In the IT world, most systems administrators must deal with the need to regularly change passwords for privileged accounts, like the built-in Windows administrator account.
There are many reasons why an IT administrator might be compelled to change admin passwords. Often it’s to comply with regulatory mandates like PCI-DSS, SOX, HIPAA and a host of others. Sometimes administrators are motivated to change passwords when an employee who knows the credentials leaves the company. Regardless, the IT administrator has to change these static administrator passwords for the security of the company and the data the company is required to protect.
Understanding the Privileged Account Security Problem
In many of the IT shops I’ve seen, all the systems have the same administrator account name and the same basic password. And, in most of these cases, this password has not been changed since the systems were deployed.
You may wonder how serious this issue really is. Here’s one way to look at the problem. When someone asks me, “How long does it take to crack an admin password?”, I answer the question with these questions:
- How many people know the password?
- Do all those people still work for your organization?
- If some of the people who know the account’s password no longer work for your company, did they leave amicably?
- Do all your systems use the same password for privileged accounts?
- Are your passwords complex and changed frequently?
I know I’ve cracked long admin passwords (14+ characters) with special characters, numbers and letters in less than two minutes. I’ve done it just by using rainbow tables – including the extraction of the encrypted values.
Password Secrets Don’t Remain Secret for Long
Starting at the top of this list, it’s fair to say that the more people who know a secret, the more likely it is that the secret will get out. I’ve seen many companies where the IT administrators felt it was convenient to set the shared password to the same value on every system, and then told the IT staff what the passwords were. Of course, as time passed, the company started finding machines with various unapproved settings. They also discovered regular users who were able to log into these accounts.
The Rogue IT Administrator
If all the people who know the passwords still work for the company and are otherwise happy and dutiful employees, this access risk is slightly mitigated. But you never know when you might have a malicious user to contend with. If any of those users left the company on bad terms, you have a loose, hostile element that knows how to break into your network using an otherwise untraceable account.
According to a survey we did a while back, 13% of polled IT professionals said they can access previous employers’ systems using their old credentials.
I’ve known people who continued to log in to a network at a previous employer just because they could. It’s mildly amusing that they are pointing out the poor practice of not changing admin passwords. But it’s also frightening to consider the damage they could do if they had malicious intent.
Time Is Not On Your Side
Password age is relevant because time is what you’re up against when dealing with stolen credentials. An admin password that isn’t changed frequently gives a bad guy all the time he needs to crack it. There are plenty of free tools available on the Internet that can help him. And once he has the password, he gains persistent access to every system that uses that password, until it’s finally changed.
What this really means is that given the will to crack an admin password and break into your systems, all your attackers need is time. But by continuously changing the passwords for powerful privileged accounts with a privileged password management solution, you’re denying your adversaries the time they need to succeed.
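One way to find out where you stand on password age before you deploy anything is to audit it. The script below is an added example, not code from the original post or from Lieberman Software: it runs on a single Windows host, lists local accounts that sit in the Administrators group, and flags any enabled privileged account whose password was never set or is older than an assumed policy maximum (the 90-day value is an assumption; substitute your own). It relies on the Get-LocalUser and Get-LocalGroupMember cmdlets from the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example (not part of the original post): report local privileged accounts
# whose password is overdue for rotation. Assumes Windows PowerShell 5.1 or later
# with the LocalAccounts module. $MaxAgeDays is an assumed policy value.
param(
    [int]$MaxAgeDays = 90
)

$now = Get-Date

# SIDs of user accounts that are direct members of the local Administrators group
$adminSids = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' } |
    ForEach-Object { $_.SID.Value }

$report = Get-LocalUser | ForEach-Object {
    # PasswordLastSet is $null when the password has never been set
    $ageDays = if ($null -eq $_.PasswordLastSet) {
        $null
    } else {
        [int]($now - $_.PasswordLastSet).TotalDays
    }
    $isLocalAdmin = $adminSids -contains $_.SID.Value

    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        # The built-in Administrator keeps RID 500 even when it has been renamed
        BuiltInAdmin    = ($_.SID.Value -like '*-500')
        LocalAdmin      = $isLocalAdmin
        PasswordAgeDays = $ageDays
        # Enabled privileged accounts with a never-set or overdue password
        NeedsRotation   = ($_.Enabled -and $isLocalAdmin -and
                           (($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)))
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Run it elevated on each host, or wrap the body in Invoke-Command to collect the same report from many machines at once; it tells you which accounts are overdue, not whether the same password is reused across systems, which the script cannot see from one host.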
For a deeper dive into this topic, see the white paper Who Holds the Keys to the IT Kingdom?
By Chris Stoneff, Vice President Technical Management, Lieberman Software
Chris Stoneff oversees product management, quality assurance and technical support at Lieberman Software, and is instrumental in guiding the development of the Lieberman Software products portfolio.