Educause Security Discussion mailing list archives

Re: "Sharing" Passwords

From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Wed, 25 Nov 2009 00:26:51 -0700

Dean,

Sharing passwords is a really bad idea for a number of reasons, the most
important of which being that if a security violation occurs, you have no
way of tracing it back to a given user account, i.e. there is no
granularity.  In addition, if you share a single password among many users,
then security practices would have you change that password every time one
of those users no longer needs access.  Beyond the technical drivers is
probably the most important reason not to do so:  It leaves the organization
defenseless against charges that it either is not serious about security or
is not cognizant of critical security standards.  So, it leaves the
organization both technically and legally/politically exposed, and with
little recourse if anything goes wrong.  Actually, managing large numbers of
accounts is not as difficult as it once was, given that you can rely on
systems to force users to manage their own log-ins, i.e. change their
passwords per policy (once a month, once a quarter) and have whatever level
of strong password the organization requires.

What the above leaves you with, however, is the need to manage accounts that
are inactive or should be made inactive because the user is no longer a
trusted user, has no need for access, etc.  This last issue will likely be
your most time-consuming and demanding task and will need to be integrated
with other organizational systems to ensure that IT is notified once a user
should no longer have access to the system, i.e. a student, professor,
administrator, etc. leaves the university.  My guess is that there are
already notification processes and procedures in place, so it may not be
such a big deal.

On a final note, a shared password policy will just about guarantee that the
organization will flunk almost any security audit of the IT systems - I know
of no auditor who would be willing to pass a system secured with shared
credentials.

With regards to having passwords shared across databases, there are many
single-sign-on methods available to allow administrators to manage access to
one or more resources and even domains from a common user security system.
My guess is that such systems are already in place, so you should be able to
leverage them.  As always, you will need to analyze your user base and
determine which user/groups will need access to which resources.  Without
such an analysis, you may not have a basis for your security policies and
yet another weakness likely reported by an auditor.

Hope it helps,

Ozzie Paez

SSE/SAIC

303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McMinn, Dean
Sent: Tuesday, November 24, 2009 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "Sharing" Passwords

We have a major initiative here to go through and change ALL passwords for
system and "service" accounts.

Now (and maybe I'm being a bit too anal about this) but, between BANNER and
ORACLE accounts, this accounts for about 80 accounts PER DATABASE...so a
couple thoughts come to mind that I would like to get some input on.

1.  What are thoughts/practices on having all service accounts within a
database having the same password (example: saturn, faismgr, baninst1,
fimsmgr, etc)?

2. What are thoughts/practices on having the password "shared" across
databases (ex: saturn has the same password across all banner instances)?

Obviously, I want to do things as securely as possible, but don't want to
manage 400+ passwords if I don't have to.

Thanks,

Dean McMinn

Eastern Washington University
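A worked illustration of the two points raised in this exchange, the lack of granularity of a shared service-account password and the rotation burden it creates when one person who knew it leaves: given an inventory of Banner instances and service accounts, it finds every credential used by more than one account and computes the full scope that a single exposure forces you to rotate. This is added example code, not part of either message; the inventory is constructed, and the credential ids stand in for references from a hypothetical password vault, not for the passwords themselves.

```python
"""Report credential reuse across Oracle/Banner service accounts and the
rotation scope (blast radius) if any one credential must be changed,
e.g. because an administrator who knew it leaves."""
from collections import defaultdict

# Constructed inventory: (database instance, service account, credential id).
# Equal credential ids mean the same password is in use. The ids are opaque
# labels from a hypothetical vault export, not the passwords themselves.
INVENTORY = [
    ("BANPROD", "saturn",   "cred-0001"),
    ("BANPROD", "faismgr",  "cred-0001"),
    ("BANPROD", "baninst1", "cred-0001"),
    ("BANPROD", "fimsmgr",  "cred-0002"),
    ("BANTEST", "saturn",   "cred-0001"),  # same password as BANPROD saturn
    ("BANTEST", "faismgr",  "cred-0003"),
    ("BANTEST", "baninst1", "cred-0004"),
    ("BANTEST", "fimsmgr",  "cred-0002"),
]

def reuse_groups(inventory):
    """Map each credential id to the (instance, account) pairs using it,
    keeping only credentials shared by more than one pair."""
    groups = defaultdict(list)
    for instance, account, cred in inventory:
        groups[cred].append((instance, account))
    return {c: sorted(p) for c, p in groups.items() if len(p) > 1}

def rotation_scope(inventory, instance, account):
    """Everything to rotate if the password of one account on one instance
    is exposed: every account, on any instance, sharing its credential id.
    A unique password gives a scope of exactly one entry."""
    creds = {c for i, a, c in inventory if (i, a) == (instance, account)}
    return sorted((i, a) for i, a, c in inventory if c in creds)

def report(inventory):
    """Per shared credential: how many accounts and how many instances a
    single exposure or staff departure would force you to rotate."""
    return {cred: {"accounts": len(pairs),
                   "instances": len({i for i, _ in pairs})}
            for cred, pairs in reuse_groups(inventory).items()}

if __name__ == "__main__":
    for cred, pairs in reuse_groups(INVENTORY).items():
        print(f"{cred} is shared by {len(pairs)} accounts: {pairs}")
    print("rotation scope for BANPROD/saturn:",
          rotation_scope(INVENTORY, "BANPROD", "saturn"))
```

With per-account, per-instance passwords every rotation scope collapses to a single entry, which is the property an auditor will look for.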