Where are your default admin passwords - and who can get to them?

Every corporation nowadays is very concerned with account security, and the first thing an auditor or security officer asks about is the handling and storage of the default admin accounts (root, administrator, sa, DBO...).
We don't need to repeat the well-known mantra of not using the default accounts for daily work.

But these accounts and passwords still need to be well secured, in order to meet the following criteria:

  • Security - the passwords for the default admin accounts need to be strong and complex, and should withstand most brute force or social engineering attacks
  • Confidentiality - no single person should know the default admin account password, since he/she could abuse the account for gain or to cause damage
  • Availability - in times of crisis, the organization may still need to use these default admin accounts, so the passwords cannot be lost
The following procedure can be applied by any organization, and it meets all three criteria.

Security and Confidentiality - the password should be constructed in two parts, each part entered by a different person. Having two people create a password increases its complexity significantly, and reduces the chance that social knowledge about a single person can be used to guess it. Also, no single person knows the whole password.

Confidentiality and Availability - the two parts of the password should be written on separate pieces of paper, marked "first part" and "second part", and stored in separate envelopes. These two envelopes should then be placed together in a tamper evident envelope.
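The two-part construction above, as an added example that is not part of the original post. It assumes (unlike the post, where each person types their own part) that each custodian's part is drawn with a CSPRNG, so that nothing about the custodian is encoded in it; the character set, lengths and complexity policy are assumptions, and the labels are what would go on the two inner envelopes.

```python
import math
import secrets
import string

# Assumed character set each custodian's part is drawn from (not from the post).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def generate_part(length: int = 16) -> str:
    """One custodian's part, drawn uniformly with a CSPRNG rather than chosen by a
    person, which removes the 'social knowledge' guessing vector for that part."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(part: str, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly drawn string over the given alphabet."""
    return len(part) * math.log2(len(alphabet))


def meets_policy(password: str, min_len: int = 24, min_classes: int = 3) -> bool:
    """Assumed complexity policy for the combined default admin password."""
    present = sum(any(c in cls for c in password) for cls in CLASSES)
    return len(password) >= min_len and present >= min_classes


def combine(first: str, second: str) -> str:
    """The full password is simply the first part followed by the second; it only
    exists when both custodians bring their parts together."""
    return first + second


def envelope_labels(account: str, first: str, second: str) -> dict:
    """Contents of the two inner envelopes; each record holds one part only."""
    return {
        f"{account} - first part": first,
        f"{account} - second part": second,
    }


def dual_control_password(account: str, part_len: int = 16) -> tuple:
    """Run the whole procedure: two independent parts, one policy check, two labels.
    Returns (combined_password, labels); the caller sets the combined password and
    seals the labelled parts separately."""
    first, second = generate_part(part_len), generate_part(part_len)
    full = combine(first, second)
    if not meets_policy(full):
        raise ValueError("combined password does not meet policy; regenerate")
    return full, envelope_labels(account, first, second)
```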

Placing the passwords in a tamper evident envelope is where most attempts at secure storage fail. The usual excuse is that tamper evident envelopes are not readily available, or even that they cannot be ordered through central procurement. This is rarely true, since such envelopes are sold in most office supply stores.

But even if such envelopes are not available, you can easily make a DIY tamper evident envelope like this:

  1. Take an ordinary envelope.
  2. Ask your manager to sign his name at least 2 times on the edges of the envelope, on both sides.
  3. Cover the length of the signed edges with transparent adhesive tape (scotch tape) - make sure the tape overlaps the edge of the envelope.
  4. Put the password envelopes inside the tamper-evident envelope.
  5. Seal the envelope, and have the manager sign across the edge where the envelope is sealed.
  6. Cover the length of the seal and the signatures with adhesive tape - make sure the tape touches both the flap and the envelope surface, as well as the signatures.
The end result can be seen on the following image.

Through this process you have created a crude tamper-evident envelope. If someone tries to open the envelope at any edge or through the sealed flap, he/she will damage the adhesive tape, and this damage is easily visible. If someone tries to peel off the adhesive tape before opening the envelope, the tape will lift the signature it covers - again showing that the envelope was tampered with.

Once this step is out of the way, securing the password is finished by storing the envelope in the department safe, where employees can still get to it if needed (in a crisis situation).

This process is very simple to follow, and can be applied in one afternoon. All it takes is 3 people, some envelopes and the will to secure the default admin accounts. Just make sure that you reset the passwords of the default admin accounts everywhere they are used, such as service/daemon accounts and scheduled system jobs.

Talkback and comments are most welcome



Marry Smith said...

I want to make my password more secure from unwanted users. Please tell me what should I do for that? Thanks in advance.

