The work of changing these passwords doesn't have to be onerous. Lots of corporate software is available for automating the process of changing admin passwords, even creating temporary one-time passwords. Still, even in companies using this software, I find a ton of unchanged passwords.
What's the rationale behind this lackadaisical password practice? Consider the first mistake mentioned at the beginning of this article: interrupting critical business functionality. A software system can easily change passwords for admin accounts, but what happens when those same accounts and passwords are used within other applications and systems across the corporate network? If you change one, but not the other, you will often get a service disruption for as long as the two stay out of sync. Even if you change the password in both the account and the application, it may take a restart or reboot for the change to take place.
This operational complexity ends up pressuring admins and application owners to exempt their accounts from forced password changes. Fear of interrupting critical business systems begets foolhardy password practice.
Worse, admin passwords are often shared around the network, known by many people. These passwords should not be shared in the first place, but if they are, they need to be changed immediately anytime someone who knows the password leaves the company. Failure to follow this policy is the first step in enabling a fired, disgruntled employee to get back into the network to cause great harm.
Lessons learned: Periodically change all passwords, especially admin and service accounts. And always change passwords immediately upon separation of employment. Plus, don't use admin accounts and passwords to power your applications.
Colossal security mistake No. 10: Treating every vulnerability like "the big one"
One of the worst things you can do for your career is to cry wolf too often. Every year, a few of the thousands of newly discovered vulnerabilities become "the big one." This year, Heartbleed and Shellshock fit the bill, rightly deserving your attention and remediation.
But there will always be a significant number of vulnerabilities that colleagues and the media tout as the critical hole that will cripple your network and systems. It takes experience and skill to recognize what you really need to be worried about. If you run around panicking at every last "big" vulnerability, you risk being seen as someone who doesn't know their job, can't discern the real threats to your business, and shouldn't be taken seriously, even when your alarm coincides with a vulnerability your company should definitely pay attention to. Granted, crying wolf likely won't get you fired, but it can certainly cause roadblocks to your long-term upward mobility.
Lesson learned: Correctly prioritize vulnerabilities, and be careful not to undermine your credibility with colleagues by wasting their time with false alarms.
Sign up for Computerworld eNewsletters.