3 reasons why Nadine Dorries is totally wrong about password sharing
Frustration abounds as MPs expose their backwards security practises


Shh - what's that? If you listen very, very carefully, you'll hear it; it's the sound of countless security experts smashing their heads against their keyboards in frustration. The cause, as so often before, is the government's laughable attitude to data privacy and cyber security.
Where to begin with this latest shambles? You may recall that First Secretary of State Damian Green was allegedly found to have rude and naughty pictures of the pornographic variety on his government-issued computer, which Green denies.
Nadine Dorries, Conservative MP for Mid Beds, leapt to Green's defence over the weekend, pointing out that if porn was found on Green's computer, it may not have been him who was downloading and/or viewing it on taxpayer time. After all, she said, her staff use her login to access her official computer all the time. Even interns on exchange programmes!
Er, sorry... What?
Yes folks, you read that correctly - Dorries is so free and easy with her access credentials that she even hands them out to visiting exchange students. To make matters worse, several of her fellow MPs admitted they also share their login details with staff, including Nick Boles, Will Quince and Robert Syms.
Of course, Dorries was quick to downplay the seriousness of her actions, stating that all she has on her computer is a shared email account, with no access to government documents. Boles, similarly, said that only the four people he employs to deal with correspondence from constituents have access to the passwords, which are regularly changed.
For the avoidance of doubt, let's be crystal clear: this is a dangerous, insecure and irresponsible practice. Under no circumstances should anyone be sharing one login between multiple staff members. There are numerous ways to ensure staff members can access a shared computer, mailbox or file storage system without having one login that simply gets passed around, and the fact that government MPs are apparently not using any of them is extremely alarming.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
Dorries and co claim that sharing their login with staff isn't an issue, but let's take the time to unpick some of the many, many problems with these arguments.
Firstly, there's the issue of lateral movement. Dorries says that the only thing on the computer is a shared email account. Even if that's true, the computer itself is 'Westminster-based', and is likely to be connected to some kind of internal network. This opens up the possibility for lateral movement, using Dorries' machine as a way to gain access to a more important target within the network.
Then there's the issue of data protection. The shared mailbox used by the staff of Dorries and Boles presumably contains at least a partial list of constituents' names and email addresses, along with who knows what additional information shared as part of their correspondence. Behaviour like this puts all of that information at risk.
Last but not least, accountability is the biggest problem with using a shared login - and one that is best illustrated, ironically, by the very issue that prompted Dorries' admission in the first place. She is quite right in stating that if Green's access credentials were shared by his staff, there's no way of proving that it was him that was allegedly looking at porn, but that's a huge problem.
Let's imagine that, instead of perusing some nudes, the First Secretary of State was instead accused of using his computer to leak classified intelligence data to Russian agents. With a single shared login, it's virtually impossible to trace the source of the leak back to the mole. If everyone has their own credentials, it's instantly obvious.
The concept of not sharing your username and password with anyone is a basic, fundamental tenet of cyber security best practice, and the tools to ensure that you shouldn't need to share your credentials have existed for years. Considering that the Tories are supposed to be the party of business, its own staff seem to be trailing laughably far behind the curve when it comes to keeping up with industry security standards - which would be funny if it wasn't so alarming.
Adam Shepherd has been a technology journalist since 2015, covering everything from cloud storage and security, to smartphones and servers. Over the course of his career, he’s seen the spread of 5G, the growing ubiquity of wireless devices, and the start of the connected revolution. He’s also been to more trade shows and technology conferences than he cares to count.
Adam is an avid follower of the latest hardware innovations, and he is never happier than when tinkering with complex network configurations, or exploring a new Linux distro. He was also previously a co-host on the ITPro Podcast, where he was often found ranting about his love of strange gadgets, his disdain for Windows Mobile, and everything in between.
You can find Adam tweeting about enterprise technology (or more often bad jokes) @AdamShepherUK.
-
Why Microsoft thinks diversity will keep security workers relevant in the age of agentic AI
News Improved AI skills and a greater focus on ensuring agents are secure at point of deployment will be key for staying ahead of attackers
By Rory Bathgate
-
Microsoft: get used to working with AI-powered "digital colleagues"
News Tech giant's report suggests we should get ready to work with AI, revealing future trends for the workplace
By Nicole Kobie
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
By Nicole Kobie
-
Hackers are using Zoom’s remote control feature to infect devices with malware
News Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
By Ross Kelly
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
News State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
By Emma Woollacott
-
Edge devices are now your weakest link: VPNs, firewalls, and routers were the leading source of initial compromise in 30% of incidents last year – here’s why
News Compromised network edge devices have rapidly emerged as one of the biggest attack points for small and medium businesses.
By Bobby Hellard
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
By Ross Kelly
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott
-
Bugcrowd’s new MSP program looks to transform pen testing for small businesses
News Cybersecurity provider Bugcrowd has launched a new service aimed at helping MSP’s drive pen testing capabilities - with a particular focus on small businesses.
By Ross Kelly
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
By Nicole Kobie