Changing user passwords on a regular basis has long been a basic – and well known – tenet of IT security. But when it comes to password security, privileged passwords (admin, root and such) are often overlooked.
While we already knew this to be the case, we now have the data to back up our hypothesis. A majority (55%) of IT professionals make end users change their passwords more often than they change administrative credentials. This according to our survey of almost 200 IT professionals at RSA Conference 2016.
That figure is not surprising. Without an automated solution to manage all the privileged credentials that exist in large networks, it’s not uncommon for administrative passwords to be rarely updated in many organizations.
It’s difficult for an IT staff to keep track of all their admin passwords. It gets even more complicated when you’re expected to know every place where the credentials are used – and what might break when they’re updated. But because of the sensitive systems that these credentials protect, frequent privileged password changes are essential.
But how often is this being done? Here’s what we learned in the survey: 10% of respondents admit that they never change administrative credentials.
74% change administrative passwords on at least a monthly basis. That sounds a lot better. After all, most regulatory compliance regulations require organizations to change privileged credentials every 30 days minimally.
However, even a 30 day password update rate may not be frequent enough. Cyber intruders and malicious insiders look for passwords that let them jump from system to system on a network until they find what they want. How much damage can they do in the time before their stolen credentials are invalidated?
Meanwhile, only 1% of those we surveyed change their administrative passwords daily.
Privileged Credential Security Threats Revealed
When an employee leaves a job, there’s typically a standard set of practices that are followed. Checking in physical keys and equipment, transitioning documents and contacts to other employees, and so on. But is there a process for changing the administrative credentials someone used while employed?
We asked respondents: If you left your organization, could you still access your admin credentials remotely? 15% claimed that they could.
This is important because former IT employees and contractors are potentially serious security threats. They often know the password secrets that let them login to systems and applications on the network. If privileged credentials aren’t continuously changed, shutting off former employees’ logins, odds are these ex-employees can still gain administrative access long after their employment ends.
How about among current employees? How secure are the privileged credentials they use? We decided to look at how many IT pros share administrative passwords within their IT groups. Turns out, 36% of them said this occurs at their organizations.
It’s a common IT administration practice. IT pros are busy people, balancing their daily administration tasks with unexpected emergency repairs. So, looking to simplify matters, systems administrators often re-use the same password across many systems and share this password with other IT administrators.
This is convenient for them. The problem is, if a hacker or malicious insider gets hold of this shared password, he’s just gained access to systems around the network.
If you want more information on these and other findings (including how many respondents say they’re prepared for a cyber attack) see http://go.liebsoft.com/rsa-conference-2016-survey.