20 Oct 2009
Administrative passwords are plentiful in enterprises of all sizes. Most of them are shared insecurely and scattered around the organisation, leaving little scope for any internal control.
Although the security and operational problems caused by shared administrative passwords are obvious, no organisation can afford to eliminate shared accounts altogether.
Administrative passwords are omnipresent and all-pervasive. Servers, databases, network devices and numerous other IT applications are controlled through many administrative passwords.
Those who log in through the privileged, administrator mode may access absolutely anything with ease.
Most shared passwords are used in a shared environment: a group of administrators uses a common privileged account to access a resource, so the credentials for that account are known to every member of the team.
Apart from the 'officially shared' passwords, users often reveal administrative passwords to colleagues for one reason or another. The most common reason for such an 'unofficial share' is covering for an emergency in someone's absence, for example an IT manager giving his password to a colleague to cover his role while he is on holiday.
Whether official or casual, such sharing can have disastrous repercussions. Mismanagement of administrative passwords leads to information theft, data manipulation and sabotage, all without a trace.
It is always better to avoid sharing administrative passwords, yet business requirements demand selective sharing. Just a single instance of a database could have as many as 30 administrative accounts. Even a small enterprise with a modest number of devices and applications may have thousands of privileged passwords.
In reality, the passwords are just left open to be managed by the group or shared environment.
Developers, help desk staff and, in certain cases, third-party vendors that temporarily require privileged access are simply given the passwords they ask for. There is no process to revoke that temporary access and reset the password afterwards, which leaves a large security hole.
It is quite common to see administrators assigning familiar words or short phrases as passwords for ease of use. The passwords are then maintained in text files, spreadsheets, homegrown tools or even physical vaults.
And it is not uncommon to see a UNIX administration team having full access to the Windows passwords, developers having full access to database passwords, and so on.
Apart from the shared accounts, even the 'personal' accounts of the senior IT team may be revealed to team members to tackle emergency issues. Surveys by industry analysts have time and again pointed out that administrators often casually tell passwords to their colleagues so that work can be carried out by proxy.
At the end of the day, all you will know is that someone has logged in as 'Administrator'. But who is that 'someone'?
Internal controls become fragile. Organisations might have secured their external face against attacks, but a still bigger attack might just be waiting to happen from within.
Mistakes, whether accidental or intentional, can never be traced back to an individual, so the enterprise has no accountability for the actions taken under the shared account.
If the text file or spreadsheet containing the shared administrative passwords reaches the hands of a malicious user, data security and business reputation may be thrown to the four winds.
When passwords are not kept secret, the purpose of having an authentication mechanism to grant access to the resources is defeated.
Passwords on shared resources are often changed by one administrator without the knowledge of the others. Without close cooperation among administrators, day-to-day operations become messy, and lock-outs of resources and accounts become common.
These things can and should be fixed.
V Balasubramanian is a senior analyst and ManageEngine password manager professional at Zoho Corp
Solution?
You mention the password sharing problem can be fixed, can you share some practical means as to how?
Posted by Phil | 10 Mar 2010