How old is the oldest password in your organization? Do you even know?
In my nearly two decades of professional cybersecurity experience, the longest-lived password I’ve personally witnessed was 17 and a half years old. In other words, at the time I saw it, that password dated back to the last century. I found it at a customer site during a discovery process. Until that moment, the customer had no idea this password existed.
It would be bad enough if this had been a typical user account password. But this was an administrative password that granted elevated privileges into a critical system on the customer’s network.
Securing Admin Passwords
Today is Password Day. That seems like a good time to reflect on the security of a certain type of password that many people never think about – administrative
In the IT world, most systems administrators must deal with managing administrative passwords for privileged accounts. The built-in Windows administrator account is one example of a privileged account.
It’s a security best practice to continuously change these passwords. In some organizations the admin passwords are changed to comply with regulatory mandates like PCI-DSS, HIPAA or GDPR. Sometimes the motivation to change admin passwords occurs when an employee who knows the credentials leaves the company. Regardless, these passwords must be frequently changed for the security of the company and the data the company is required to protect.
Understanding the Privileged Password Security Problem
all companies and government agencies proactively secure their administrative passwords. In many of the organizations I’ve seen, the IT group cuts corners by using the same administrator account name and the same basic password on each system. And, in most of these cases, this password has not been changed since the systems were originally deployed.
Additionally, employees are writing down passwords, a risky behavior that’s on the rise. In Bomgar’s 2018 Privileged Access Threat Report, 65% of organizations said they “sometimes” write down passwords, a 10% increase over the previous year. Telling colleagues passwords was a problem for 46% of organizations in 2017, rising to 54% in 2018. This rise may be genuine and the sign of a growing issue, or it may be that organizations are more keenly aware of these risky behaviors due to the increased focus on data protection and preventing breaches. Either way, the numbers indicate an issue that needs to be addressed.
You may wonder how serious this issue really is. Judge for yourself by answering these questions:
How many people know your admin passwords?
Do all those people still work for your organization?
If some of the people who know your admin passwords no longer work for the company, did they leave amicably?
Do all your systems share the same admin password?
Are your admin passwords complex and frequently changing?
Starting at the top of this list, it's fair to say that the more people who know a secret, the more likely it is that the secret will get out. That’s the problem with setting the same admin password for every system and then sharing this password with the entire IT group. When organizations do this, they eventually start finding machines with various unapproved settings. They also discover regular end-users who know the shared admin password.
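As an added example (not part of the original post), here is a small Python audit that answers the five questions above against a constructed inventory of privileged accounts: who knows each password, whether those people still work here, which systems share one password, and how old it is. The record layout, the 90-day rotation policy, the people and the sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

# One privileged account on one system. credential_id is an opaque label for
# the secret itself (e.g. a vault entry name): records sharing it share a password.
@dataclass(frozen=True)
class PrivilegedAccount:
    system: str
    account: str
    credential_id: str
    last_changed: date
    known_by: frozenset  # everyone who was ever given this password

MAX_AGE_DAYS = 90  # assumed rotation policy

def password_age_days(acct, today):
    return (today - acct.last_changed).days

def oldest_password(inventory, today):
    """Which privileged password is the oldest? -> (system, account, age_days)"""
    acct = max(inventory, key=lambda a: password_age_days(a, today))
    return acct.system, acct.account, password_age_days(acct, today)

def audit(inventory, staff, today, max_age_days=MAX_AGE_DAYS):
    """Return (finding, credential_id, detail) tuples; staff maps name -> still employed?"""
    by_cred = {}
    for a in inventory:
        by_cred.setdefault(a.credential_id, []).append(a)
    findings = []
    for cred, accts in by_cred.items():
        systems = sorted(a.system for a in accts)
        if len(systems) > 1:  # do all your systems share the same admin password?
            findings.append(("shared", cred, systems))
        knowers = frozenset().union(*(a.known_by for a in accts))
        departed = sorted(p for p in knowers if not staff.get(p, False))
        if departed:  # does everyone who knows it still work here?
            findings.append(("known-by-departed", cred, departed))
        age = max(password_age_days(a, today) for a in accts)
        if age > max_age_days:  # is it changed frequently?
            findings.append(("stale", cred, age))
    return findings

# Constructed sample data: two file servers share one Administrator password set in 2000; the DC's was rotated recently.
INVENTORY = [
    PrivilegedAccount("fileserver01", "Administrator", "cred-A", date(2000, 11, 15), frozenset({"alice", "carol"})),
    PrivilegedAccount("fileserver02", "Administrator", "cred-A", date(2000, 11, 15), frozenset({"alice", "carol"})),
    PrivilegedAccount("dc01", "Administrator", "cred-B", date(2018, 4, 1), frozenset({"bob"})),
]
STAFF = {"alice": True, "bob": True, "carol": False}  # carol has left the company
TODAY = date(2018, 5, 3)  # constructed reference date
```

Running `audit(INVENTORY, STAFF, TODAY)` flags cred-A three times (shared across both file servers, known by a departed employee, and roughly 17.5 years old) and cred-B not at all.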
When Password Secrets Walk Out the Door
If all those people who know the passwords still work for your company and are happy and dutiful employees, this access risk is slightly mitigated. But you never know when you might have a malicious user to contend with. If any of those employees or contractors left the company on bad terms, you may have a loose, hostile element out there who knows how to break into your network using an otherwise untraceable account. Here is one recent example that tells the story of a former IT employee who logged in to her
to wreak havoc.
It’s not uncommon. I've known people who continued to log in to systems at a previous employer just because they could. It's mildly amusing that they are pointing out the poor practice of not changing administrative passwords, but it is also frightening to consider the damage they could do if they have malicious intent.
Why Password Age Matters
Password age is relevant because time is really what you are up against when dealing with stolen credentials. The 17-and-a-half-year-old password I mentioned at the start of this article is a particularly egregious example.
A password that isn’t changed frequently gives a bad guy all the time he needs to steal it. And once he has the password, he gains persistent access into all the systems sharing that password, until it’s finally updated. If it ever is.
What this really means is that given the will to steal an administrator password and break into systems throughout a network, all someone really needs is time. But by continuously changing privileged account passwords, you’re denying your adversaries the tools they need to succeed.