How old is the oldest password in your organization? Do you even know?
In my nearly two decades of professional cybersecurity experience, the longest-lived password I’ve personally witnessed was 17 and a half years old. In other words, at the time I saw it, that password dated back to the last century. I found it at a customer site during a discovery process. Until that moment, the customer had no idea this password existed.
It would be bad enough if this had been a typical user account password. But this was an administrative password that granted elevated privileges into a critical system on the customer’s network.
Securing Admin Passwords
Today is Password Day. That seems like a good time to reflect on the security of a certain type of password that many people never think about – administrative passwords.
In the IT world, most systems administrators must deal with managing administrative passwords for privileged accounts. The built-in Windows administrator account is one example of a privileged account.
It’s a security best practice to continuously change these passwords. In some organizations the admin passwords are changed to comply with regulatory mandates like PCI-DSS, HIPAA or GDPR. Sometimes the motivation to change admin passwords occurs when an employee who knows the credentials leaves the company. Regardless, these passwords must be frequently changed for the security of the company and the data the company is required to protect.
Understanding the Privileged Password Security Problem
Unfortunately, not all companies and government agencies proactively secure their administrative passwords. In many of the organizations I’ve seen, the IT group cuts corners by using the same administrator account name and the same basic password on each system. And, in most of these cases, this password has not been changed since the systems were originally deployed.
Additionally, employees are writing down passwords, a risky behavior that’s on the rise. In Bomgar’s 2018 Privileged Access Threat Report, 65% of organizations said “sometimes” to writing down passwords, a 10% increase over the previous year. And telling colleagues passwords was a problem for 46% of organizations in 2017, rising to 54% in 2018. This rise may be genuine and the sign of a growing issue, or it may be that organizations are more keenly aware of these risky behaviors due to the increased focus on data protection and preventing breaches. Either way, the numbers indicate an issue that needs to be addressed.
You may wonder how serious this issue really is. Judge for yourself by answering these questions:
- How many people know your admin passwords?
- Do all those people still work for your organization?
- If some of the people who know your admin passwords no longer work for the company, did they leave amicably?
- Do all your systems share the same admin password?
- Are your admin passwords complex and frequently changing?
Starting at the top of this list, it's fair to say that the more people who know a secret, the more likely it is that the secret will get out. That’s the problem with setting the same admin password for every system and then sharing this password with the entire IT group. When organizations do this, they eventually start finding machines with various unapproved settings. They also discover regular end-users who know the shared admin password.
When Password Secrets Walk Out the Door
If all those people who know the passwords still work for your company and are happy and dutiful employees, this access risk is slightly mitigated. But you never know when you might have a malicious user to contend with. If any of those employees or contractors left the company on bad terms, you may have a loose, hostile element out there who knows how to break into your network using an otherwise untraceable account. Here is one recent example that tells the story of a former IT employee who logged in to her old company to wreak havoc.
It’s not uncommon. I've known people who continued to log in to systems at a previous employer just because they could. It's mildly amusing that they are pointing out the poor practice of not changing administrative passwords, but it is also frightening to consider the damage they could do if they have malicious intent.
Why Password Age Matters
Password age is relevant because time is really what you are up against when dealing with stolen credentials. The 17-and-a-half-year-old password I mentioned at the start of this article is a particularly egregious example.
A password that isn’t changed frequently gives a bad guy all the time he needs to steal it. And once he has the password, he gains persistent access into all the systems sharing that password, until it’s finally updated. If it ever is.
What this really means is that given the will to steal an administrator password and break into systems throughout a network, all someone really needs is time. But by continuously changing privileged account passwords, you’re denying your adversaries the tools they need to succeed.
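Answering the opening question ("how old is the oldest password in your organization?") for privileged accounts is something you can script. The following PowerShell is an added example, not from the original article: it walks the members of privileged Active Directory groups (nested groups included) and reports each account's password age, flagging stale or never-expiring passwords. It assumes the RSAT ActiveDirectory module and read access to the domain; the group names and the 90-day threshold are assumed defaults to adjust for your environment.

```powershell
# Added example (not the article's own code). Reports password age for members of
# privileged AD groups so the oldest admin passwords become visible.
function Get-PrivilegedPasswordAge {
    param(
        # Assumed defaults; 'Enterprise Admins' only exists in the forest root domain.
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]$MaxAgeDays = 90
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    $now  = Get-Date
    $seen = @{}   # de-duplicate accounts that sit in more than one privileged group

    foreach ($group in $PrivilegedGroups) {
        # -Recursive expands nested groups, where forgotten admin accounts tend to hide
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' }

        foreach ($m in $members) {
            if ($seen.ContainsKey($m.DistinguishedName)) { continue }
            $seen[$m.DistinguishedName] = $true

            $u = Get-ADUser -Identity $m.DistinguishedName `
                 -Properties PasswordLastSet, PasswordNeverExpires, Enabled, LastLogonDate

            # PasswordLastSet is null when the password was never set or must change at next logon
            $age = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }

            $flag = if ($null -eq $age)          { 'NEVER SET / MUST CHANGE' }
                    elseif ($age -gt $MaxAgeDays) { "STALE (> $MaxAgeDays days)" }
                    elseif ($u.PasswordNeverExpires) { 'NEVER EXPIRES' }
                    else                          { 'ok' }

            [pscustomobject]@{
                Group                = $group
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                PasswordLastSet      = $u.PasswordLastSet
                PasswordAgeDays      = $age
                PasswordNeverExpires = $u.PasswordNeverExpires
                LastLogonDate        = $u.LastLogonDate
                Flag                 = $flag
            }
        }
    }
}

# Oldest passwords first; disabled accounts still appear because they can be re-enabled.
Get-PrivilegedPasswordAge | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

The same check applies to the built-in local Administrator account on each system: Get-LocalUser exposes PasswordLastSet there, and running it across hosts is how you find the shared, never-rotated admin password the article describes.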