Educause Security Discussion mailing list archives
Re: "Sharing" Passwords
From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Wed, 25 Nov 2009 00:26:51 -0700
Dean,

Sharing passwords is a really bad idea for a number of reasons, the most important of which being that if a security violation occurs, you have no way of tracing it back to a given user account, i.e. there is no granularity. In addition, if you share a single password among many users, then security practices would have you change that password every time one of those users no longer needs access.

Beyond the technical drivers is probably the most important reason not to do so: it leaves the organization defenseless against charges that it either is not serious about security or is not cognizant of critical security standards. So, it leaves the organization both technically and legally/politically exposed, and with little recourse if anything goes wrong.

Actually, managing large numbers of accounts is not as difficult as it once was, given that you can rely on systems to force users to manage their own log-ins, i.e. change their passwords per policy (once a month, once a quarter) and have whatever level of strong password the organization requires. What the above leaves you with, however, is the need to manage accounts that are inactive or should be made inactive because the user is no longer a trusted user, has no need for access, etc. This last issue will likely be your most time-consuming and demanding task and will need to be integrated with other organizational systems to ensure that IT is notified once a user should no longer have access to the system, i.e. a student, professor, administrator, etc. leaves the university. My guess is that there are already notification processes and procedures in place, so it may not be such a big deal.

On a final note, a shared password policy will just about guarantee that the organization will flunk almost any security audit of the IT systems - I know of no auditor who would be willing to pass a system secured with shared credentials.
With regards to having passwords shared across databases, there are many single-sign-on methods available to allow administrators to manage access to one or more resources and even domains from a common user security system. My guess is that such systems are already in place, so you should be able to leverage them. As always, you will need to analyze your user base and determine which user/groups will need access to which resources. Without such an analysis, you may not have a basis for your security policies and yet another weakness likely reported by an auditor.

Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McMinn, Dean
Sent: Tuesday, November 24, 2009 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "Sharing" Passwords

We have a major initiative here to go through and change ALL passwords for system and "service" accounts. Now (and maybe I'm being a bit too anal about this) but, between BANNER and ORACLE accounts, this accounts for about 80 accounts PER DATABASE... so a couple of thoughts come to mind that I would like to get some input on.

1. What are thoughts/practices on having all service accounts within a database having the same password (example: saturn, faismgr, baninst1, fimsmgr, etc)?

2. What are thoughts/practices on having the password "shared" across databases (ex: saturn has the same password across all banner instances)?

Obviously, I want to do things as securely as possible, but don't want to manage 400+ passwords if I don't have to.

Thanks,

Dean McMinn
Eastern Washington University
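The two concerns raised in this thread, that a credential shared across service accounts or database instances destroys per-account traceability and that the whole set must be rotated whenever any one holder of it leaves, can be made concrete with a small blast-radius audit. The following Python script is an added example written for this archive page; it is not code from either poster or from Banner/Oracle. It assumes a constructed inventory of service accounts keyed by an audit-only HMAC fingerprint of each password (so no password is stored), and the account and instance names are illustrative only:

```python
"""Blast-radius audit for shared service-account credentials (added example).

Constructed inventory: each entry is (account, database, credential_fingerprint).
The fingerprint is an HMAC of the password under an audit-only key, so the
inventory never holds passwords; equal fingerprints mean equal passwords.
"""
import hashlib
import hmac
from collections import defaultdict

# Assumption: a per-audit secret that is discarded once the review is finished.
AUDIT_KEY = b"hypothetical-audit-key"


def fingerprint(password: str) -> str:
    """Keyed digest so credentials can be compared without storing them."""
    return hmac.new(AUDIT_KEY, password.encode(), hashlib.sha256).hexdigest()[:16]


# Constructed sample: Banner-style service accounts across three instances.
# Account names mirror the thread; instance names and passwords are invented.
INVENTORY = [
    ("saturn",   "BANPROD", fingerprint("Shared-2009")),
    ("saturn",   "BANTEST", fingerprint("Shared-2009")),
    ("saturn",   "BANDEV",  fingerprint("Shared-2009")),
    ("faismgr",  "BANPROD", fingerprint("Shared-2009")),
    ("baninst1", "BANPROD", fingerprint("Unique-b1!")),
    ("fimsmgr",  "BANPROD", fingerprint("Unique-fm!")),
    ("fimsmgr",  "BANTEST", fingerprint("Unique-fm!")),
]


def shared_credentials(inventory):
    """Group (account, database) logins by credential; keep only reused ones.

    Every login in a group is indistinguishable in audit logs from the others
    that share its password, which is the traceability loss Ozzie describes.
    """
    groups = defaultdict(list)
    for account, db, fp in inventory:
        groups[fp].append((account, db))
    return {fp: pairs for fp, pairs in groups.items() if len(pairs) > 1}


def rotation_set(inventory, account, db):
    """Logins that must be rotated when one credential is treated as exposed,
    e.g. because a person who knew it leaves: everything sharing its fingerprint."""
    target = {fp for a, d, fp in inventory if a == account and d == db}
    return sorted((a, d) for a, d, fp in inventory if fp in target)


def blast_radius_report(inventory):
    """One finding line per reused credential, in the form an auditor asks for."""
    lines = []
    for fp, pairs in shared_credentials(inventory).items():
        accounts = sorted({a for a, _ in pairs})
        dbs = sorted({d for _, d in pairs})
        lines.append(
            f"credential {fp}: {len(pairs)} logins, "
            f"accounts={accounts}, databases={dbs}"
        )
    return lines


if __name__ == "__main__":
    for line in blast_radius_report(INVENTORY):
        print(line)
    print("rotate on faismgr departure:", rotation_set(INVENTORY, "faismgr", "BANPROD"))
```

Run against the sample, the report shows that the single "Shared-2009" credential covers four logins across three instances, so a departure of anyone who knew the faismgr password forces a rotation of saturn on every instance as well; baninst1, with its own password, rotates alone. The same grouping logic works on a real inventory exported from a password vault, provided the fingerprints are computed with the same key.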