Educause Security Discussion mailing list archives
Re: "Sharing" Passwords
From: Eric Case <ecase () EMAIL ARIZONA EDU>
Date: Tue, 24 Nov 2009 15:10:55 -0700
Shared credentials are not a good idea. We had an incident where service accounts in different AD domains had the same name and password. Once the attacker was in, he was able to jump from domain to domain with one set of credentials.

-Eric

Eric Case, CISSP
eric (at) ericcase (dot) com
http://www.linkedin.com/in/ericcase

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of McMinn, Dean
Sent: Tuesday, November 24, 2009 2:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] "Sharing" Passwords

We have a major initiative here to go through and change ALL passwords for system and "service" accounts. Now (and maybe I'm being a bit too anal about this) but, between BANNER and ORACLE accounts, this accounts for about 80 accounts PER DATABASE...so a couple thoughts come to mind that I would like to get some input on.

1. What are thoughts/practices on having all service accounts within a database having the same password (example: saturn, faismgr, baninst1, fimsmgr, etc)?
2. What are thoughts/practices on having the password "shared" across databases (ex: saturn has the same password across all banner instances)?

Obviously, I want to do things as securely as possible, but don't want to manage 400+ passwords if I don't have to.

Thanks,
Dean McMinn
Eastern Washington University