When I worked in a large Operations team, we had various passwords for some systems that we stored in a password vault. This was on a network share that only the administrators had access to read. We used this for keeping a number of passwords for various services and systems that required sysadmins to access.
However, we tried not to use shared accounts whenever possible. We wanted to ensure an audit trail, for both compliance and understanding of what happened in our environments. All sysadmins had two accounts, which allowed them to access most services. We only had a user/password stored for certain systems that needed some sort of separate account, and we did change those passwords regularly.
Our customers didn’t always do this. In fact, I regularly found different groups using a single account, always logged in, for which everyone knew the user name and credentials. They never seemed to consider this a problem, despite regular security warnings from administrators.
I was reminded of this story about a water treatment facility in Florida that was hacked. They had a shared account, used by many people, the same password for everyone, and a lack of a firewall. An intruder caused a release of chemicals, but no one was injured.
Firewalls prevent a lot of issues, if they are configured to limit access. In addition, ensuring that each user has different passwords is important. This allows you to turn off access for certain people, which includes former employees. That’s basic security, and I’m surprised how often people forget about this, often because they worry about some system breaking.
The tools we have to enforce stronger security have improved over the years, but we need to take advantage of them, and we need to ensure that good, if not best, security practices are followed. It’s easy to become lax over time, but remember that there are lots of threats out there, from hackers to malware, to former employees.
Far too many people are attacked, more than are in the news, so don’t get complacent. We are all at risk.