Cyber-Ark Software, an information security software company that develops and markets digital vaults for securing and managing highly-sensitive information within and across global enterprise networks, announced the surprising results of its 2006 Privileged Password Survey.
Privileged passwords are the non-personal passwords that exist in virtually every device or software application in an enterprise, such as root on a UNIX server, Administrator on a Windows workstation, and Cisco Enable on a Cisco device.
A surprising set of statistics
Completed by more than 140 IT professionals, the 2006 Privileged Password Survey reveals that privileged passwords are far more common in enterprises than previously thought: approximately one-half of all enterprises contain more privileged passwords than individual ones.
Second, although these privileged passwords provide “super-user” system access, the survey exposes that up to 42% are never updated, a frightening prospect in today’s environment of increased audits and hacker attacks. In fact, half of the IT professionals surveyed reveal that they’re concerned about audits, and 6 out of 10 state that their organization has been hacked.
Often, the reason privileged passwords are rarely updated is a simple one: many enterprises still manually change these key passwords and as one IT Executive from a Fortune 500-sized company states: “manually changing thousands of passwords across hundreds of databases is simply impractical.”
Approximately half of all enterprises have more privileged passwords than personal ones
According to the 2006 Enterprise Privileged Password Survey, the typical enterprise contains:
- More than 500 employees, and each employee has an Administrator account associated with their workstation (72%)
- More than 500 servers with privileged password accounts (44%)
- More than 100 routers with privileged password accounts (41%)
- More than 100 software applications (71%), most of which connect with other applications (92%)
Privileged passwords are more powerful but less likely to be changed
Although privileged passwords provide “super-user” access to a target system, the survey shows they are far less likely to be updated. Respondents report that 99% of individual passwords are updated, however for privileged passwords:
13% of ROUTER privileged passwords are never changed
21% of LOCAL WORKSTATION privileged passwords are never changed
13% of SERVER privileged passwords are never changed
42%of SOFTWARE passwords are never changed
In many cases, these passwords are never changed because organizations still manually update them, a time-consuming process. As an IT Executive at one Fortune 500-sized company explained: “Virtually every server, router, and application in our enterprise has a number of Privileged Accounts. Of course, we have to regularly change the Privileged User Passwords for these powerful systems, however, manually changing thousands of passwords across hundreds of databases is simply impractical.”
The survey not only revealed that privileged passwords are rarely changed, it also supports that this is a dangerous practice in today’s environment of hacker attacks and increased audit pressure. For example, in survey results:
6 out of 10 enterprises report being hacked
9 out of 10 enterprises state they’re annually audited for IT practices
Half of all IT professionals are often or always concerned about passing audits