Skip to main content

Admin passwords are rarely changed, and that's an issue

Double standards, double standards everywhere.

Our IT bosses might force us to change our passwords every so often, but they rarely change their own credentials, even though theirs offer administrative privileges.

Those are the results of a new survey conducted by cyber security vendor Lieberman Software. The company had asked 200 IT professionals at RSA Conference 2016 about their password changing habits.

More than half (55 per cent) of IT pros force their users to change their passwords more often than they do, and 10 per cent of them never change their administrative credentials at all.

Seventy-four per cent change admin passwords on a monthly or less frequent basis.

“Administrative passwords are the most powerful credentials in an organisation – the keys to the IT kingdom,” said Philip Lieberman, President and CEO of Lieberman Software. “The fact that 10% of IT professionals admitted that they never change these credentials is astounding. It’s almost like an open invitation to hackers to come in and stay a while. In the meantime, the intruders are nosing their way around the network. They can anonymously help themselves to information and remain undetected until it’s too late.”

But that’s not all – in 36 per cent of cases, passwords are shared among the IT staff, and 15 per cent of IT pros said that if they are to leave their company now, they would still be able to remotely access it with the same credentials later on.

“Given that insider threats are one of the biggest concerns for CISOs, knowing that more than a third of IT professionals share privileged passwords is ludicrous,” Lieberman continued. “The same can be said about so many ex-employees who can still access administrative credentials. Automated privileged access management solutions can prevent these types of cyber threats related to unsecure credentials.”