In many organizations, IT administrators follow insecure password management practices because doing so is often the easiest way to get the job done.
The root problem is one of complexity.
Managing passwords for large numbers of user accounts – and ensuring that the people, applications, and services that depend on accessing those accounts are able to do so on a regular basis – is a complex task. Understandably, many IT administrators are reluctant to take steps that might disrupt business operation services, even if that means sacrificing a measure of security in the process.
Failure to Update Passwords
In some organizations, passwords for Windows/Linux/UNIX privileged accounts, service accounts, and application-specific accounts often remain unchanged for years, even though administrators know better – and despite the fact that regulatory compliance rules require much more frequent changes.
Changing passwords on a regular basis is a well-known security best practice. So why are some admins reluctant to change passwords? The reason has to do with business continuity.
Changing passwords in many organizations may cause service disruption. In these organizations, administrators don't know precisely what accounts exist or where they are. If you don't know what machines you have, you might miss some and cause a lockout when you carry out a password change, because some machines will still try to use the old credentials. So changing passwords in these organizations is just not going to happen.
Passwords Stored in Spreadsheets
It's not uncommon for administrators to store privileged account passwords in an Excel spreadsheet that is saved to a shared network drive so that everyone who needs the passwords can easily access them. It's a practical solution, but it means that anyone who opens the spreadsheet has access to every password on it – including ones they don't need to know.
The end result of this practice is often that passwords become widely known among IT staff – and before you know it, passwords are shared outside the IT department, even with contractors and others outside the business. And of course when a password is used, there is no telling who used it, or why. There is, in other words, no accountability or audit trail.
Default Passwords on Virtual Machines
Security in a virtualized environment can sometimes lag security in the physical world. Here's an example: Many virtualization systems use the concept of a virtual machine library, which contains pre-configured virtual machine templates.
Machines made from these templates can be checked out and "spun up" when required – but all will generally spin up with the same embedded credentials.
That's a pretty significant security risk, Lieberman says: "If you can compromise one virtual server, that makes them all vulnerable."
Password Management Tools to the Rescue
The good news is that there are many solutions available that enable simplified and secure password management in enterprise organizations. These password management systems typically include the following features:
A centralized, encrypted database containing all privileged account passwords.
A way to enable users to request and "check out" a password, after the system has ensured that they are entitled to access the password they are requesting.
An audit trail of who accessed which password, the time that they assumed responsibility for it by checking it out, and what time it was "checked in" again.
Automatic password change as soon as a password is checked back in, preventing the old one from being re-used.
A continuous discovery process that monitors existing accounts, finds new accounts, and brings them into the system as they are created.
The standard workflow for these products is straightforward: An administrator (staff member or contractor) who needs to use a privileged account accesses the password management system and requests a password for that account. If the system approves the request (the approval process can be carried out automatically or require the explicit approval of a superior) then the system creates a secure random password, which is usually valid for a short period of time – perhaps two hours.
As soon as the administrator checks this password out they are responsible for its use, either until it expires automatically, or until they check it back in. Once checked back in, the password is changed, and other systems that require it are updated automatically.
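As an added illustration of the check-out workflow just described (this is not code from the original article or from any of the products it names), here is a minimal Python model of a privileged-credential vault. The class and method names (`Vault`, `onboard`, `check_out`, `check_in`) are assumptions; the two-hour validity window is taken from the text, passwords come from a cryptographically secure generator, every action is written to an append-only audit list, and the password is rotated both when it is checked back in and when an expired check-out is noticed.

```python
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Character set for generated passwords; `secrets` (not `random`) gives CSPRNG output.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 24) -> str:
    """Return a cryptographically random password of the given length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Checkout:
    user: str
    expires_at: datetime


@dataclass
class Account:
    name: str
    password: str
    entitled_users: set
    checkout: Optional[Checkout] = None


class Vault:
    """Toy privileged-credential vault (hypothetical): entitlement check,
    time-limited check-out, rotation on check-in or expiry, and an audit trail."""

    def __init__(self, ttl: timedelta = timedelta(hours=2),
                 clock: Optional[Callable[[], datetime]] = None):
        self.accounts: dict = {}
        self.audit: list = []          # append-only audit records
        self.ttl = ttl                 # how long a checked-out password stays valid
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, event, account, user, **extra):
        self.audit.append({"time": self.clock(), "event": event,
                           "account": account, "user": user, **extra})

    def onboard(self, name: str, entitled_users) -> None:
        """Bring a discovered account under management with a fresh random password."""
        self.accounts[name] = Account(name, generate_password(), set(entitled_users))
        self._log("onboard", name, "system")

    def _rotate(self, acct: Account, reason: str) -> None:
        # Replacing the password is what makes the old one unusable after check-in;
        # a real system would also push the new value to dependent services here.
        acct.password = generate_password()
        acct.checkout = None
        self._log("rotate", acct.name, "system", reason=reason)

    def _expire_if_due(self, acct: Account) -> None:
        if acct.checkout and self.clock() >= acct.checkout.expires_at:
            self._log("expire", acct.name, acct.checkout.user)
            self._rotate(acct, "checkout expired")

    def check_out(self, user: str, name: str):
        """Hand the current password to an entitled user for at most `ttl`."""
        acct = self.accounts[name]
        self._expire_if_due(acct)
        if user not in acct.entitled_users:
            self._log("deny", name, user, reason="not entitled")
            raise PermissionError(f"{user} is not entitled to {name}")
        if acct.checkout is not None:
            self._log("deny", name, user, reason="already checked out")
            raise RuntimeError(f"{name} is checked out by {acct.checkout.user}")
        expires_at = self.clock() + self.ttl
        acct.checkout = Checkout(user, expires_at)
        self._log("checkout", name, user, expires_at=expires_at)
        return acct.password, expires_at

    def check_in(self, user: str, name: str) -> None:
        """Return responsibility for the account; the password is rotated immediately."""
        acct = self.accounts[name]
        if acct.checkout is None or acct.checkout.user != user:
            raise RuntimeError(f"{name} is not checked out by {user}")
        self._log("checkin", name, user)
        self._rotate(acct, "checked in")

    def current_password(self, name: str) -> str:
        """Value a dependent service would be updated with after rotation."""
        return self.accounts[name].password

    def events(self, name: str):
        """Audit trail for one account: who did what, and when."""
        return [e for e in self.audit if e["account"] == name]


if __name__ == "__main__":
    vault = Vault()
    vault.onboard("svc-backup", {"alice"})   # constructed sample account
    pw, until = vault.check_out("alice", "svc-backup")
    print(f"alice holds a password until {until.isoformat()}")
    vault.check_in("alice", "svc-backup")
    for e in vault.events("svc-backup"):
        print(e["time"].isoformat(), e["event"], e["user"], e.get("reason", ""))
```

The `clock` parameter exists so that expiry can be exercised deterministically; in production the default UTC clock is used. Note that the audit list records denials as well as successful check-outs, which is exactly the accountability the spreadsheet approach lacks.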
While password management systems are easy to use, they are complex applications under the hood – and many are capable of handling millions of user accounts. For that reason, these applications tend to be targeted at larger enterprises, with a price tag to match.
Products in this category include:
AccessMatrix Universal Credential Manager
Enterprise Password Vault
Enterprise Random Password Manager
Password Manager Pro
Privileged Access Manager
Privileged Account Access
Culled from http://www.esecurityplanet.com/
THIS WEEK on Gadget
Virtual Laser Keyboard
Imagine a world where the physical keyboard is obsolete and you type on a keyboard projected by a laser from a small device. Think no more, because the technology has arrived. This small device has a laser-projected keyboard that doubles as a mouse: two input devices that act as one.
How it works:
A laser projects a full-size keyboard onto any flat, opaque surface; only a small space is required to operate it. Motion sensors detect when a user makes the action of pressing a key on the virtual keyboard. The keystroke is then transferred to the connected device, and the text characters appear on the connected device's screen. Communication uses Bluetooth wireless technology. It is compatible with the latest mobile devices (iPhone, iPad, iPod, laptops and many other Bluetooth-capable devices) without the need for a software installation. The device is small, light and easy to carry, and comes with a long-lasting rechargeable battery. A power-saving mode lets you turn off the laser projector to extend battery life and turn it back on again with a simple gesture. The Cellon virtual laser keyboard has a built-in optical sensor, an infrared layer emitter and a keyboard pattern projector; together these determine the exact 3D position of your finger to make typing easier. It can also perform common mouse operations, and you can navigate using simple gestures. Typing: at first this may be a little difficult, but with regular practice you can get by comfortably.
The Magic Cube Virtual Laser Keyboard, by Cellon is compatible with most Operating Systems:
Apple iOS 4 or Later, Apple Mac OS 10.4 or Later, Google Android 2 OS or Later, Windows XP/Vista/7. It can also operate via USB.
Pros: One advantage is that the keyboard can be used with a large number of devices: iPad, iPod, iPhone and any smartphone or PDA can connect to it, as well as laptop and desktop computers. Another advantage is increased productivity, since users are no longer required to use the tiny keyboards found on most smartphones and handheld devices.
Cons: One disadvantage arises in the scenario where a smartphone is the best device for a user: the keyboard will be difficult to use and operate in motion (in a moving car or on an airplane), and accidental keystrokes will often occur.