Those findings come from a survey of 300 IT professionals--two-thirds of them working for businesses with 10,000 or more employees--recently conducted by Lieberman Software, which sells privileged identity management software.
When it comes to securing systems, experts recommend using long, random passwords that mix character types (uppercase and lowercase letters, symbols, and numbers), never reusing a password, and changing passwords with some frequency. But many end users fail to follow those recommendations unless faced with systems that automatically enforce password rules.
Interestingly, the survey found that the same holds true for many businesses' IT departments. In particular, 25% of survey respondents said that at least some of the superuser passwords that grant all-access rights to hardware, applications, or databases were less complex than the business' end-user password policies required. Furthermore, since many of these superuser passwords were shared freely between employees, spotting inappropriate, administrator-level access to sensitive data and tracing it back to the person responsible would be difficult.
[The feds are cracking down to force companies to disclose security breaches. Learn more: SEC Mandates Cyber Incident Reporting.]
Password sharing, however, arguably masks a bigger challenge, which is the sheer number of systems with which IT personnel must interact on a daily basis. Notably, the survey found that half of IT managers are asked to remember passwords to 10 or more systems. In such a scenario, aren't password management shortcuts inevitable?
"The issue has to do with the proliferation of systems, and the IT groups not having the resources to manage what's on their plate," said Philip Lieberman, president and CEO of Lieberman Software, in an interview. "This is an issue involving lack of adoption of technology, but also a lack of awareness at a senior level as to how bad the problem has gotten."
Many IT departments also take shortcuts when it comes to handling hardware and software that ships with well-known, default passwords. "Let's say you buy 20 switches from Hewlett-Packard, these switches come with a default account and password, and IT might install all of them and leave them with the factory defaults," he said. "Or say you buy Cisco switches and change their password, but you change all the switches to have the same password. So when someone leaves the company, or a device ends up on eBay, someone has the password to every switch. Or if a hacker breaks into one machine, figures out the password by cracking one hash, they get the password to all of the machines."
A related challenge is that administrator-level passwords may be changed infrequently, if at all. For example, 48% of survey respondents reported that privileged account passwords at their business had remained unchanged for at least 90 days. As a result, former employees may still know the passwords to key systems.
Might a failure to change passwords put a business in violation of various regulations, such as Sarbanes-Oxley, or the Payment Card Industry Data Security Standard? In general, regulations leave password policy specifics up to the business. That said, many auditors will advocate meeting regulatory requirements via an IT governance framework, such as COBIT (for control objectives for information and related technology), which recommends a number of password-related security measures, including changing initial passwords immediately upon first access.
"Some organizations take the auditor's report seriously," said Lieberman. "Others play shadow puppets and say we've done the best we can do. Others view it simply as a cost, and say, we'll take the risk."