Today is Password Day. That seems like a good time to reflect on the security of a type of password often forgotten – administrative passwords.

Understanding the Privileged Password Security Problem

Unfortunately, not all companies and government agencies proactively secure their administrative passwords. In many of the organizations I’ve seen, the IT group cuts corners by using the same administrator account name and the same basic password on each system. And, in most of these cases, this password has not been changed since the systems were originally deployed.

Additionally, employees are writing down passwords, a risky behavior that’s on the rise. In Bomgar’s 2018 Privileged Access Threat Report, 65% of organizations said employees “sometimes” write down passwords, a 10% increase over the previous year. And telling colleagues passwords was a problem for 46% of organizations in 2017, rising to 54% in 2018. This rise may be genuine and the sign of a growing issue, or it may be that organizations are more keenly aware of these risky behaviors due to the increased focus on data protection and preventing breaches. Either way, the numbers indicate an issue that needs to be addressed.

65% of organizations in Bomgar's 2018 Privileged Access Threat Report admit to employees writing down passwords "some of the time" - up 10% over 2017.

You may wonder how serious this issue really is. Judge for yourself by answering these questions:

  • How many people know your admin passwords?
  • Do all those people still work for your organization?
  • If some of the people who know your admin passwords no longer work for the company, did they leave amicably?
  • Do all your systems share the same admin password?
  • Are your admin passwords complex and frequently changing?

Starting at the top of this list, it's fair to say that the more people who know a secret, the more likely it is that the secret will get out. That’s the problem with setting the same admin password for every system and then sharing this password with the entire IT group. When organizations do this, they eventually start finding machines with various unapproved settings. They also discover regular end-users who know the shared admin password.

When Password Secrets Walk Out the Door

If all those people who know the passwords still work for your company and are happy and dutiful employees, this access risk is slightly mitigated. But you never know when you might have a malicious user to contend with. If any of those employees or contractors left the company on bad terms, you may have a loose, hostile element out there who knows how to break into your network using an otherwise untraceable account. Here is one recent example that tells the story of a former IT employee who logged in to her old company to wreak havoc.

It’s not uncommon. I've known people who continued to log in to systems at a previous employer just because they could. It's mildly amusing that they are pointing out the poor practice of not changing administrative passwords, but it is also frightening to consider the damage they could do if they have malicious intent.

Why Password Age Matters

Password age is relevant because time is really what you are up against when dealing with stolen credentials. The 17-and-a-half-year-old password I mentioned at the start of this article is a particularly egregious example.

A password that isn’t changed frequently gives a bad guy all the time he needs to steal it. And once he has the password, he gains persistent access into all the systems sharing that password, until it’s finally updated. If it ever is.

What this really means is that given the will to steal an administrator password and break into systems throughout a network, all someone really needs is time. But by continuously changing privileged account passwords, you’re denying your adversaries the tools they need to succeed.
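As an added example that is not part of the original post, the audit below checks two of the questions from the list above over an inventory of local administrator accounts: whether several systems share one admin password (same reported password fingerprint) and how long each password has gone unchanged. The hostnames, fingerprints, dates and the 90-day rotation limit are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory, shaped like what an endpoint-management tool might
# report: host, admin account, an opaque fingerprint of the current password
# (reported by the host, never the password itself) and its last-change date.
INVENTORY = [
    {"host": "web01", "fingerprint": "f3a1c0de", "last_changed": date(2001, 11, 2)},
    {"host": "web02", "fingerprint": "f3a1c0de", "last_changed": date(2001, 11, 2)},
    {"host": "db01", "fingerprint": "f3a1c0de", "last_changed": date(2004, 6, 15)},
    {"host": "jump01", "fingerprint": "9b77e2aa", "last_changed": date(2019, 4, 20)},
    {"host": "build01", "fingerprint": "0c4d5e6f", "last_changed": date(2018, 10, 1)},
]
AUDIT_DATE = date(2019, 5, 2)  # constructed "today" for the audit
MAX_AGE_DAYS = 90              # constructed rotation policy


def shared_passwords(inventory):
    """Hosts grouped by password fingerprint; any group with more than one
    host means one leaked password opens every host in that group."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[rec["fingerprint"]].append(rec["host"])
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def stale_passwords(inventory, today, max_age_days):
    """(host, age_in_days) for every admin password older than policy allows,
    oldest first, so the longest-exposed credentials get rotated first."""
    stale = []
    for rec in inventory:
        age = (today - rec["last_changed"]).days
        if age > max_age_days:
            stale.append((rec["host"], age))
    return sorted(stale, key=lambda item: -item[1])


def audit_sample():
    """Run both checks over the constructed inventory."""
    return {
        "shared": shared_passwords(INVENTORY),
        "stale": stale_passwords(INVENTORY, AUDIT_DATE, MAX_AGE_DAYS),
    }


if __name__ == "__main__":
    report = audit_sample()
    for fp, hosts in report["shared"].items():
        print(f"shared admin password {fp} on {len(hosts)} hosts: {', '.join(hosts)}")
    for host, age in report["stale"]:
        print(f"{host}: admin password unchanged for {age} days (~{age / 365:.1f} years)")
```

In practice the fingerprint field would come from whatever your management tooling can report without exposing the secret itself; the value of the check is that it surfaces shared and decades-old admin passwords without anyone needing to know them.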


Chris Stoneff, VP Security Solutions, Development