Here's a dirty little secret about passwords in the enterprise: In many organizations, IT administrators sometimes follow insecure password management practices because it's often the easiest way to get the job done.
The root problem is one of complexity. Managing passwords for large numbers of privileged accounts – and ensuring that the people, applications, and services that depend on accessing those accounts are able to do so on a daily basis – is a complex undertaking. Understandably, many IT administrators are reluctant to take steps that might disrupt business operations, even if that means sacrificing a measure of security in the process.
Here's a look at some of the risky password practices that are most likely happening in your business right now.
# 1: Failure to Update Passwords
In some organizations, passwords for Windows/Linux/UNIX privileged accounts, service accounts, and application-specific accounts often remain unchanged for years, even though administrators know better – and despite the fact that regulatory compliance rules require much more frequent changes.
Changing passwords on a regular basis is a well-known security best practice. So why are some admins reluctant to change passwords? The reason has to do with business continuity.
"Changing passwords in many organizations causes outages," says Phil Lieberman, chief executive of security vendor Lieberman Software. "In these organizations, administrators don't know precisely what accounts exist and where they are. If you don't know what machines you have, you might miss some and cause a lockout when you carry out a password change as some machines will still try to use the old credentials. So changing passwords in these organizations is just not going to happen."
# 2: Passwords Stored in Spreadsheets
It's not uncommon for administrators to store privileged account passwords in an Excel spreadsheet that is saved to a shared network drive so that everyone who needs the passwords can easily access them. It's a practical solution, but it means that anyone who opens the spreadsheet has access to every password on it – including ones they don't need to know.
The end result of this practice is often that passwords become widely known among IT staff – and before you know it, passwords are shared outside the IT department, even with contractors and others outside the business. And of course when a password is used, there is no telling who used it, or why. There is, in other words, no accountability or audit trail.
# 3: Default Passwords on Virtual Machines
Security in a virtualized environment can sometimes lag security in the physical world. Here's an example: Many virtualization systems use the concept of a virtual machine library, which contains pre-configured virtual machine templates. Machines made from these templates can be checked out and "spun up" when required – but all will generally spin up with the same embedded credentials.
That's a pretty significant security risk, Lieberman says: "If you can compromise one virtual server, that makes them all vulnerable."
Password Management Tools to the Rescue
The good news is that there are many solutions available that enable simplified and secure password management in enterprise organizations. These password management systems typically include the following features:
- A centralized, encrypted database containing all privileged account passwords.
- A way to enable users to request and "check out" a password, after the system has ensured that they are entitled to access the password they are requesting.
- An audit trail of who accessed which password, the time that they assumed responsibility for it by checking it out, and what time it was "checked in " again.
- Automatic password change as soon as a password is checked back in, preventing the old one being re-used.
- A continuous discovery process that monitors existing accounts and finds new accounts and brings them in to the system as they are created.
- Automatic update of all systems that depend on a given password.
The standard workflow for these products is straightforward: An administrator (staff member or contractor) who needs to use a privileged account accesses the password management system and requests a password for that account. If the system approves the request (the approval process can be carried out automatically or require the explicit approval of a superior) then the system creates a secure random password, which is usually valid for a short period of time – perhaps two hours.
As soon as the administrator checks this password out they are responsible for its use, either until it expires automatically, or until they check it back in. Once checked back in, the password is changed, and other systems that require it are updated automatically.
While password management systems are easy to use, they are complex applications under the hood – and many are capable of handling millions of user accounts . For that reason, these applications tend to be targeted at larger enterprises, with a price tag to match. Lieberman Software, for example, charges approx. $25,000 for its solution. Support and maintenance costs are additional , and pricing is indexed to the number of servers, desktops, and devices under management.
Selected List of Password Management Tools
- AccessMatrix Universal Credential Manager (i-Sprint Innovations)
- Enterprise Password Vault (Cyber-Ark Software)
- Enterprise Random Password Manager (Lieberman Software)
- Password Manager Pro (ManageEngine)
- Privileged Access Manager (Hitachi ID)
- Privileged Account Access (Fischer International)
- Xsuite (Xceedium)
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.