I've taken on the task of improving security in my organization, and I've noticed that while they had separate admin accounts, there are still significant issues with password reuse. During a recent penetration test, we discovered that many admin users are using the same passwords for both their admin and non-admin accounts. I'm already working on getting separate accounts for on-premises and cloud access, but I also want to ensure that no one on our IT staff uses the same password across their three main accounts: their daily user account, their on-prem admin account, and their cloud admin account. The on-prem accounts aren't synced with the cloud, so I need a way to prevent password reuse across these different types of accounts. I'm considering passwordless authentication for the cloud accounts, but I'm not sure if we're ready for that shift yet.
5 Answers
I run a tool called Specops Password Auditor every few months. It helps me compare user account hashes to catch any overlaps in passwords. I've found more than one case of privilege escalation due to reused passwords this way.
Passwordless authentication could be the way to go. I know it may be a significant change for some of the less tech-savvy staff, but it's definitely a direction worth contemplating for enhancing security.
You might want to build a hash of regular user account passwords and ensure that the hashes for the admin accounts don’t match any of those. This way, if someone tries to set a password that's already in use, they’ll have to change it.
A great solution to consider is using a password manager. These tools can create strong, complex passwords and make it easy for users to manage them without needing to remember or manually type them in. This can greatly reduce the temptation to reuse passwords across different accounts.
SpecOps Password Auditor is fantastic because it quickly shows which accounts share passwords. In the past, I've found users with the same password for their regular and privileged accounts using it.
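As an added example of the hash-overlap check the answers describe (this is illustrative code, not the Specops tool's output or anything posted by the answerers), the script below takes a constructed CSV export of accounts with their password hashes and flags two conditions: a person whose daily, on-prem admin or cloud admin accounts share a hash, and any privileged account whose hash also appears on some other account. The column layout (person, account, account_type, hash), the account naming, and the hash values are all made up for the demonstration.

```python
"""
Flag password reuse across daily, on-prem admin and cloud admin accounts by
comparing password hashes. Added example for illustration; the export format,
person-to-account mapping and hash values below are constructed, not real data.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. In practice the hash column would come from an
# audit tool's export; these hash strings are placeholders, not real NT hashes.
SAMPLE_EXPORT = """person,account,account_type,hash
alice,alice,user,aaaa0001
alice,adm-alice,onprem_admin,aaaa0001
alice,cloud-alice,cloud_admin,aaaa0002
bob,bob,user,bbbb0001
bob,adm-bob,onprem_admin,bbbb0002
bob,cloud-bob,cloud_admin,bbbb0001
carol,carol,user,cccc0001
carol,adm-carol,onprem_admin,cccc0002
carol,cloud-carol,cloud_admin,cccc0003
dave,dave,user,aaaa0001
"""

# Account types treated as privileged (assumed naming for this example).
PRIVILEGED = {"onprem_admin", "cloud_admin"}


def parse_export(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_within_person(rows):
    """Return {person: [[accounts sharing one hash], ...]} for people who use
    the same password on more than one of their own accounts."""
    by_person_hash = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_person_hash[r["person"]][r["hash"]].append(r["account"])
    findings = {}
    for person, hashes in by_person_hash.items():
        for accounts in hashes.values():
            if len(accounts) > 1:
                findings.setdefault(person, []).append(sorted(accounts))
    return findings


def privileged_hash_shared_with_others(rows):
    """Return {privileged account: [other accounts with the same hash]} across
    the whole export, so an admin password reused by anyone is surfaced."""
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r["hash"]].append(r)
    findings = {}
    for group in by_hash.values():
        if len(group) < 2:
            continue
        for r in group:
            if r["account_type"] in PRIVILEGED:
                others = sorted(o["account"] for o in group if o["account"] != r["account"])
                findings[r["account"]] = others
    return findings


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    # Report account names only; never echo hash values into logs or tickets.
    for person, groups in reuse_within_person(rows).items():
        for accounts in groups:
            print(f"{person}: same password on {', '.join(accounts)}")
    for admin, others in privileged_hash_shared_with_others(rows).items():
        print(f"privileged account {admin} shares its password with {', '.join(others)}")
```

Two caveats apply. Direct hash comparison only works where equal passwords produce equal stored values, which is the case for unsalted NT hashes in on-prem AD; a cloud identity store with salted or non-exportable credentials cannot be compared this way, so the cross-directory case needs the approach from the earlier answer of computing a comparison digest at password-set time. The person column is also an assumption: tying adm-alice and cloud-alice back to alice depends on a consistent naming convention or an explicit mapping, and the script does nothing to infer it.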