System access credentials must be unique for each actor.
CIS Controls. 4.4 Use Unique Passwords. Where multi-factor authentication is not supported (such as local administrator, root, or service accounts), accounts will use passwords that are unique to that system.
HIPAA Security Rules 164.312(a)(2)(i): Unique User Identification: Assign a unique name and/or number for identifying and tracking user identity.
OWASP Top 10 A2:2017-Broken Authentication. Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
PCI DSS v3.2.1 - Requirement 6.5.10 Address common coding vulnerabilities in software-development processes such as broken authentication and session management.
PCI DSS v3.2.1 - Requirement 8.1.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
PCI DSS v3.2.1 - Requirement 8.5 Do not use group, shared, or generic IDs, passwords, or other authentication methods.