IT's Secret: Shared Privileged Passwords
Source: https://www.youtube.com/watch?v=hVLaRQ3TjGk
Duration: 00:04:18
Key Points
- IT staff routinely warn users not to write down or share passwords, yet many organizations secretly share privileged account credentials among administrators to simplify management.
- Sharing a single password across dozens of privileged accounts creates a security risk, as it bypasses the very advice given to regular users.
- The underlying problem is the impracticality of maintaining unique passwords for many privileged users across numerous systems.
- A more secure approach is to implement a Privileged Access Management (PAM) solution that authenticates admins via strong multifactor methods (e.g., tokens, biometrics) instead of direct password logins.
- PAM dynamically generates, stores, and rotates unique passwords for each system, allowing admins to work without ever knowing the credentials and ensuring passwords are changed immediately after use.
Sections
- 00:00:00 (https://www.youtube.com/watch?v=hVLaRQ3TjGk&t=0s) IT's Privileged Password Sharing Secret - The speaker reveals that many IT teams bypass password best practices by using a single shared password for privileged accounts across numerous systems, despite advising users never to write down or share passwords.
- 00:03:21 (https://www.youtube.com/watch?v=hVLaRQ3TjGk&t=201s) Enhanced PAM with Monitoring Layer - The speaker describes how integrating a surveillance and oversight component (offering session recording, playback, and multifactor authentication) into a privileged access management system creates a stronger, more user-friendly security solution.
Full Transcript
The IT department has a dirty little secret I'm going to let you in on. But first, let me ask you: What did they always tell you never to do with your password? I'm going to bet the first thing they say is "Don't write it down." And number two, "Don't share it." Because if you share it, well, then we don't know who's actually logged in. Now, the dirty little secret: What do you think they do with their most sensitive accounts? The thing we call privileged accounts, like root, and sysadmin, and database administrators, and things like that. Here's the dirty little secret -- they share them. Not every organization, but a lot do. They have a different use case that they're trying to deal with. So in your case, you're one person here and you are logging in to maybe a couple of different systems. And so you have your password and you should keep that in your head and you should not share it. And you log in and that's that.

Well, in their case, they've got lots of users. Maybe they've got, in this fictitious example, five privileged users that need to log in to maybe 100 of these different servers. So now if they have unique passwords, that would be 500 passwords that they have to keep up with and manage. That's a problem. So instead of having this where they log in separately with separate, unique passwords, they set one password to all of them. They share it amongst the privileged users and they tell them "Don't tell it to anybody." But the fact is, they're sharing. Well, now we know intuitively that that is the wrong thing to do. This advice they gave you is the right advice. They're just not following it. And the reason they're not following it is because of this.

Now, what could they do that would be better? I'll suggest to you a better solution would be to have your administrators logging in, not directly to these systems with their passwords, but in fact, we'll insert a layer in between. We'll call it PAM -- privileged access management system. And what the PAM system does is it says these users up here log directly into the PAM system and they'll use something like, that I talked about in a previous video, multifactor authentication. So not just a password. In fact, maybe not a password at all, but we would use something you have, like a phone or something like that that's pre-registered, something you are, like a biometric looking at your face. So we'll use some form of strong multifactor authentication to know that this privileged user is who they claim to be. Then this system will maintain the passwords that are unique and constantly changing to all of the systems they need to log into. So they check out the password, the credentials to log into a system. They don't even need to know what they are. They do their work, and when they're done, they check the account back in. And once that's done, the password is literally changed. So they can't even use that same password over again. There's no reuse and therefore no sharing that's going on in this case. Now, we always know which one of the five people was logged on to this system at a particular point in time.

And in a good PAM system, we'll also add a surveillance and oversight layer as well. And in that, we'll actually see all the things that those users type during their session. It's a digital monitoring and playback type system. And once we have that level of oversight, now we have a much stronger solution. So if the IT department will follow their own advice and not share passwords and use a PAM system, they can get a much stronger security solution that's actually easier for their end users, their privileged users, because now they have a solution that gets multifactor, gets them in, it's more secure, it's easier, and we have the monitoring and oversight to ensure that it's, in fact, a better solution all the way around. Thanks for watching. Please remember to like this video and subscribe to this channel so we can continue to bring you content that matters to you.
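The check-out, check-in and rotate workflow the speaker describes, together with the five-admins-by-one-hundred-servers arithmetic from the transcript, as an added example written for this page in Python (it is not the video's own material or any PAM product's code). The class names, the `mfa_verified` flag standing in for a real second-factor check, and the logical clock are assumptions; the servers and admins are constructed sample data. It shows that each server gets its own random password, that nothing can be checked out without the second factor, that the released credential stops working the moment the account is checked back in, and that the audit log answers who held the account at a given time.

```python
"""Toy PAM credential vault: added example, not the video's or any product's code."""
import secrets
import string
from dataclasses import dataclass
from typing import Optional

ALPHABET = string.ascii_letters + string.digits   # per-system passwords are drawn from here


def generate_password(length: int = 32) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class Server:
    # Constructed stand-in for a managed host; it knows only its current root password.
    def __init__(self, name: str) -> None:
        self.name = name
        self._password = generate_password()

    def login(self, password: str) -> bool:
        return secrets.compare_digest(password, self._password)

    def set_password(self, new_password: str) -> None:
        self._password = new_password


@dataclass
class AuditEntry:
    user: str
    server: str
    checked_out_at: int
    checked_in_at: Optional[int] = None


class PamVault:
    # One unique, constantly changing password per server, plus a log of every checkout.
    def __init__(self, admins, servers) -> None:
        self._admins = set(admins)
        self._servers = {s.name: s for s in servers}
        self._passwords = {}
        for s in servers:                       # seed every host with its own secret
            self._passwords[s.name] = generate_password()
            s.set_password(self._passwords[s.name])
        self._active = {}                       # server name -> index into self.audit
        self.audit = []                         # full checkout history
        self._clock = 0                         # constructed logical clock, not wall time

    def checkout(self, user: str, server: str, mfa_verified: bool) -> str:
        """Release a credential only to an enrolled admin who passed strong MFA."""
        if user not in self._admins or not mfa_verified:
            raise PermissionError(f"{user}: multifactor authentication required")
        if server in self._active:
            raise RuntimeError(f"{server} is already checked out")
        self._clock += 1
        self._active[server] = len(self.audit)
        self.audit.append(AuditEntry(user, server, self._clock))
        return self._passwords[server]          # a real PAM injects this into the session

    def checkin(self, user: str, server: str) -> None:
        """Close the session and rotate at once, so the released value is dead."""
        idx = self._active.pop(server, None)
        if idx is None or self.audit[idx].user != user:
            raise RuntimeError(f"{server} is not checked out by {user}")
        self._clock += 1
        self.audit[idx].checked_in_at = self._clock
        self._passwords[server] = generate_password()
        self._servers[server].set_password(self._passwords[server])

    def who_held(self, server: str, at: int) -> Optional[str]:
        # Oversight question: which admin held this account at logical time `at`?
        for e in self.audit:
            if e.server != server or at < e.checked_out_at:
                continue
            if e.checked_in_at is None or at <= e.checked_in_at:
                return e.user
        return None


def demo() -> dict:
    """Walk the video's 5 admins x 100 servers scenario and report what happened."""
    servers = [Server(f"srv{n:03d}") for n in range(1, 101)]
    vault = PamVault([f"admin{i}" for i in range(1, 6)], servers)
    target = servers[41]
    try:
        vault.checkout("admin2", target.name, mfa_verified=False)
        denied = False
    except PermissionError:
        denied = True
    pw = vault.checkout("admin2", target.name, mfa_verified=True)   # logical time 1
    works_during = target.login(pw)
    vault.checkin("admin2", target.name)                            # logical time 2, rotated
    works_after = target.login(pw)
    return {
        "distinct_passwords": len(set(vault._passwords.values())),  # 100, not one shared value
        "denied_without_mfa": denied,
        "works_during_session": works_during,
        "works_after_checkin": works_after,
        "who_held_at_1": vault.who_held(target.name, 1),
        "who_held_at_3": vault.who_held(target.name, 3),
    }
```

Running `demo()` reports 100 distinct passwords where the shared-password practice would have one, a refused checkout without the second factor, a credential that logs in during the session and fails right after check-in, and an audit answer of `admin2` for time 1 and nobody for time 3. In a production PAM the broker injects the checked-out password into the session instead of handing the string to the admin, which is what lets the speaker say the admin never needs to know it; the session-recording layer he mentions sits at that same broker.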