First in our series of 3 blogs covering privileged password management fundamentals, definitions, challenges, threats, best practices, benefits, and solutions.
Privileged password management, sometimes called enterprise password management, refers to the practice and techniques of securely controlling credentials for privileged accounts, services, systems, applications, and more. The ultimate goal of privileged password management is to reduce risk by identifying, securely storing, and centrally managing every credential that provides elevated access. Privileged password management works hand-in-hand with implementing least privilege, and should be a foundational element of any organization’s privileged access management (PAM) initiatives.
Whereas in decades past an entire enterprise might be sufficiently managed through just a handful of credentials, today’s environmental complexity means privileged credentials are needed for a multitude of different privileged account types (from Domain admin and sysadmin to workstations with admin rights), operating systems (Windows, Unix, Linux, etc.), directory services, databases, applications, cloud instances, networking hardware, internet of things (IoT), social media and more.
Most organizations rely on some variation of a privileged password management “solution.” It could simply (but hopefully not) be an Excel spreadsheet for simple password tracking, or it could be an advanced enterprise password management solution that automates privilege account and credential discovery, onboarding, access control, centralized protection and storage, rotation, alerting, reporting, and oversight of all the enterprise’s credentials that provide elevated privileged access rights.
While beyond the scope of this blog, it is worth mentioning that organizations can also benefit from personal password tools that manage employee login information for standard users. These personal password managers generate random passwords secured by a single master password the user needs to remember, and can auto-login the user to the resources they use.
In this series of three blogs we’ll cover privileged password management fundamentals, including some important definitions, challenges, threats, best practices, benefits, and solutions.
What is a Privileged Password?
A basic definition for a password is a word or phrase intended to differentiate an authorized user or process (for the purpose of permitting access) from an unauthorized user. Privileged passwords are a subset of credentials that provide elevated access and permissions across accounts, applications, and systems. Privileged account passwords—such as Root in Linux and Unix, and Administrator in Windows—are often referred to as “the keys to the IT kingdom,” as they can provide the authenticated user with almost limitless privileged access rights across an organization’s most critical systems and data. With so much power inherent of these privileges, they are ripe for abuse by insiders, and are highly coveted by hackers. In fact, the 2016 Verizon Data Breach Investigations study implicated weak, default, or stolen passwords in 63% of confirmed data breaches, while Forrester estimates that 80% of security breaches involve privileged credentials.
What Makes for a Strong Password?
Before diving deeper into privilege management-specifics, here are some password management best practices universal to most types of passwords:
- Password length of at least 12 characters.
- Passwords should be unique, complex, and nonsensical, comprised of a mix of non-repeating letters (upper and lower case), numbers, and symbols that do not contain dictionary words in any language, or have any other guessable context (employee ID, dates, etc.), or sequences from a keyboard like ‘qwerty’ or ‘zxcvb’.
- Frequently change passwords—a process referred to as password rotation. The frequency of rotation should vary based on the password age, usage, and security importance. For instance, a password for a standard user account may only require rotation at 60-day intervals, a process that can be forced through password expiration. On the other hand, you should consider rotating superuser account (e.g., root, domain admin, etc.) and other highly privileged passwords, at more frequent intervals, including after each use—known as one-time-passwords, or (OTPs)—for your most sensitive accounts.
- Prohibit password re-use. Employees should be forbidden from using the same passwords across their personal and work accounts.
- If you ever need to share your password, change it when the other person is done with using it.
Challenges and Pitfalls of Human-Managed Passwords
While the password best practices cited above seem simple enough, what makes it difficult to translate these principles into practice?
Today, the number of passwords any employee may need to remember for access to various accounts, systems, and applications can range from dozens, to over one hundred. When it comes to an organization’s privileged credentials, the number of passwords to manage can easily range in the tens of thousands, or even exceed a million.
The onus of having to manually remember so many (constantly changing) passwords invariably trips up employees in ways that increase risk to credentials and cause downtime. Employees are prone to forget passwords from time-to-time, potentially locking them out of systems. To compensate, they may apply the same passwords for multiple accounts, select easy-to-guess passwords, or resort to recording passwords on paper or within electronic documents, such as MS Word or spreadsheets. Consequently, part of the danger here is that hackers can correlate, along with email addresses and user names, the password from one compromised account to other services that may be using the same password. So, for instance, using the same privileged credential on a server, application, switch, and social media account means that one compromised account also jeopardizes the other accounts.
While password management automation is gaining ground, most organizations still rely, to some degree, on manual/human password management practices. Consequently, in practice, passwords are inadequately rotated and audited—leaving organizations susceptible to privileged credential exploits.
Next week, in part 2 of this blog series, we will cover specific types of privileged password challenges as well as attacks that can exploit inadequately managed privileged credentials.