When considering password security and password policy, many organizations look only at Active Directory policy and ignore the local administrator, device and root passwords on infrastructure systems.
System and Device Passwords:
- All Windows systems have a local Administrator account and password
- Most Linux systems have (and require) a root account and password
- Storage devices, SANs, and NAS all have an administrator/manager account and password
- Network switches all have an administrator/manager account and password
- Firewalls all have an administrator/manager account and password
- VMware vSphere systems such as vCenter and ESXi have a root account and password
It should go without saying that system and device passwords should be at least as strong as the Active Directory domain requirement, and probably MUCH stronger. Why stronger? Because within Active Directory we can layer on additional security such as MFA, while device passwords must stand on their own against threat actors.
Current recommendations indicate that system and device passwords should be at least 16 characters long and contain a mix of uppercase and lowercase letters, numbers and symbols.
EXAMPLE:
Acme Coyote and Safe Inc. has a strong AD password policy and requires MFA to log in to AD. Auditors have praised their compliance with password policy.
Unfortunately, they have a firewall with the user ‘admin’ and the password ‘C0y0t3’. Worse yet, Acme Coyote and Safe Inc. admins have used the same password ‘C0y0t3’ for every other device, local admin and root account.
Based on current estimates, it would take a threat actor between 5 sec. and 6 min to brute-force the firewall and gain pervasive access to almost every system!
Managing Passwords
One effective way to implement strong, random passwords for systems and devices which are not (or should not be) part of Active Directory is to use an effective and secure network password manager.
When using a password manager, password length and complexity are no longer an issue, because users copy and paste passwords rather than memorizing and typing them. It therefore becomes possible to use very long and complex passwords securely, without typos or mistakes!
VMsources recommends Keepass. Keepass is both free and highly secure, often regarded as the best password manager available.
Keepass can be installed on a network drive and shared by multiple trusted users in an organization. It can generate random passwords (based on a user-defined policy) and store those passwords, along with other credentials, securely in an encrypted database.
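The policy above (16+ characters, all four character classes) and the "generate from a policy" behaviour that Keepass provides can both be expressed in a few lines. The following is an added example written for this page, not Keepass code and not from VMsources: it checks a password against that policy, estimates the search space it presents to a brute-force attacker, flags password reuse across an inventory, and generates a compliant password from the operating system's CSPRNG. The inventory entries and the 62-symbol class sizes are constructed for the example; the `C0y0t3` value comes from the Acme scenario above.

```python
import math
import secrets
import string

# Policy from the article: at least 16 characters, with uppercase, lowercase,
# digits and symbols all present. SYMBOLS can be narrowed if a device's
# management UI rejects particular characters.
MIN_LENGTH = 16
SYMBOLS = string.punctuation
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(SYMBOLS),
}
ALPHABET = "".join(sorted(set().union(*CLASSES.values())))

# Constructed inventory mirroring the Acme example: one password everywhere.
SAMPLE_INVENTORY = {
    "edge-firewall": "C0y0t3",
    "nas-01": "C0y0t3",
    "esxi-host-01 (root)": "C0y0t3",
    "win-fileserver (local Administrator)": "C0y0t3",
}


def policy_violations(password: str) -> list[str]:
    """Return the reasons a password fails the device-password policy.

    An empty list means the password is compliant.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"length {len(password)} < {MIN_LENGTH}")
    present = set(password)
    for name, members in CLASSES.items():
        if not present & members:
            problems.append(f"missing {name}")
    return problems


def keyspace_bits(password: str) -> float:
    """Bits of search space for a password drawn uniformly from the classes it uses.

    This is an upper bound on what a blind brute-force attacker faces; a
    dictionary word with digit substitutions such as 'C0y0t3' is in practice
    far weaker than this number suggests.
    """
    size = sum(len(m) for m in CLASSES.values() if set(password) & m)
    return len(password) * math.log2(size) if size else 0.0


def find_reuse(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one system to the systems sharing it."""
    by_password: dict[str, list[str]] = {}
    for system, password in inventory.items():
        by_password.setdefault(password, []).append(system)
    return {pw: systems for pw, systems in by_password.items() if len(systems) > 1}


def generate_device_password(length: int = 20) -> str:
    """Generate a policy-compliant random password using the OS CSPRNG.

    Candidates are drawn uniformly from ALPHABET and rejected until every
    class is present, so the result stays uniform over compliant strings.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate):
            return candidate


if __name__ == "__main__":
    weak = "C0y0t3"
    print(f"{weak!r}: {policy_violations(weak)}  (~{keyspace_bits(weak):.1f} bits)")
    for pw, systems in find_reuse(SAMPLE_INVENTORY).items():
        print(f"password reused on {len(systems)} systems: {systems}")
    strong = generate_device_password()
    print(f"generated: {strong}  (~{keyspace_bits(strong):.1f} bits)")
```

Run it as a script to see the Acme firewall password fail on length and the missing symbol class and to see the reuse across all four systems; the generated 20-character password, by contrast, is drawn from the full 94-character alphabet and passes every check. The `keyspace_bits` figure deliberately does not claim a cracking time: that depends on the attacker's hardware and on whether the device's login interface rate-limits attempts, neither of which the policy controls.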
When trusted users with access to the Keepass database need to use a strong password, Keepass can copy the password to the Windows clipboard (with an automatic time-out) and let the user paste it directly, without ever revealing it in plain text – this is great for support or training scenarios!
Please download our whitepaper on: Using Keepass