Authored by: Morey J. Haber CTO, CISO BeyondTrust
As a security-educated end user within my organisation, I have repeatedly instructed employees never to share their corporate passwords with anyone. In fact, as a security best practice, they should never share any password, personal or professional, with anyone. Unfortunately, within some organisations this basic lesson has not been disseminated to the rank and file, and departments like human resources and information technology still think it is acceptable to disclose a password for a given task. While the risks of communicating a password are well established, I question why a department would ever ask for it. If you do not think this is ridiculous, you definitely should continue to read.
As a true story, an end user recently made me aware of a situation that they encountered and that placed them in hot water with human resources. Their corporate-issued computing device needed some maintenance from the IT department. In order to fix the issue, IT requested the end user’s password. The employee refused to provide it and asked them to just reset the password for their usage; he would then change it back without exposing it. The IT department refused and escalated the issue to HR since he would not provide it. HR saw no reason for him to withhold it and threatened disciplinary action if he continued to refuse. Ultimately, the employee provided it, the maintenance was conducted, and he changed it as soon as he got the system back in his possession. This raises a few questions:
There are no good answers for any of these, except ignorance.
As a matter of privileged attack vector risk mitigation, every system should have a unique password for every account, meet basic complexity requirements, and not be shared with any other individual. While we can expand on these basics, the sharing of passwords is a risky concept that everyone should consider fundamental. And at no time within any organisation should departments demand, under the threat of HR retribution, that you expose your password. IT should have enough control over any resource to reset passwords themselves. The risks are just too large, especially when the password is forcibly shared and the end user is not required to change it after the asset is returned to their possession. In the case of this true story, a change was also not required after maintenance, and the default passwords IT assigns are a mixed combination of company name, username, and year: a perfect target for a brute-force or password-spray attack. Changing them is up to the end user and is not enforced by IT. This becomes a liability for any guessing type of privileged attack throughout the entire organisation, for both insider and external threats.
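The two weaknesses described above, IT-assigned defaults built from company name, username and year, and no enforced rotation after an asset is returned, are both mechanically checkable. The following is an added example, not code from the article or from BeyondTrust, of a policy hook that rejects a candidate password composed of those predictable tokens and an audit that flags accounts whose password has not been rotated since the device came back from maintenance. The company name `Acme`, the usernames and the dates are constructed sample data; the predictability check is meant to run at the moment a password is set, which is the only point where the plaintext is legitimately available.

```python
"""Added example (not from the article): policy checks for the two gaps the
article describes, predictable IT-assigned defaults and missing rotation."""
import re
from datetime import date
from typing import Dict, List, Optional

_YEAR = re.compile(r"(19|20)\d{2}")


def _normalize(s: str) -> str:
    """Lowercase and drop separators so 'Acme-jsmith_2024!' == 'acmejsmith2024'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def _composed_of(s: str, tokens: List[str]) -> bool:
    """True if s is exactly a concatenation of the tokens and/or 4-digit years.

    Backtracks over every token so a company name that is a prefix of the
    username (or vice versa) is still handled correctly.
    """
    if s == "":
        return True
    for t in tokens:
        if s.startswith(t) and _composed_of(s[len(t):], tokens):
            return True
    return bool(_YEAR.match(s)) and _composed_of(s[4:], tokens)


def is_predictable_default(password: str, company: str, username: str) -> bool:
    """Reject passwords that are any mix of company name, username and year.

    Separators and case are ignored, so 'Acme-jsmith2024!' and 'jsmithACME'
    are both flagged, while a password with any other material is not.
    """
    tokens = [t for t in (_normalize(company), _normalize(username)) if t]
    return _composed_of(_normalize(password), tokens)


def needs_forced_reset(returned_on: date, password_changed_on: Optional[date]) -> bool:
    """True if the user has not changed the password since the asset came back.

    The article's point: once a password has been exposed for maintenance,
    the change must be enforced by IT, not left to the end user.
    """
    return password_changed_on is None or password_changed_on < returned_on


def audit(accounts: List[dict], company: str) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every account that fails either check."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if is_predictable_default(acct["password"], company, acct["username"]):
            reasons.append("predictable default")
        if needs_forced_reset(acct["returned_on"], acct["password_changed_on"]):
            reasons.append("not rotated since return from maintenance")
        if reasons:
            findings[acct["username"]] = reasons
    return findings


# Constructed sample records: the password field is the candidate value seen
# at set time, not a stored credential.
SAMPLE_ACCOUNTS = [
    {"username": "jsmith", "password": "Acme-jsmith2024",
     "returned_on": date(2024, 3, 1), "password_changed_on": None},
    {"username": "alee", "password": "correct horse battery staple",
     "returned_on": date(2024, 3, 1), "password_changed_on": date(2024, 3, 2)},
    {"username": "bkhan", "password": "xk#9Lq!vT2pR",
     "returned_on": date(2024, 3, 5), "password_changed_on": date(2024, 2, 1)},
]

if __name__ == "__main__":
    for user, why in audit(SAMPLE_ACCOUNTS, "Acme").items():
        print(f"{user}: {', '.join(why)}")
```

The normalisation step matters more than it looks: a complexity rule that counts a dash or an exclamation mark as a "special character" would happily accept `Acme-jsmith2024!`, which is exactly the pattern a spray list would be built from.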
The lessons learned from this tale from the trenches are basic:
Solutions to manage privileged accounts can help ensure IT always has unique credentials for system maintenance on any device and that end users are never placed in a situation to violate security best practices.