Computer Security Tips: Don’t Share Passwords with Co-Workers

I had to laugh at the SANS security tip of the day, “Don’t share your password - even with an assistant or close coworker”. It brought back some interesting memories.

For about 17 years I have provided onsite technical support for financial companies, healthcare facilities, government offices, law enforcement, and technology companies.

Many times we would be involved with system upgrades, software upgrades or troubleshooting and needed access to a computer whose user was not present.

Countless times over the years, helpful co-workers, seeing that I was stuck at a login prompt, approached and offered me the missing user’s password. No questions asked about who I was or what I was doing.

Just, “Oh, Fred is out today, he keeps his password taped to the bottom of his chair next to the gum”. Or, “Joan keeps her passwords in a notebook in her top right drawer, next to the payroll data, I’ll get the key”. (Names changed to protect the innocent.)

Okay, those were hypothetical examples, but the funniest I can remember that actually happened was in an Engineering department of a large manufacturing company. The user was out on vacation, but that didn’t stop the helpful co-workers. “Oh he uses this name and then just adds random numbers at the end”, said the engineer that sat in the same office.

“No”, another engineer said as he was walking by, “he does use that name, but he uses an incremental number afterwards, starting at one and incrementing it each time he has to change his password. He is at 10 now”.

“No, I think he is at 8 now”, another engineer said as he walked into the office. “No, that was a few months ago”, the second engineer said. “Just ask Mark, he would know…” So another engineer comes in and says, “Thirteen, he was definitely at thirteen.”

It seemed like everyone in the area knew something about the missing user’s password. I was also amazed at how well sound seemed to travel in this department, as there were now four engineers standing in the little office.

I asked the user about this the next day when he was back from vacation. “Oh, I let everyone use my computer.” I had a replacement hard drive for the machine and asked if he had any data on the drive he needed saved. “Oh, goodness yes, I have a lot of CAD drawings I saved locally, important e-mails and also personal files on there…”

Most corporate security policies and regulations nowadays require you to keep your password confidential. But many users don’t. In the SANS tip of the day, a disgruntled worker who knew the password of another user deleted data from the PC before she quit.

I have also heard of cases where people walked away from PCs while they were logged in and another user came along and used the computer to access restricted information.

What can be done to avoid these kinds of issues? Verify the identity of support personnel before giving them your password. Do not share your password with co-workers, and do not place your password in obvious places, like a sticky note on your monitor or under your keyboard. Also, lock your workstation before you walk away from it, even if you think you will only be gone for a short while.

On most Windows systems you can lock the system by pressing the Windows key and the “L” key at the same time. This brings up a login box but keeps your programs running in the background. If this does not work on your system, log out of any confidential systems or sign off the system completely, following whichever procedure your company’s security policy recommends.

Security Tips for Large Corporate Businesses

Security issues on large networks are different from those on small office or home office networks. The main reason is size.

The majority of hackers are looking for targets of opportunity. This is one area where large and small organizations face similar risk: a small company with a misconfigured web server is just as enticing to opportunistic hackers as a large one.

Where large organizations are at greater risk is from targeted hackers. These hackers are determined to penetrate a particular company for reasons including corporate espionage, intellectual property theft, or sabotage. A company with thousands of servers offers a huge attack surface, and large organizations are also more susceptible to social engineering attacks.

Some of the areas of attack are:

Social Engineering

Problem: Employees of large corporations often have LinkedIn pages and other social network profiles; these offer a treasure trove of information for social engineering attacks.

Solution: It would be wise for executives to limit the amount of information that they give away on their profile pages.

Developmental Servers

Problem: Large corporations use development servers to try out new software packages and programs. These servers often hold Domain Admin credentials, even though they are not secured as well as production servers.

Solution: Use different admin passwords on these less secure development systems.

Security Updates

Problem: Automated security update systems don’t always update every server, even though the security system log may say the updates were sent.

Solution: Once a server is set as a production server, in many companies admins rarely go back and check individual servers to make sure they are really being updated, nor do they have time to do so. Policy must put in place some form of verification check on each server, independent of what the update system reports.
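As an added example of the verification check described above (not from the original post), the following PowerShell script asks each Windows server itself which updates are actually installed and flags any whose newest patch is older than a threshold, rather than trusting the update system’s “sent” log. The server names, the 45-day threshold and the sample dates are constructed placeholders; the live query assumes remote management access to the servers.

```powershell
# Verification check: compare each server's newest installed hotfix date
# against a cutoff. Servers with no verifiable patch date are flagged too.
function Get-StaleServers {
    param(
        [Parameter(Mandatory)] [hashtable]$LastPatchByServer,  # server -> [datetime] or $null
        [int]$MaxDays = 45,
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$MaxDays)
    foreach ($server in $LastPatchByServer.Keys) {
        $last = $LastPatchByServer[$server]
        # $null means we could not verify at all: treat as stale, not as fine
        if ($null -eq $last -or $last -lt $cutoff) {
            [pscustomobject]@{ Server = $server; LastPatch = $last; Stale = $true }
        }
    }
}

# Live collection: Get-HotFix reads the installed-update list from the
# server itself, so it reflects what really landed, not what was pushed.
function Get-LastPatchDates {
    param([string[]]$ComputerName)
    $result = @{}
    foreach ($c in $ComputerName) {
        try {
            $newest = Get-HotFix -ComputerName $c -ErrorAction Stop |
                Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending |
                Select-Object -First 1
            $result[$c] = if ($newest) { $newest.InstalledOn } else { $null }
        } catch {
            $result[$c] = $null   # unreachable or access denied: unverified
        }
    }
    return $result
}

# Constructed sample data so the check runs offline (placeholder server names).
# Replace with: $sample = Get-LastPatchDates -ComputerName 'srv-app01','srv-db01'
$sample = @{
    'srv-app01' = (Get-Date).AddDays(-10)   # patched recently: not reported
    'srv-db01'  = (Get-Date).AddDays(-90)   # update "sent" but never applied
    'srv-dev07' = $null                     # could not be queried at all
}
Get-StaleServers -LastPatchByServer $sample -MaxDays 45 | Format-Table -AutoSize
```

With the sample data, srv-db01 and srv-dev07 are listed as stale while srv-app01 is not; in production, schedule the live version and review the list rather than the update console.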

Secure Accounts

Problem: Unbelievably, admins are still using simple passwords for administrator accounts on new systems that they are building.

Solution: Preach and enforce strong passwords for privileged accounts, and make it policy to change the domain admin password on a regular schedule.

This is by no means a complete list, but it does cover some of the more common security mistakes made in large corporations. If server team managers enforce stricter security policy on employees deploying new systems, the company will be much better protected against penetration attempts.