It's certainly no secret to security professionals that passwords have their weaknesses: They're often forgotten, lost, and can be easily hacked with tools readily downloadable from the Internet. Consider the incident at Lincoln National Corp., where the financial services firm notified state authorities of a vulnerability uncovered within its portfolio management system: Users were sharing passwords and thereby jeopardizing the personal information of about 1.2 million customers.
Shared passwords violated security policy
The shared password troubles came to Lincoln National's attention when one of its broker-dealer subsidiaries, Lincoln Financial Securities Corp. (LFS), was notified by the Financial Industry Regulatory Authority (FINRA) that an unidentified source had sent the agency a username and password that made it possible to access the portfolio management system. That system is used by both LFS and another subsidiary, Lincoln Financial Advisors Corp. (LFA), to analyze customer accounts, and contains customer personally identifiable information such as names, Social Security numbers and account numbers.
Fortunately, in a letter to the New Hampshire state attorney general's office, Lincoln National said it found no evidence that customer information had been stolen or abused. However, the investigation did find that password and username credentials had been shared -- in violation of company policy -- by a number of LFS and LFA employees and affiliate companies. The investigation revealed that some of the shared passwords dated back to 2002.
In the heat of the workday, it's understandable why employees would want to share passwords. It makes it easy, convenient and quick for workers to see customer files when they need to make decisions -- without going through all of the red tape to get a legitimate account. But it obviously can't be tolerated by enterprises. Once a password is shared, it loses its value as a security control, and becomes much more difficult to hold users accountable for their actions: Anyone with the username and password can snoop, destroy and steal data.
Controlling user access
"It's terrible to see shared passwords being used for any application of significance, but especially worrisome to see it happened at a financial services firm, and for so long," said Scott Crawford, managing research director at Boulder, Colo.-based research firm Enterprise Management Associates Inc. Beyond financial systems, shared passwords are also especially troubling for other critical systems such as IT management tools and administrative consoles, added Crawford.
Enterprises don't need look far to find ways to stop password sharing, said Shawn Moyer, principal security consultant on the penetration testing team at Kansas City, Mo.-based FishNet Security Inc.. Central authentication systems widely used today, such as Active Directory, LDAP (Lightweight Directory Access Protocol) and RADIUS (Remote Authentication Dial In User Service), have the ability to ban multiple logons from the same credential, Moyer said. "It's relatively straightforward to enable this. Any enterprise that hasn't gone through the trouble of enabling this sort of functionality is simply not bothering to identify cases where multiple logins are in use, and electing to lumber on in ignorance rather than face the problem," Moyer said.
It's also good practice to monitor systems for username and password anomalies, using common security monitoring systems, Moyer added. "Most of the typical log and security event management systems should be able to detect, alert and even better, prevent, the presence of multiple login events from disparate workstations, based on any number of criteria like IP address, system name and others," he said.
Safely sharing passwords
There are times when it's necessary to share username and password credentials, such as for administrative access to management and security consoles, explained Crawford.
"Those are the types of accounts that are legitimately shared. However, there are ways to manage fine-grained access for privileged accounts," said Crawford. But that granular control over shared access requires the use of privileged account management tools designed specifically for managing shared-account passwords, such as those made by BeyondTrust Software Inc., Cyber-Ark Software Ltd. and Lieberman Software Corp., which enable organizations to safely share and monitor the use of privileged passwords.
"Ultimately, common sense system administration and good user and access management practices are the real fix for these types of challenges," Moyer said.
About the author
George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota.