Super user passwords leave hacker vulnerability wide open


Survey uncovers that approximately half of all enterprises have more administrative passwords than individual ones, and 42% of these super passwords are never changed.

That’s among the worrying findings of a survey by information security software firm Cyber-Ark, which develops digital vaults for sensitive information. Its 2006 ‘Privileged Password Survey’ of non-personal passwords on virtually every device and application – root on a Unix server, Administrator on Windows, Cisco Enable and so on – shows that these are far more common than previously thought and widely unprotected.

Cyber-Ark’s study finds that fully half of the IT professionals surveyed are concerned about audits, and that six out of 10 admit their organisations have been hacked.

The obvious question: why are privileged passwords so rarely updated? Because most companies still change key passwords manually and, as one IT executive, reportedly from a Fortune 500-size company, says: “Manually changing thousands of passwords across hundreds of databases is simply impractical.”

Yet, as Adam Bosnian, vice president at Cyber-Ark, points out: “Simply put, these super-user passwords are the keys to your kingdom, and yet they are often left unguarded. Often organisations believe that because they have a small number of IT administrators, they can’t have many privileged passwords. But the truth is [they] come pre-loaded onto virtually every piece of hardware and software and are extremely common.”

In detail, respondents report that 99% of individual passwords are updated throughout their companies, yet the figures for privileged passwords that are never changed are: 13% of router passwords; 21% of local workstation passwords; 13% of server passwords; and 42% of software passwords.