How old is the oldest password in your organization? Do you even know?
In my nearly two decades of professional cybersecurity experience, the longest-lived password I’ve personally witnessed was 17 and a half years old. In other words, at the time I saw it, that password dated back to the last century. I found it at a customer site during a discovery process. Until that moment, the customer had no idea this password existed.
It would be bad enough if this had been a typical user account password. But this was an administrative password that granted elevated privileges into a critical system on the customer’s network.
Securing Admin Passwords
Today is Password Day. That seems like a good time to reflect on the security of a certain type of password that many people never think about – administrative passwords.
In the IT world, most systems administrators must deal with managing administrative passwords for privileged accounts. The built-in Windows administrator account is one example of a privileged account.
It’s a security best practice to continuously change these passwords. In some organizations the admin passwords are changed to comply with regulatory mandates like PCI-DSS, HIPAA or GDPR. Sometimes the motivation to change admin passwords occurs when an employee who knows the credentials leaves the company. Regardless, these passwords must be frequently changed for the security of the company and the data the company is required to protect.