A good bit of attention has been given to a new report that suggests that there are organizations that don’t change their administrative passwords at all, ever. While it may be a bit eye opening that many IT professionals said they did not change their administrative passwords, this report is shining a light on something for the first time. Ultimately, however, I am not surprised by the results of the survey. Call me cynical or tell me that I’m being unreasonable for assuming that many administrative passwords are never changed, but surprised? Not so much.
Passwords are in the news every day either for their lack of use, lack of user appreciation or that fact that they have been hacked, given away, sold or remain unused. How many times do we seem to hear about pre-set “admin” passwords getting broken into because the folks who take the machines and devices out of the box fail to reset them from their factory pre-sets? Too many.
Should we really care about the number of times our supervisors change their passwords compared to us? Probably not. We should be interested in addressing the bigger problem – managing access credentials in an automated and timely fashion with solutions that make the entire process more efficient and more secure without focusing on when and how to change every password.
Passwords are important (despite over exaggerated news of their impending death) yet maybe we should focus more on simplifying the user experience rather than examining it in a way that seems overly scientific and quizzical. For example, automating the single sign-on process solves most of these password management problems; one password or access credential for use across all platforms. Through such a simple-to-use solution, rules can be put in place that require all passwords to be changed regularly for everyone in the system in mandate intervals. Pretty simply alleviates a number of issues.
Taking such an approach rids us of the I-can’t-believe-they-do-it-that-way-how-dare-those-password-neandrathals ways and allows us to focus on security of an organizations information and getting our work done. Less time can be spent on people and their poor password management skills. Less time can be spent talking about passwords and their lack of management and more time on how passwords and their (automated) management are doing exactly what they are designed to do: protect user and organizational information.
Perhaps then we can focus less on just how poor some of our password protocols are and how this manager defines password management strategy versus this manager over here, and they can get back to the duty of managing the work they’re paid to manage.
With access governance solutions, there’s no need to worry about whether a network admin password is changed or not. Not only can the solutions tell you that no activity has taken place, they can be set so that a change can be mandated.
The same solutions can be used to alleviate against other issues “discovered” in the survey. For example, access management solutions can easily be set up to terminate access to an employee’s account in the event that the person leaves the organization. This is simple, easy and can be automated to mitigate against the finding that says 30 people of the 200 surveyed would still be able to access their information if they were to leave the organization.
Access management is especially important when trying to protect against insider threats. Frankly, imagine how granular access and review of account access could protect an organization and its information. The Panama Papers case is a good example of this.
However culled and collected the information that became a more than 11-million document information leak to the press was an insider from the law firm, Mossack Fonseca. Granted, the organization may know who gathered and released the information, but imagine if the firm was aware of this while the information was being pirated; they could have stopped the leak.
Despite this, it was probably for the best that this information made it into society’s hands, but my point is made. Having a granular view of operations – of the who, what and when of information access – is absolutely worthwhile for the safety of an organization’s information and being able to track who may be acquiring or viewing information in the system that they should not be accessing. The number of password change requests maybe a bit less so, as long as solutions are in place to replace the manual processes.