If you are a regular reader of security blogs and follow cybersecurity best practices, you are aware that all your passwords should be unique and complex. In other words, no two accounts should ever share the same password, nor should a password that has expired on one application be recycled and reused on another. However, for many individuals and organizations, remembering and documenting all of their passwords is the foremost challenge on the path to password security best practices.
One report claims the average employee has 191 passwords (this does not even take into consideration privileged credentials!), with the average 250-person company having over 47,000 passwords used across the organization. Thus, it’s easy to see how the scale of this password management challenge can present a logistical nightmare even for relatively small businesses. Yet, modern security absolutely hinges on protecting the identity—and that means securing the credentials.
In the spirit of World Password Day, let's review some common malpractices, and then explore how to rectify them to put your organization on a path to better password security.
How are organizations doing password management wrong?
1. The most widespread password security lapse is simply the absence of systemized password management altogether—in other words, doing nothing. This is the “bury your head in the sand” approach of completely ignoring the problem. There are no tools, workflows, policies, procedures, or required steps for documenting passwords, nor for changing them on a regular basis. While management may “instruct” individuals on best practices, there is no way to ensure that all passwords are unique and complex, nor is there any way to prevent passwords from being shared. Organizations in this category make themselves easy pickings for threat actors, and should be unsurprised at incurring breach after breach. Thus, their strategy is simply no strategy.
2. The second method hardly ranks as an improvement upon the first, but is grossly underestimated as an attack vector by organizations. Organizations in this category recognize the threat posed by unmanaged passwords, and so empower employees to use personal password managers as a solution to manage the risk. Whether the business standardizes on one vendor or allows individuals to choose their own solution, the risk remains the same. While this strategy recognizes the risk, it leaves it to individual teams or users to mitigate it.
3. The third password management approach that organizations get wrong is “doing the right thing”, but failing to provide complete coverage for the organization. Yes, these businesses have embraced an enterprise password management solution, however, they have chosen to implement it for only select, sensitive assets. While this does provide protection for critical resources against direct credential-based threats, those resources are still vulnerable to lateral attacks.
Personal password managers lack the required capabilities to certify, audit, and report on access requests, and to provide the session monitoring necessary for highly sensitive accounts. Essentially, they are a glorified database for storing passwords, with the ability to automatically inject credentials into applications and to recommend randomized passwords when they are set or changed. Personal password managers may operate very well for the individual, but lack the capabilities required by an enterprise security policy. Another downside is that if an employee leaves the organization or is out on leave, their passwords are locked up with them. As a consequence, another individual with an appropriate “need to know” may be shut out of something they are tasked to do. Finally, the security of a personal password manager may fall well short of the security and regulatory requirements of the enterprise. This includes everything from SOC compliance to required authentication, such as 2FA.
Threat actors typically target misconfigurations in the cloud or end users via phishing emails to infiltrate an environment, and then, via lateral movement, eventually gain access to the target resources. Then, and only then, does an enterprise password manager protect the organization. If the end user interacts with those resources, and their system is infected with malware, then the threat is not mitigated by the password manager. All assets that interact with sensitive information directly—from users to service accounts and automation scripts—should be under management; otherwise the risk surface is not truly managed. Ergo, the strategy is sound, but the coverage, implementation, or required licensing is not sufficient to provide proper protection.
How do organizations get enterprise password management right?
First, think about the flaws highlighted in what organizations are doing wrong. Lack of process, inadequate features, inadequate handling of emergency and break-glass situations, and the scope of solution coverage are all contributing factors. These will help us formulate a proper password management solution strategy.
1. Any password management solution deployed within an enterprise must absolutely start with enterprise-grade features (session management/monitoring, remote access capabilities, etc.).
2. Next, the technology needs to honor appropriate role-based access. That is, multiple people should have access to credentials and passwords when properly delegated amongst multiple individuals or groups.
3. The solution should have the appropriate reporting and attestation tools to demonstrate when passwords were retrieved and by whom. These features are absolute requirements for any enterprise-grade password manager, but do not take into consideration key business requirements, like password rotation and third-party integrations, that will make any solution truly useful.
4. Finally, true risk mitigation can only be achieved if the scope of the deployment is appropriate. Password managers not only need to manage direct access to resources, but also all accounts that may have indirect access to sensitive data and critical infrastructure. A compromise of any one of these accounts or resources could create an attack vector that circumvents a password manager deployed with too limited a scope. Coverage is important. Having an enterprise-class solution deployed with the proper coverage is the only method to secure the vast number of passwords a typical organization may have to manage.
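To make requirements 2 through 4 concrete, here is a small added illustration (not BeyondTrust code, and not any product's API): a toy vault that enforces role-based delegation on credential checkout, records an attestation trail of who retrieved which credential and when, and reports accounts that sit outside management but can still reach a sensitive resource. The account inventory, roles, and resource names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Account:
    name: str
    delegated_to: frozenset            # roles allowed to check this credential out
    managed: bool = True               # vaulted and rotated by the enterprise tool?
    reaches: frozenset = frozenset()   # resources the account can touch, directly or indirectly

class Vault:
    def __init__(self, inventory):
        self.accounts = {a.name: a for a in inventory}
        self.audit = []                # attestation trail: user, account, outcome, timestamp

    def retrieve(self, user, roles, account, when=None):
        """Role-based checkout; every attempt, granted or denied, is recorded."""
        acct = self.accounts[account]
        # An unmanaged account has nothing vaulted to hand out, so it is always denied.
        granted = acct.managed and bool(set(roles) & acct.delegated_to)
        self.audit.append({"user": user, "account": account, "granted": granted,
                           "at": (when or datetime.now(timezone.utc)).isoformat()})
        if not granted:
            raise PermissionError(f"{user} is not delegated access to {account}")
        return f"<secret for {account}>"   # placeholder, no real credential material

    def who_retrieved(self, account):
        """Attestation view: successful checkouts of one credential, with timestamps."""
        return [(e["user"], e["at"]) for e in self.audit
                if e["account"] == account and e["granted"]]

    def coverage_gaps(self, sensitive):
        """Accounts outside management that can still reach a sensitive resource."""
        return sorted(a.name for a in self.accounts.values()
                      if not a.managed and a.reaches & set(sensitive))

# Constructed sample inventory: one vaulted admin, one unmanaged backup service
# account with indirect reach into the same database, one unrelated CI account.
INVENTORY = [
    Account("db-admin", frozenset({"dba"}), reaches=frozenset({"customer-db"})),
    Account("backup-svc", frozenset({"ops"}), managed=False, reaches=frozenset({"customer-db"})),
    Account("build-bot", frozenset({"ci"}), managed=False, reaches=frozenset({"artifact-repo"})),
]
SENSITIVE = {"customer-db"}

def demo():
    v = Vault(INVENTORY)
    v.retrieve("alice", {"dba"}, "db-admin", datetime(2024, 5, 2, tzinfo=timezone.utc))
    try:
        v.retrieve("bob", {"ops"}, "db-admin")   # denied: ops is not delegated db-admin
    except PermissionError:
        pass
    return v
```

Running `demo()` leaves an audit trail with one granted and one denied checkout, and `coverage_gaps(SENSITIVE)` flags `backup-svc` as the kind of indirect-access account a scoped-too-narrowly deployment would miss.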
And do not forget one of the most important aspects of privileged access management: it is not enough just to manage passwords; it is equally important to remove unnecessary administrative rights wherever, and whenever, possible. Threat actors target passwords with administrative access because they are your “keys to the kingdom,” and if your password manager is “full” of privileged accounts, you most likely have too many administrators and administrative accounts in daily operations. Least privilege, or the removal of excessive administrators and administrative rights, is the correct strategy to resolve this problem. That is a discussion for another blog.
To learn more about privileged password management, check out this paper: Privileged Password Management Explained. Or, for a holistic approach to securing and managing your entire universe of privileges, check out: Universal Privilege Management: The Journey to Securing Every Privilege, Every Time.
Morey J. Haber, Chief Security Advisor
Morey J. Haber is the Chief Security Advisor at BeyondTrust. As the Chief Security Advisor, Morey is the lead identity and technical evangelist at BeyondTrust. He has more than 25 years of IT industry experience and has authored four books: Privileged Attack Vectors, Asset Attack Vectors, Identity Attack Vectors, and Cloud Attack Vectors. Morey has previously served as BeyondTrust’s Chief Security Officer, Chief Technology Officer, and Vice President of Product Management during his nearly 12-year tenure. In 2020, Morey was elected to the Identity Defined Security Alliance (IDSA) Executive Advisory Board, assisting the corporate community with identity security best practices. He originally joined BeyondTrust in 2012 as part of the acquisition of eEye Digital Security, where he had served as a Product Owner and Solutions Engineer since 2004. Prior to eEye, he was Beta Development Manager for Computer Associates, Inc. He began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. Morey earned a Bachelor of Science degree in Electrical Engineering from the State University of New York at Stony Brook.