Take a look at the following conversation between two IT administrators:
Pete: “Hey Emma, could you please cover for me this afternoon? I need to head out for a personal emergency.”
Emma: “Sure, no problem Pete.”
Pete: “Great! Well, there’s just one thing that needs attention right away. The newly installed router on 3rd floor-East is not transmitting. Could you recheck its configuration files and see if something’s missing or wrong?”
Emma: “Ok, but I’ll need admin access as well as the router password.”
Pete: “Oh, you can use this workstation. I’ll email you the required credentials now.”
Emma: “Alright then, I’ll take care of it.”
Pete: “Thanks a lot, Emma!”
Now, there are a number of things wrong with this conversation. First, Pete doesn’t even think twice before sharing his administrative credentials with Emma via email, which is actually a high-risk medium for password sharing. Second, Pete’s sharing not one but two passwords insecurely — the login credentials of an admin workstation and the router’s password. Finally, if Pete does not reset his passwords later, Emma will continue to possess elevated privileges to access the company’s critical assets at will. Some of you might think, how much harm can a couple of passwords bring? A lot. For instance, in July 2016, a disgruntled Citibank IT admin deliberately wiped nine routers, bringing down ninety percent of the firm’s network across America.
Today, any organization with a decent network infrastructure understandably has to work its way through a multitude of administrative passwords every day in order to manage the various IT resources that sustain its business. However, danger lurks where true power resides, and privileged passwords consistently prove to be a favorite target for hackers and malicious insiders.
Oblivious to the associated risks, a team of IT administrators may casually share passwords in plain text through chat, email, or sticky notes. Without proper controls, passwords can quickly circulate throughout the company and land in the wrong hands.
Implementing a few ground rules for storing and sharing privileged account credentials can help you prevent password leaks and respond to them efficiently. Here are a few best practices that are always effective:
#1 Use a secure vault for password storage.
Consolidating and storing privileged passwords in a safe, centralized repository—instead of Excel spreadsheets—is a common, but often overlooked, security measure. A well-built vault with encryption can go a long way in ensuring security.
#2 Provide restricted access to passwords based on a user’s role.
Deciding a user’s privilege level, based on their role in the organization, can help you limit access permissions accordingly. Most users do not even need to see plain text passwords to get their jobs done.
#3 Allow access to IT systems without revealing privileged passwords in plain text.
Permitting users to directly connect to IT resources, without disclosing respective passwords in plain text, helps your IT team maintain effective control of shared privileged accounts and their access. For instance, you can allow users to initiate a remote desktop session through a secure gateway without requiring them to manually provide the account credentials.
#4 Extend temporary access with one-time sharing provisions.
Provide employees with only temporary access to passwords as needed. Provisions to share passwords for a limited period of time and to revoke permission once a user completes the task ensure that no unsupervised transactions are carried out.
#5 Reset shared passwords instantly after a single use.
To avoid unauthorized access attempts in the future, configure shared passwords to reset automatically once users complete their tasks. Because a temporarily shared password is reset after use, it cannot be reused later to gain improper access to IT resources.
#6 Require admin approval for password retrieval.
For further safety and tighter control of shared passwords, mandate IT administrator approval for employee password access requests, ensuring that all password-related actions, including resets, go through a request-release workflow.
#7 Create comprehensive audit trails on share activities.
Audit all share operations and other password-related activities with a timestamp and the user’s IP address. Audit trails can be used to understand who did what with a password, from where, and when.
#8 Generate instant alerts for password access and sharing.
Set up real-time alerts to notify admins when users access critical passwords, modify/delete them, or share them with other users.
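To make these rules concrete, here is an added illustration of how a small privileged-password service can enforce practices #2 through #8 in one place: role-based retrieval, a request-release approval step, time-limited one-time shares, automatic reset after a single use, session access that never discloses the plain-text password, and an audit trail with alerts. This is example code written for this post; it is not Password Manager Pro's code or any vendor's API. The `Vault` class, the role names, the sample users Pete, Emma and Alice, and the IP addresses are assumptions; encryption at rest (#1) and pushing the rotated password to the actual device are out of scope.

```python
"""Minimal model of privileged-password sharing controls (added example).
Covers role-based access (#2), session access without plain text (#3),
time-limited one-time shares (#4), auto-reset after use (#5), admin
approval (#6), audit trails (#7) and alerts (#8). Storage encryption is
not modelled; the vault keeps secrets in memory only."""
import secrets
import time
from dataclasses import dataclass, field

ADMIN, OPERATOR = "admin", "operator"   # assumed role names


class PolicyError(Exception):
    """Raised when a request violates a sharing rule."""


@dataclass
class Share:
    account: str
    requester: str
    expires_at: float        # #4: share is only valid until this time
    approved: bool = False   # #6: nothing is released until an admin approves
    used: bool = False       # #4/#5: a share can be consumed exactly once


@dataclass
class Vault:
    roles: dict                                   # user -> role (#2)
    secrets_by_account: dict = field(default_factory=dict)
    shares: dict = field(default_factory=dict)    # share_id -> Share
    audit_log: list = field(default_factory=list)  # #7
    alerts: list = field(default_factory=list)     # #8

    def _audit(self, user, action, account, ip, alert=False):
        # #7: every password-related action is recorded with time and source IP
        entry = {"ts": time.time(), "user": user, "action": action,
                 "account": account, "ip": ip}
        self.audit_log.append(entry)
        if alert:                 # #8: critical actions also raise an alert
            self.alerts.append(entry)

    def store(self, admin, account, password, ip):
        if self.roles.get(admin) != ADMIN:
            raise PolicyError("only admins may store passwords")
        self.secrets_by_account[account] = password
        self._audit(admin, "store", account, ip)

    def request_share(self, requester, account, ttl_seconds, ip):
        # Any known user may ask, but the request only creates a pending share.
        if requester not in self.roles or account not in self.secrets_by_account:
            raise PolicyError("unknown user or account")
        share_id = secrets.token_hex(8)
        self.shares[share_id] = Share(account, requester, time.time() + ttl_seconds)
        self._audit(requester, "request_share", account, ip)
        return share_id

    def approve(self, admin, share_id, ip):
        # #6: request-release workflow; an admin other than the requester signs off
        if self.roles.get(admin) != ADMIN:
            raise PolicyError("approval requires an admin")
        share = self.shares[share_id]
        if admin == share.requester:
            raise PolicyError("requester cannot approve their own request")
        share.approved = True
        self._audit(admin, "approve_share", share.account, ip, alert=True)

    def _checked_share(self, user, share_id):
        share = self.shares.get(share_id)
        if share is None or share.requester != user:
            raise PolicyError("no such share for this user")
        if not share.approved:
            raise PolicyError("share not yet approved")
        if share.used:
            raise PolicyError("share already consumed")
        if time.time() > share.expires_at:
            raise PolicyError("share expired")
        return share

    def open_session(self, user, share_id, ip):
        """#3: connect through the vault; the caller only gets an opaque handle."""
        share = self._checked_share(user, share_id)
        share.used = True
        token = secrets.token_urlsafe(16)   # stands in for a gateway session id
        self._audit(user, "open_session", share.account, ip, alert=True)
        self._rotate(share.account, ip)     # #5: reset right after the single use
        return token

    def reveal(self, user, share_id, ip):
        """Plain-text retrieval is limited to admins (#2) and is also one-time."""
        if self.roles.get(user) != ADMIN:
            raise PolicyError("plain-text reveal is limited to admins")
        share = self._checked_share(user, share_id)
        share.used = True
        password = self.secrets_by_account[share.account]
        self._audit(user, "reveal", share.account, ip, alert=True)
        self._rotate(share.account, ip)
        return password

    def _rotate(self, account, ip):
        # A real vault would also push the new password to the device itself.
        self.secrets_by_account[account] = secrets.token_urlsafe(24)
        self._audit("vault", "auto_reset", account, ip)
```

Replaying the conversation from the top of the post with this model: Emma requests a share for the router account, a second admin approves it, Emma opens a session without ever seeing the password, and the vault resets the password and raises alerts for both the approval and the session. A second attempt with the same share is refused, and as an operator she cannot retrieve the plain text at all.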
Put together, these best practices can help you standardize password sharing across your organization. Designed along the same lines, Password Manager Pro helps you adopt these best practices and reinforce your password sharing standards.
If you haven’t tried Password Manager Pro yet, you can download our 30-day trial here.