Password overload

By | April 13, 2005

I´ve got password overload syndrome! When I went to see my doctor he quietly admitted it had got him too – as he fumbled to access my notes on-screen.

We all have too many pin numbers and passwords to remember. Have you ever taken the time to count up how many you use in the course of a day? Have you ever sat in front of your screen with your mind absolutely blank? If you think you´ve got it bad, what about the IT administrative guy who has got hundreds to memorize including the ones that give access to the most sensitive parts of the company. He may just resort to sticking them onto a post-it note, or shoving them into a drawer or onto a spreadsheet. Hmmm – you can hear those hungry hackers licking their lips at the very thought, and all those aggrieved staff thinking that this is the way to get back at the boss.

The backbone of every enterprise infrastructure is a massive network of servers, network devices, security and other infrastructure that creates the complex nerve centre of a company. Every day, systems, network and security administrators are logging onto these critical infrastructure points for routine maintenance, repair and application of the latest security patches. Many of them are running around with root and administrator privileges, and they´re losing or forgetting them all the time!

Administrators may have the best of intentions, but the more passwords change hands or remain unchanged, the greater the likelihood of a security breach. Because administrative passwords frequently need to be shared, there is increased risk that they are just left lying around. This results in administrative passwords becoming widely known and changed less frequently.

Since administrative privileges are needed for emergency and disaster recovery scenarios, only a reliable password management policy can guarantee that the correct passwords will be promptly available in these circumstances.

It´s surprising how many organizations resort to storing passwords simply around the office on spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents.

Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes from IT failures.

Companies have to look closely at the way passwords are saved, controlled and managed. The most effective way to reduce the hazards of password overload syndrome is to apply an effective policy.

My advice to my doctor is keep smiling – it´s the best therapy! For those IT guys there is a light and hope at the end of the tunnel – password overload syndrome can be beaten with new treatment: putting the right measures and products in place for the fog to disappear.

Once it does, they´ll find those passwords are safe and secure tucked up where no-one else can get to them apart from those who need to.

an effective password policy should include:

· Centralized administration: Often, different IT groups control different pockets of passwords. It´s important to take steps to create a centralized policy, procedures and enforcement mechanism. Otherwise, there is no way to ensure that each business or technical unit is doing its best to protect the keys to the kingdom.

· Secure storage: Administrative passwords should be securely stored in a way that offers strong authentication, granular access control, encryption and auditing to safeguard every password.

· Worldwide secure availability: At the same time, remote access is also critical. With today´s distributed enterprises, administrators need access beyond network boundaries, where they can securely access and share passwords from anywhere within or outside the enterprise network.

· A dual-control mechanism: This would require two or more administrators to access passwords to the most sensitive or vulnerable servers.

· Routinely changing passwords and tracking histories: In addition to secure storage, the only way to ensure the long-term security of passwords is to alter them routinely.

· Intuitive auditing: As passwords are used, changed or added, organizations will need to audit the whereabouts and use of passwords without poring over log files. Regulatory compliance measures are also driving routine auditing and tracking of access to vital systems.

· Disaster recovery planning: Administrative accounts play a major role in recovering from incidents that range from a simple problem to a full off-site disaster recovery. Look into technologies for automated, safe replication of vital administrative information that can guarantee the availability of those accounts in time of need.

· Provision of a ´safe haven´ or vault within the network where all administrative passwords can be securely archived, transferred and shared among IT staff, on-call administrators, as well as administrators in the field.

Leave a Reply