Password Overload Syndrome: The Latest Disorder Ravaging The IT Industry
by Calum MacLeod - Senior Consultant for Cyber-Ark - Thursday, 9 December 2004.
I've got password overload syndrome! When I went to see my doctor he quietly admitted it had got him too, as he fumbled to access my notes on-screen. The chap at the pharmacist strangely has it too, and neither of them even works in IT! It all comes down to the fact that we all have too many PINs and passwords to remember. Have you ever taken the time to count up how many you use in the course of a day? Have you ever sat in front of your screen and your mind has gone absolutely blank? If you think you've got it bad, what about the IT administrator who has hundreds to memorize, including the ones that give access to the most sensitive parts of the company? He may just resort to sticking them onto a post-it note, or shoving them into a drawer, an Excel spreadsheet or a Word document. Hmmm, you can hear those hungry hackers licking their lips at the very thought, and all those aggrieved staff thinking "yippee, this is the way I'll get back at my boss".

The backbone of every enterprise infrastructure is a massive network of servers, network devices, and security and other infrastructure that creates the complex communications network, or nerve centre, of a company. Every day, systems, network and security administrators are logging onto these critical infrastructure points for routine maintenance, repair and application of the most updated security patches. Many of them are running around with "root" and "administrator" privileges, either with their personal user or with their commonly used accounts. And they're losing or forgetting them all the time!

Administrators, like most of us, have the best of intentions, but the more those passwords exchange hands or remain unchanged, the greater the likelihood of a security breach. Also because administrative passwords frequently need to be shared, there is increased risk that they are just left lying around somewhere. This results in administrative passwords becoming widely known and changed less frequently. Since administrative privileges are required for emergency and disaster recovery scenarios, only a reliable password management policy can guarantee that the correct passwords will be promptly available in these time-sensitive circumstances.

It's surprising how many organisations resort to storing passwords around the office on spreadsheets and simple databases. A quick penetration test will show just how easy it is to get at these documents. Mismanagement of administrative passwords is a major cause of security breaches and one of the top reasons for long recovery processes from IT failures.

The problem would be easy to fix if large organisations didn't demand near-instant access for administrators struggling to keep up with crashes and maintenance, or only employed female administrators. But since this is unlikely to change, companies have to look closely at the way passwords are saved, controlled and managed.
