Hot Topics

September 21, 2017, by Bill Mann, Chief Product Officer, Centrify

A Lesson in Secure Password Management from the Equifax Data Breach

Last week, Krebs on Security published an article “Ayuda! (Help!) Equifax Has My Data!” which reported “that an online portal designed to let Equifax employees in Argentina manage credit report disputes from consumers in that country was wide open, protected by perhaps the most easy-to-guess password combination ever: ‘admin/admin.’”

Yes, you read that correctly. This is equivalent to making the password to your bank account “password.”

However, that is not all. According to the article, once the researchers were inside the portal, they could view the names of more than 100 Argentinian Equifax employees, their employee ID and email address. And, in order to view an employee’s password, all someone had to do was “right-click on the employee’s profile page and select ‘view source,’ a function that displays the raw HTML code which makes up the website. Buried in that HTML code was the employee’s password in plain text.”

I wish at this moment I could say “No, you read that wrong,” but unfortunately, you read that correctly. All hackers would have to do is guess “admin” for the admin account’s password and they would have the “keys to the kingdom”—the credentials of all employees located in Equifax’s Argentinian office.
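To make the failure mode concrete, here is an added example (not Equifax's code; the employee record and the password are constructed sample data) that renders a profile page the way the article describes, with the credential embedded in the HTML, beside a hardened version that stores only a salted scrypt hash and never hands the credential to the view at all:

```python
"""Plaintext password in page source, beside a hardened credential store.

Added example, not Equifax's or Centrify's code. EMPLOYEE and the password
used with it are constructed sample data, not real records.
"""
import hashlib
import hmac
import html
import secrets

# Constructed sample employee record (hypothetical).
EMPLOYEE = {"id": "E1042", "name": "J. Perez", "email": "jperez@example.invalid"}

# scrypt parameters: N=2^14, r=8 needs about 16 MiB, within hashlib's default limit.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def render_profile_vulnerable(employee: dict, password: str) -> str:
    """The anti-pattern from the article: the server-side template receives the
    password and writes it into the page (here as a hidden input), so anyone who
    picks 'view source' reads it in plain text."""
    return (
        "<div class='profile'>"
        f"<span>{html.escape(employee['name'])}</span>"
        f"<span>{html.escape(employee['id'])}</span>"
        f"<input type='hidden' name='password' value='{html.escape(password)}'>"
        "</div>"
    )


def hash_password(password: str) -> str:
    """Salted scrypt hash, encoded as 'salthex$digesthex'. This string is the only
    thing the employee store keeps; the plaintext is never persisted."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), digest_hex)


def render_profile_hardened(employee: dict) -> str:
    """Hardened version: the view only ever sees non-secret attributes. There is
    no password argument, so there is nothing to leak into the HTML."""
    return (
        "<div class='profile'>"
        f"<span>{html.escape(employee['name'])}</span>"
        f"<span>{html.escape(employee['id'])}</span>"
        f"<span>{html.escape(employee['email'])}</span>"
        "</div>"
    )


def page_leaks_secret(page: str, secret: str) -> bool:
    """What the researchers effectively did: search the raw HTML for the credential."""
    return secret in page
```

The hardened path is not only "hash the password": the profile template no longer takes a password parameter at all, so a future template change cannot reintroduce the leak.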

Passwords are the keys to the kingdom, and cyber criminals know it and exploit it. In fact, according to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related breaches involved stolen or weak passwords. Identity IS the top attack vector.

So, what can companies, like Equifax, implement in terms of password management to protect against compromised credentials for IT users?

Change Their Operating Model

IT users should log in as themselves with role-based privileges and minimize the use of shared accounts (in other words, don't treat every task as an emergency that requires the shared admin account). Getting IT users to log in as themselves has many advantages: activity is attributed to the individual, so there is no more “I did not do this,” and each user is allowed to run only the commands assigned to their role. Most organizations don't do this; instead they use shared accounts with a shared password like “admin”!

Implement Shared Account Password Management for Emergency Situations

There are situations when getting users to log in as themselves is not practical and a shared account is necessary. The best way to control this scenario is, wait for it, to not let anyone know the password in the first place. Every time the account is used, the password is rotated, so even if someone had it, they don't really have it, because it has already changed. That is what shared account password management (SAPM) does. Each time an authorized internal user, outsourced IT staffer or third-party vendor needs access, they go through an approval process. Once approved, a password is auto-generated for that specific session. For even better security, they never learn the password at all: they are logged into the system automatically so they can perform their admin tasks, and once they are done the password is reset again.

MFA Everywhere: Reinforce the Above with MFA

When users log in as themselves, they should always use MFA. That way, if their password is compromised, a second factor (e.g., a mobile phone) is still required and the attacker is denied access. Additionally, when users who are logged in as themselves need to run a privileged command, enterprises should enforce re-authentication with MFA at that point, so another MFA check is performed before the command is executed.

For shared accounts (as above), do the same. When users request access to a shared account, they are authenticated using MFA as part of the approval process, which again ensures that a compromised password alone will not get an attacker into the shared account.
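The shared-account workflow described in the two sections above (approval gated by role and MFA, a fresh password minted per session, credential injection so the user never sees it, and rotation on check-in), as an added example. This is not Centrify Privilege Service code: the vault, the target system, the user/role table and the TOTP seeds are constructed stand-ins, and the second factor is an RFC 6238 TOTP implemented from the standard library.

```python
"""Shared-account password management (SAPM) check-out with MFA and rotation.

Added example, not Centrify Privilege Service code. TargetSystem, the
role table, and the TOTP seeds are constructed stand-ins for a managed
server, an approval policy, and users' enrolled authenticators.
"""
import base64
import hashlib
import hmac
import secrets
import string
import struct
import time
from typing import Optional

PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#%+,-./:=?@_"


class TargetSystem:
    """Stand-in for a server with a shared local 'admin' account."""

    def __init__(self) -> None:
        self.password = "admin"  # the starting state described in the article
        self.logins = []         # (account, success) as the host itself would log it

    def set_password(self, new_password: str) -> None:
        self.password = new_password

    def login(self, password: str) -> bool:
        ok = hmac.compare_digest(password, self.password)
        self.logins.append(("admin", ok))  # the host only ever sees 'admin'
        return ok


def totp(secret_b32: str, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 over the time step) on a base32 seed."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class Session:
    """Handle returned to the user. It deliberately has no password attribute."""

    def __init__(self, vault: "PasswordVault", user: str) -> None:
        self._vault, self.user, self.open = vault, user, True

    def close(self) -> None:
        self.open = False
        self._vault.rotate(f"checkin:{self.user}")  # reset once the work is done


class PasswordVault:
    def __init__(self, target: TargetSystem, role_of: dict, mfa_seed_of: dict) -> None:
        self.target = target
        self.role_of = role_of          # individual user -> role
        self.mfa_seed_of = mfa_seed_of  # individual user -> enrolled TOTP seed
        self.audit = []                 # attributed to individuals, not to 'admin'
        self._current = ""
        self.rotate("onboard")          # 'admin/admin' is replaced immediately

    def rotate(self, reason: str) -> None:
        new_password = "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(24))
        self.target.set_password(new_password)
        self._current = new_password
        self.audit.append(("rotate", reason))

    def checkout(self, user: str, mfa_code: str, now: Optional[float] = None) -> Session:
        """Approval step: role check, then MFA. Only then is a fresh password
        minted and injected into the login on the user's behalf."""
        if self.role_of.get(user) != "server-admin":
            self.audit.append(("deny", user, "not authorized for shared account"))
            raise PermissionError(f"{user} may not check out the shared admin account")
        seed = self.mfa_seed_of.get(user)
        if seed is None or not hmac.compare_digest(mfa_code, totp(seed, now)):
            self.audit.append(("deny", user, "MFA failed"))
            raise PermissionError(f"MFA failed for {user}")
        self.rotate(f"checkout:{user}")            # per-session password
        if not self.target.login(self._current):   # vault injects it, user never sees it
            raise RuntimeError("injected login failed")
        self.audit.append(("session-open", user))
        return Session(self, user)
```

Note where the attribution lives: the target host's own log only ever records the shared account name, so the vault's audit trail, keyed by the individual who passed the role and MFA checks, is what answers "who used admin at 14:02?".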

Yes, “admin” as the password for your admin account opens the door to hackers, but the solution is not simply to replace it with a more difficult-to-guess password. Companies need to rethink security and move away from a password-only approach to one that implements MFA across the enterprise and enforces privileged access policies; if they do not, they risk becoming the next breach headline.

Learn how to rethink your security without relying on passwords with our e-book, “Rethink Security: A Massive Paradigm Shift in the Age of Access.”
