the short term, generic user accounts is not a scalable solution.
  • Exit Strategy. Have in place the appropriate policies for when temporary users leave the organization. Determine ahead of time, when an appropriate time will be to change passwords.  You will want to ensure that once a users employment has ended, that so too, has their access to your system.
  • Best Practice. If it is deemed that a business need justifies the creation of a generic user account, be sure to designate a responsible owner. This owner should be responsible for the management of access to the account and track access accordingly.