You use long passphrases with letters and numbers. You’re careful to make sure your passwords are always unique. But there may be one threat to your digital security that you haven’t fully considered: love.
This story originally appeared on WIRED UK.
While everyone should know that sharing login credentials is a big security no-no, in the context of a romantic relationship, the reality is that it’s far from unusual. “Basically everybody shares accounts,” says Jason Hong, a professor at Carnegie Mellon University’s Human-Computer Interaction Institute. “If you’re not sharing accounts, then you are the oddball.”
Hong is part of a research group focused on social cybersecurity, which takes real-world human behaviour as a starting point for security practices. “If you look at cybersecurity today, they sort of assume that people are individual actors, and sort of rational,” he says. “A lot of research has shown that that’s not really the case.”
In a 2018 paper, Hong and colleagues found that, out of 195 participants, 86 per cent were sharing at least one account with their partner, and up to 39 accounts in extreme circumstances; the median number of accounts shared was four. Many also made new accounts specifically to use together. In a 2020 study, Hong’s team asked couples to keep a diary of how they shared accounts; one observation they made was that people used shared accounts more during Covid-19 quarantine, especially entertainment accounts.
Often, the reason for sharing accounts is simply a matter of convenience, especially for cohabiting couples. Sharing one Netflix or Spotify account, for instance, saves money, and using one Amazon account may help couples stay on top of household purchases and shared spending. If couples share an admin task, they may share the login information to deal with it, just for convenience.
There’s also an emotional aspect, however. In a relationship, account sharing can be seen as a sign of intimacy. Somewhere between leaving a toothbrush in a romantic partner’s bathroom and trusting them with a spare key, perhaps you give them access to more of your digital world. “It’s also sort of a sign of trust that you’re sharing something secret with them,” Hong says. In the 2018 study, the main factor that affected how many accounts people shared was the stage of the relationship. Entertainment accounts were most commonly shared, with Netflix, Amazon, and Hulu were at the top of the list, but plenty shared potentially more private information; 13 people reported sharing their Facebook details.
Hong points out that even if accounts are not shared explicitly—if you don’t make a point of giving a partner your login info—they may be shared implicitly. For example, if your partner is able to unlock your phone or computer, they may have implicit access to other accounts, such as email or social media, even if you trust them not to peek. “There’s a whole bunch of accounts that I have, for example, that if my wife really needed to, she could get access to,” Hong says. A 2016 paper by Google researchers found that sharing apparently “personal” devices was very common, with two main influencing factors again being convenience and trust.
But this trust can of course leave you vulnerable. “Ultimately, you’re dependent upon their cybersecurity hygiene practices,” says Raj Samani, chief scientist at McAfee (who says his wife doesn’t have access to any of his accounts). Your own security might be excellent, but if you’ve shared your credentials, you’re at the mercy of the weakest link. And if your own security is not so great, the risk is particularly grave: If you reuse passwords, for example, then one getting compromised can result in attacks on other accounts associated with the same email or username.
The problem is that, despite the prevalence of sharing accounts, most tech services are designed with the assumption that an account will only be used by the person who set it up. “There’s sort of this mindset of one account equals one person,” Hong says. An exception to this is accounts offered by services such as Netflix which allow more than one person access under a different subprofile, so multiple people can use the same account but keep their activity separate. (An added advantage to this is that your recommendations don’t get messed up by your partner’s terrible taste.)