You use long passphrases with letters and numbers. You’re careful to make sure your passwords are always unique. But there may be one threat to your digital security that you haven’t fully considered: love.
While everyone should know that sharing login credentials is a big security no-no, in the context of a romantic relationship, the reality is that it’s far from unusual. “Basically everybody shares accounts,” says Jason Hong, a professor at Carnegie Mellon University’s Human-Computer Interaction Institute. “If you're not sharing accounts, then you are the oddball.”
Hong is part of a research group focused on social cybersecurity, which takes real-world human behaviour as a starting point for security practices. “If you look at cybersecurity today, they sort of assume that people are individual actors, and sort of rational,” he says. “A lot of research has shown that that's not really the case.”
In a 2018 paper, Hong and colleagues found that, out of 195 participants, 86 per cent were sharing at least one account with their partner, and up to 39 accounts in extreme circumstances; the median number of accounts shared was four. Many also made new accounts specifically to use together. In a 2020 study, Hong’s team asked couples to keep a diary of how they shared accounts; one observation they made was that people used shared accounts more during Covid-19 quarantine, especially entertainment accounts.
Often, the reason for sharing accounts is simply a matter of convenience, especially for cohabiting couples. Sharing one Netflix or Spotify account, for instance, saves money, and using one Amazon account may help couples stay on top of household purchases and shared spending. If couples share an admin task, they may share the login information to deal with it, just for convenience.
There’s also an emotional aspect, however. In a relationship, account sharing can be seen as a sign of intimacy. Somewhere between leaving a toothbrush in a romantic partner’s bathroom and trusting them with a spare key, perhaps you give them access to more of your digital world. “It's also sort of a sign of trust that you're sharing something secret with them,” Hong says. In the 2018 study, the main factor that affected how many accounts people shared was the stage of the relationship. Entertainment accounts were most commonly shared, with Netflix, Amazon, and Hulu were at the top of the list, but plenty shared potentially more private information; 13 people reported sharing their Facebook details.
Hong points out that even if accounts are not shared explicitly—if you don’t make a point of giving a partner your login info—they may be shared implicitly. For example, if your partner is able to unlock your phone or computer, they may have implicit access to other accounts, such as email or social media, even if you trust them not to peek. “There’s a whole bunch of accounts that I have, for example, that if my wife really needed to, she could get access to,” Hong says. A 2016 paper by Google researchers found that sharing apparently "personal" devices was very common, with two main influencing factors again being convenience and trust.
But this trust can of course leave you vulnerable. “Ultimately, you're dependent upon their cybersecurity hygiene practices,” says Raj Samani, chief scientist at McAfee (who says his wife doesn’t have access to any of his accounts). Your own security might be excellent, but if you’ve shared your credentials, you’re at the mercy of the weakest link. And if your own security is not so great, the risk is particularly grave: If you reuse passwords, for example, then one getting compromised can result in attacks on other accounts associated with the same email or username.
The problem is that, despite the prevalence of sharing accounts, most tech services are designed with the assumption that an account will only be used by the person who set it up. “There’s sort of this mindset of one account equals one person,” Hong says. An exception to this is accounts offered by services such as Netflix which allow more than one person access under a different subprofile, so multiple people can use the same account but keep their activity separate. (An added advantage to this is that your recommendations don’t get messed up by your partner’s terrible taste.)
One problem with the one-user-one-account assumption is the use of two-factor authentication—a widely recommended security practice. Using two-factor authentication usually means logging in with your username and password and then authenticating the login by another means, often by typing in a code sent by text message. But this doesn’t work if two people are using the account; if the two-factor code is only sent to one phone, it may make it inaccessible to the person trying to access it at that moment (and could panic the recipient of the text message, who may worry they’ve been hacked if they don’t know it’s only their partner trying to log in). This makes two-factor unusable for couples who use accounts in this way. “They're deliberately not using best security practice because of the convenience factors,” Hong says.
Perhaps the biggest risk with account sharing, of course, is that you’re relying on the relationship to remain healthy and stable. While some couples may willingly share accounts in a way that brings them closer together, account sharing in an unhealthy relationship can be part of a pattern of abuse—for example, if someone pushes their partner into sharing accounts they don’t want to, invading their privacy or enabling them to monitor or control their online activity. Kate Barnes, a support worker at Women’s Aid, emphasizes that there should never be an expectation to share passwords in a healthy relationship; forcing or pressuring someone to share a password can be part of coercive control.
And even a healthy relationship can go south. Someone you previously trusted can turn into a bad actor, posing a new kind of inside threat if they still have access to your accounts. David Emm, principal security researcher at Kaspersky, compares it to getting a house key back from an ex. “As you separate physically from somebody, then you need to also think about what the digital separation looks like as well,” he says. But given the number of accounts most people have these days (a median of 80, according to one 2018 study), this can be quite tricky.
This is where it’s really helpful if you’ve been using a password manager, which is highly recommended as a security practice. In this instance, you’ll effectively have a list of all of your accounts and be able to easily update the passwords, without having to individually remember every account you’ve signed up for. Once again, however, the breakup situation is particularly bad if you reuse passwords, as even if you’ve only given someone access to an account you consider inconsequential, they could try these credentials on something more important and get access.
If you’re considering sharing accounts at all, Emm says—though he recommends you don’t—it’s important to think of the potential consequences: “There is a hierarchy, for sure.” Anything that has your bank details attached is obviously a risk, especially if your card details have been stored. The one you must never share is your email. This is because your email is often used to access all sorts of other accounts, and can also be used for password recovery, meaning it can have a knock-on effect on many other aspects of your digital life. Changing your email address is not something you want to have to do.
One way to help design for couples, including the potential breakup scenario, says Hong, is through occasional login notifications. A program or service could let you know if someone logs in from a new device or location, for example, or give monthly summaries of account access so that you can see if anyone has been doing something they shouldn’t—and perhaps be reminded if you need to change a password. “You don't want to notify people of every single thing, but in breakups it actually is important to know things like, well, your former partner still has access to your Dropbox account or to your Google file drive,” he says.
This could also potentially help with another risk, especially in the context of an abusive or coercive relationship: stalkerware. Hong suggests that Android and iOS could remind people regularly that they have a tracking app on their phone; if they were unaware it was there in the first place, they would be alerted to its presence. “Based on the name of the app, you could actually let people know maybe like once a week, ‘Hey, you’ve got this thing running on your phone,’” he says.
Meanwhile, it’s not just couples’ behavior which is throwing a spanner in the works when it comes to account security. Another group of people who are bad at password sharing: colleagues. This has gotten worse, Samani says, as more work has moved online during the pandemic. Not only are people within businesses often sharing accounts, but the passwords they are using are often very weak—if there’s one at all. “I've seen examples where companies are having literally the front door to their network as like ‘welcome’ or ‘12345,’” he says.
This story originally appeared on WIRED UK.