Educause Security Discussion mailing list archives

Re: "Sharing" Passwords


From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Tue, 24 Nov 2009 15:10:55 -0700

Shared credentials are not a good idea.



We had an incident where service accounts in different AD domains had the
same name and password.  Once the attacker was in, he was able to jump from
domain to domain with one set of credentials.

-Eric





Eric Case, CISSP

eric (at) ericcase (dot) com

http://www.linkedin.com/in/ericcase



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McMinn, Dean
Sent: Tuesday, November 24, 2009 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "Sharing" Passwords



We have a major initiative here to go through and change ALL passwords for
system and "service" accounts.



Now (and maybe I'm being a bit too anal about this) but, between BANNER and
ORACLE accounts, this accounts for about 80 accounts PER DATABASE...so a
couple thoughts come to mind that I would like to get some input on.



1.  What are thoughts/practices on having all service accounts within a
database having the same password (example: saturn, faismgr, baninst1,
fimsmgr, etc)?



2. What are thoughts/practices on having the password "shared" across
databases (ex: saturn has the same password across all banner instances)?



Obviously, I want to do things as securely as possible, but don't want to
manage 400+ passwords if I don't have to.



Thanks,

Dean McMinn

Eastern Washington University

