A recent New York Times article, “A Strong Password Isn’t the Strongest Security,” offers a great assessment of the complacency of many IT security professionals. The assertion that password strength is not as important as protecting passwords against interception has some real validity.
However, user logins are just one aspect of the problem. It’s also important to consider that systems administrators may be walking out the door knowing passwords for the most sensitive privileged accounts in an organization. Even worse, many supposedly security-conscious organizations put their critical privileged passwords on spreadsheets and share them indiscriminately over the company network for the sake of convenience.
In some cases, the same privileged account password is deployed on all systems in an enterprise and everyone in IT knows this common “back door password.” When an IT problem occurs and management needs to learn who made the undesired change, it becomes clear that the convenience of a well-known, shared password leads to the most basic failure of security controls: loss of individual accountability, and with it any enforceable segregation of duties. Or, in plain English, it’s impossible to say with certainty who did what and when, because the logs only ever show the shared account, not the person behind it.
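The attribution failure above can be made concrete by running a small check over authentication logs. The following is an added example, not code from the article or its author: it uses a constructed key=value log format (hypothetical, not any vendor's schema) and constructed sample events for a shared local “Administrator” account and a named admin account. It flags accounts that are logged on from several sources within a short window (a shared-credential indicator) and then tries to attribute each configuration change to the session that made it; where the account is shared, more than one candidate remains and the change cannot be pinned on an individual.

```python
"""Spot shared privileged accounts in auth logs and show why changes made
through them cannot be attributed to one person.

Added example. The key=value line format and the events below are
constructed for illustration, not a real product's log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real data). The shared "Administrator"
# account is used from three workstations; "jsmith-adm" is a named account.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z host=db01 event=logon account=Administrator src=10.0.5.21
2024-03-04T09:03:40Z host=db01 event=logon account=Administrator src=10.0.5.87
2024-03-04T09:04:05Z host=db01 event=config_change account=Administrator object=sshd_config
2024-03-04T09:06:51Z host=db01 event=logon account=Administrator src=10.0.5.33
2024-03-04T09:10:00Z host=db01 event=logon account=jsmith-adm src=10.0.5.21
2024-03-04T09:11:30Z host=db01 event=config_change account=jsmith-adm object=sudoers
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict with a UTC 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def shared_accounts(events, window=timedelta(minutes=15), min_sources=2):
    """Accounts that logged on from >= min_sources distinct sources inside
    any `window`-long span. Returns {account: sorted list of sources}.
    A single person rarely logs on from several machines within minutes,
    so this is a cheap indicator that the credential is being shared."""
    logons = defaultdict(list)
    for e in events:
        if e["event"] == "logon":
            logons[e["account"]].append((e["ts"], e["src"]))
    flagged = {}
    for account, entries in logons.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            srcs = {s for t, s in entries[i:] if t - t0 <= window}
            if len(srcs) >= min_sources:
                flagged[account] = sorted(srcs)
                break
    return flagged


def candidate_sources(events, change, window=timedelta(minutes=15)):
    """Sources that logged on as the changing account within `window` before
    the change. With a shared account, several candidates remain and the
    change cannot be attributed to an individual."""
    return sorted({
        e["src"] for e in events
        if e["event"] == "logon"
        and e["account"] == change["account"]
        and change["ts"] - window <= e["ts"] <= change["ts"]
    })


def attribution_report(events):
    """For every config_change: (account, object, candidates, attributable)."""
    report = []
    for e in events:
        if e["event"] == "config_change":
            cands = candidate_sources(events, e)
            report.append((e["account"], e["object"], cands, len(cands) == 1))
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("shared accounts:", shared_accounts(evs))
    for account, obj, cands, attributable in attribution_report(evs):
        status = "attributable" if attributable else "AMBIGUOUS"
        print(f"{obj} changed by {account}: candidates={cands} -> {status}")
```

On the sample data the shared “Administrator” account is flagged, and the sshd_config change made through it has two candidate sources, so nobody can say which administrator made it; the sudoers change made through the named account resolves to a single session. A real deployment would key on session IDs and logoff events rather than a fixed window, but the conclusion is the same: without one account per person, the logs cannot answer “who did what and when.”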
In general, there are already guidelines for the strong management of passwords (length, complexity, change frequency, etc.), but I have seen these standards neglected by IT groups managing their own internal resources. In other words, when it comes to the security of IT and its most sensitive resources (privileged identities), the shoemaker’s children go barefoot.
As a matter of full disclosure, my company sells privileged identity management solutions that eliminate the common “back door password” problem, but you would be surprised by how many IT organizations reject such fundamental security in favor of “convenience”.