Thursday, July 12, 2007

Securing Passwords

I saw this in ComputerWorld (6/4/2007 in the "Security Log")


Most companies mismanage administrative passwords by keeping them in unsecured locations and not controlling access to them. 57% of companies store their administrative passwords manually, and 18% store them in an Excel spreadsheet; 82% of IT professionals store them mentally.

In my opinion you can equate "store them mentally" as the administrator uses the same password for multiple systems.

I really think that managing administrative, root or "power" passwords (a.k.a. identities) is truly lacking. Who is using one? For what? How is it audited? What did they actually type while they were a superuser? Who authorized that person to have that access?

I bet many companies can't answer those questions...

Technorati Tags:

1 comment:

Anonymous said...

Hi,

True, your comments are very valid.

To help enterprises secure their administrative passwords, many enterprise Password Managers are available in the market.

Password Managers, in general, help enterprises control access to privileged passwords. Every single access to passwords by users, is audited with timestamp.

I work for one such Password Manager named ManageEngine PasswordManager Pro (www.passwordmanagerpro.com), which precisely does all these. In addition, it solves the problem of 'Super Admin' concept you have mentioned.

It works based on 'ownership' and 'sharing' concepts - one who adds the password owns it and no one else, including admin users could see those passwords. If the passwords are to be accessed by others, the owner has to 'share' them.

Thanks,
Bala