Description
Password Management System

Overview
Passwords are not meant to be shared, and they should be carefully controlled by password management systems to prevent unauthorized access to sensitive information. Password management systems include a range of mechanisms: Active Directory (or other LDAP directory) services, password vaults, and identity and access management solutions, among others. Their primary objective is to control password usage, enforce the organization's password policy, and ensure that only authorized users or systems authenticate to resources (systems, applications, databases, or data).

Guidelines
Password management systems should be configured to enforce the organization's password policy and the secure use of accounts. They should also be segregated from the data and systems they protect, and they should be carefully monitored for unauthorized access or changes: for example, bursts of failed logons against one account, one source failing against many accounts, password resets performed by someone outside the access management role, or changes to the policy settings themselves.
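The monitoring this guideline calls for can be automated. What follows is an added example, not code from the original page or from any product it names: a small Python detector run over a constructed, syslog-like authentication log. The log format, the addresses, the usernames, the thresholds and the `ACCESS_MANAGEMENT_ROLE` set are all assumptions made for the example. It flags three events a password management system should alert on: a burst of failures against one account from one source (brute force), one source failing against many different accounts (password spraying), and a password reset performed by an account outside the access management role.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-like sample log (not real data). Failures against "alice"
# from 203.0.113.7 end in a success; 198.51.100.9 tries one password per account.
SAMPLE_LOG = """\
2018-08-01T10:00:01Z auth: Failed password for alice from 203.0.113.7
2018-08-01T10:00:03Z auth: Failed password for alice from 203.0.113.7
2018-08-01T10:00:05Z auth: Failed password for alice from 203.0.113.7
2018-08-01T10:00:07Z auth: Failed password for alice from 203.0.113.7
2018-08-01T10:00:09Z auth: Failed password for alice from 203.0.113.7
2018-08-01T10:00:11Z auth: Accepted password for alice from 203.0.113.7
2018-08-01T10:05:00Z auth: Failed password for bob from 198.51.100.9
2018-08-01T10:05:01Z auth: Failed password for carol from 198.51.100.9
2018-08-01T10:05:02Z auth: Failed password for dave from 198.51.100.9
2018-08-01T10:05:03Z auth: Failed password for erin from 198.51.100.9
2018-08-01T10:05:04Z auth: Failed password for frank from 198.51.100.9
2018-08-01T10:30:00Z auth: Failed password for alice from 192.0.2.20
2018-08-01T11:00:00Z pwmgmt: Password changed for svc-backup by helpdesk1
2018-08-01T11:01:00Z pwmgmt: Password changed for svc-backup by dave
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\w+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$")
CHANGE_RE = re.compile(r"^Password changed for (?P<target>\S+) by (?P<actor>\S+)$")

# Assumed thresholds, and the assumed set of accounts allowed to reset other accounts' passwords.
BRUTE_FORCE_THRESHOLD = 5      # failures for one (source, account) pair inside WINDOW
SPRAY_USER_THRESHOLD = 5       # distinct accounts one source has failed against (not windowed, for brevity)
WINDOW = timedelta(minutes=10)
ACCESS_MANAGEMENT_ROLE = {"helpdesk1", "helpdesk2"}


def parse(log_text):
    """Yield (timestamp, source, message) for every line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["msg"]


def detect(log_text):
    """Return a sorted list of (alert_kind, subject) tuples found in the log."""
    alerts = set()
    failures = defaultdict(list)      # (ip, user) -> timestamps of recent failures
    sprayed = defaultdict(set)        # ip -> accounts that source has failed against
    for ts, _src, msg in parse(log_text):
        auth = AUTH_RE.match(msg)
        if auth:
            key = (auth["ip"], auth["user"])
            # Drop failures that have fallen out of the sliding window before counting.
            recent = [t for t in failures[key] if ts - t <= WINDOW]
            if auth["result"] == "Failed":
                recent.append(ts)
                sprayed[auth["ip"]].add(auth["user"])
                if len(recent) >= BRUTE_FORCE_THRESHOLD:
                    alerts.add(("brute_force", f"{auth['ip']} -> {auth['user']}"))
                if len(sprayed[auth["ip"]]) >= SPRAY_USER_THRESHOLD:
                    alerts.add(("password_spray", auth["ip"]))
            elif len(recent) >= BRUTE_FORCE_THRESHOLD:
                # A success right after a burst of failures is the case worth paging on.
                alerts.add(("success_after_brute_force", f"{auth['ip']} -> {auth['user']}"))
            failures[key] = recent
            continue
        change = CHANGE_RE.match(msg)
        if change and change["actor"] not in ACCESS_MANAGEMENT_ROLE:
            alerts.add(("unauthorized_password_change", f"{change['target']} by {change['actor']}"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, subject in detect(SAMPLE_LOG):
        print(f"{kind}: {subject}")
```

On the sample log this reports the brute-force burst against alice, the success that immediately followed it, the spray from 198.51.100.9, and the reset of svc-backup by dave; the reset by helpdesk1 and the single failure from 192.0.2.20 produce nothing. In a real deployment the same logic would read from the directory's or vault's audit log rather than an embedded string, and the spray counter would be windowed like the brute-force one.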

Roles should also be established to ensure segregation of duties. For example, the security or access management role used to administer the password management system (setting up the IDs and passwords used to access systems or applications) should be separate from the roles used for system administration or data access. For devices that authenticate to a Windows-based Active Directory (AD) domain, most account and password settings can be configured through AD domain and Group Policy settings. AD, or an equivalent LDAP directory, is the most efficient password management system for configuring and enforcing password quality across a large number of devices to meet the organization's policy: the system notifies users when a password is due to change and rejects a new password that does not meet the policy.

Password management systems should also ensure passwords are stored securely. User passwords should never be stored in plaintext or under reversible encryption; they should be stored as salted hashes produced by a deliberately slow password-hashing function (for example PBKDF2, bcrypt, scrypt or Argon2). A bare, fast hash such as SHA-256, even though it is a SHA-2 family algorithm, is not sufficient on its own: unsalted or fast hashes can be cracked at very high rates on GPU hardware, and a hash provides no confidentiality for the stored value beyond its resistance to cracking. Credentials that a vault must be able to hand back out (for example privileged account passwords it rotates and checks out) are the exception and should be encrypted at rest with a strong algorithm such as AES, with the encryption keys held separately from the vault data. System accounts (such as "root" or "Administrator") should not be shared, should be carefully monitored, and should be restricted from interactive logins to sensitive systems. If such accounts must be used, a password management (or "vault") system should be used so that their use is limited, authorized by the system owners, and recorded in an audit trail.
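To make the storage and policy-enforcement points concrete, here is an added Python example (not code from the page or from any product it names): a minimal in-memory credential store that hashes passwords with PBKDF2-HMAC-SHA256 and a per-password random salt, verifies them in constant time, and refuses a new password that is too short, contains the username, appears on a breached-password list, or reuses a recent password. The policy values, the iteration count and the breached-password list are illustrative assumptions; a real system would load the breached list from a corpus and tune the iteration count to its hardware.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters: PBKDF2-HMAC-SHA256 with a 16-byte random salt per password.
# The iteration count is an illustrative value; tune it to the hardware in use.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16

# Assumed policy values standing in for the organization's password policy,
# plus a constructed breached-password list (a real deployment would load a corpus).
MIN_LENGTH = 12
HISTORY_DEPTH = 5
BREACHED = {"password1", "welcome1", "summer2018", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def policy_violations(username: str, password: str, history: List[str]) -> List[str]:
    """Return the policy rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username.lower() in password.lower():
        problems.append("contains the username")
    if password.lower() in BREACHED:
        problems.append("appears in breached-password list")
    if any(verify_password(password, old) for old in history[-HISTORY_DEPTH:]):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


class PasswordStore:
    """Minimal in-memory credential store that enforces the policy on every change."""

    def __init__(self) -> None:
        self._history: Dict[str, List[str]] = {}   # username -> hash records, oldest first

    def set_password(self, username: str, password: str) -> None:
        history = self._history.setdefault(username, [])
        problems = policy_violations(username, password, history)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        history.append(hash_password(password))

    def authenticate(self, username: str, password: str) -> bool:
        history = self._history.get(username)
        if not history:
            # Hash anyway so an unknown username costs the same time as a wrong password.
            hash_password(password)
            return False
        return verify_password(password, history[-1])


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("alice", "correct horse battery")
    print(store.authenticate("alice", "correct horse battery"))   # True
    print(store.authenticate("alice", "Password1"))               # False
    try:
        store.set_password("alice", "correct horse battery")    # reuse is rejected
    except ValueError as exc:
        print(exc)
```

The record format stores the algorithm, iteration count and salt beside the digest, so the iteration count can be raised later and old records still verify; the history of hash records is what lets the reuse check work without ever keeping a plaintext or reversible copy of a previous password.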
 
News Articles
Clarksons says single user account to blame for data breach - www.zdnet.com - 7/31/2018
Password reset flaw at internet giant Frontier allowed account takeovers - www.zdnet.com - 6/9/2018
500 Million Breached Passwords Released by Researcher to Help Organizations Protect Their Systems - www.tripwire.com - 2/23/2018
Reddit rolls out 2FA to all its users - www.tripwire.com - 1/25/2018
Stupid, stupid MacOS security flaw grants admin access to anyone - www.zdnet.com - 11/28/2017
Deloitte: ‘Very Few Clients’ Impacted by Cyber Attack - threatpost.com - 9/25/2017
Scottish Parliament Targeted by Brute Force Attackers - www.tripwire.com - 8/16/2017
Shift in password strategy from NIST - www.scmagazine.com - 5/22/2017
LastPass now supports 2FA auth, completely undermines 2FA auth - www.theregister.co.uk - 5/19/2017
Font sharing site DaFont has been hacked, exposing thousands of accounts - www.zdnet.com - 5/19/2017
LastPass fixes serious password leak flaws - www.computerworld.com - 3/22/2017
MySQL Databases Targeted in New Ransom Attacks - www.securityweek.com - 2/24/2017
Facebook gets physical for safer logins - www.helpnetsecurity.com - 1/27/2017
Password-free security uses voice, user behavior to verify identity - www.computerworld.com - 1/26/2017
Researchers propose a way to use your heartbeat as a password - www.computerworld.com - 1/20/2017
KFC Urges Users to Change Passwords After Attack against Website - www.tripwire.com - 12/13/2016
Sam's Club resets passwords after thousands of logins posted online - www.zdnet.com - 11/7/2016
An IoT Nightmare! Attackers Can Spoof Smart Webcam that Leaks Passwords - www.tripwire.com - 11/3/2016
LastPass brings free password management to all your devices - www.zdnet.com - 11/2/2016
43+ million users affected by confirmed Weebly breach - www.helpnetsecurity.com - 10/21/2016
1.5M Dating Site Users’ Passwords Exposed by Misconfigured Database - www.tripwire.com - 10/5/2016
Change your password! Yahoo confirms data breach of 500 million accounts - nakedsecurity.sophos.com - 9/23/2016
Researchers Find ‘Severe’ Password Security Hole with iOS 10 Backups - threatpost.com - 9/23/2016
Russian internet giant Rambler.ru hacked, leaking 98 million accounts - www.zdnet.com - 9/5/2016
Dropbox commended for its handling of massive data breach involving 68M users - www.scmagazine.com - 8/31/2016
Sony enables two-factor authentication for PlayStation - www.scmagazine.com - 8/26/2016
Android users to be warned of suspect Google account activity in real-time - www.helpnetsecurity.com - 8/2/2016
Social Security Administration Now Requires Two-Factor Authentication - krebsonsecurity.com - 8/1/2016
Zero-day hole can pwn millions of LastPass users, all that's needed is a malicious site - www.theregister.co.uk - 7/27/2016
'Password attacks' continue; Citrix becomes latest victim - www.scmagazine.com - 6/20/2016
Twitter locks some accounts after passwords exposed - www.computerworld.com - 6/10/2016
uTorrent Forums Users Urged to Change Passwords After Breach - www.tripwire.com - 6/9/2016
Facebook, Netflix trigger password resets in wake of recent hacks - www.zdnet.com - 6/7/2016
65M Tumblr account records are up for sale on the underground market - www.computerworld.com - 5/31/2016
Google wants to kill off passwords for logging into your Android smartphone - www.zdnet.com - 5/24/2016
Info on 93 million Mexican voters found on an Amazon cloud server - www.helpnetsecurity.com - 4/25/2016
Beware: the password testing tool that saved and shared your passwords - nakedsecurity.sophos.com - 3/31/2016
LastPass extensions can be made to cough up passwords, deliver malware - www.helpnetsecurity.com - 3/22/2016
Twitter password recovery bug exposes 10,000 users' personal information - www.computerworld.com - 2/18/2016
Attackers Leverage Duplicate Logins to Compromise 21M Alibaba Accounts - www.tripwire.com - 2/5/2016
Trend Micro patched flaws would let hackers execute malicious code - www.scmagazine.com - 1/12/2016
Time Warner Cable says up to 320K customers' data may have been stolen - www.cnbc.com - 1/7/2016
LastPass 4.0 gives others access to your password vault in emergencies - www.zdnet.com - 1/5/2016
Google tries again to kill the password, tests new auth idea via your phone - www.computerworld.com - 12/23/2015
Amazon force-resets some account passwords, citing password leak - www.zdnet.com - 11/24/2015
Hackers put up for sale 13 million plaintext passwords stolen from 000webhost - www.net-security.org - 10/29/2015
Change this setting to stop Siri spilling your selfies! - nakedsecurity.sophos.com - 9/24/2015
Required Group Policy Preference Actions for Microsoft Security Bulletin MS14-025 - www.us-cert.gov - 8/7/2015
Hacker steals Bitdefender customer info, blackmails company - www.net-security.org - 8/3/2015
PagerDuty hacked ... and finally comes clean 21 days later. Cheers - www.theregister.co.uk - 7/31/2015
Cisco leaves its Unified CDM software open to hackers - www.computerworld.com - 7/3/2015
Stolen US government passwords leaked across Web - www.zdnet.com - 6/25/2015
Password site LastPass warns of data breach - www.zdnet.com - 6/15/2015
This Hacked Kids’ Toy Opens Garage Doors in Seconds - www.wired.com - 6/4/2015
Google, Samsung get closer to giving passwords the finger with FIDO certification - www.zdnet.com - 5/22/2015
Puush urges users to change passwords after cyber attack - www.scmagazine.com - 3/30/2015
Microsoft wants to kill passwords with biometric authentication in Windows 10 - www.computerworld.com - 3/18/2015
A New, Simple Way to Log In - yahoo.tumblr.com - 3/15/2015
Windows 10 will work with FIDO specs for password-free access, says Microsoft - nakedsecurity.sophos.com - 2/18/2015
Chipotle Website & Twitter Account Hacked - www.tripwire.com - 2/7/2015
Military Signs Deal For 'Next Gen Passwords' - uk.finance.yahoo.com - 1/28/2015
EU to demand 2-factor for online payments by August 2015? - nakedsecurity.sophos.com - 12/22/2014
Security group plans for a future without passwords - www.computerworld.com - 12/9/2014
Strengthening 2-Step Verification with Security Key - googleonlinesecurity.blogspot.com - 10/21/2014
Apple implements two-factor authentication - www.scmagazine.com - 9/17/2014
Gmail users urged to change passwords after apparent attack - www.computerworld.com - 9/10/2014
Who needs hackers? 'Password1' opens a third of all biz doors - www.theregister.co.uk - 8/15/2014
Survey: 53 percent change privileged logins quarterly - www.scmagazine.com - 7/25/2014
Bank of Montreal ATM hacked with weak password - www.zdnet.com - 6/10/2014
AOL confirms security breach from spam attack - www.theregister.co.uk - 4/28/2014
Obamacare enrollees urged to change passwords over Heartbleed bug - www.cnbc.com - 4/21/2014
5 biometric alternatives to the password - www.cnn.com - 4/4/2014
Google acquires password sounds startup SlickLogin - news.cnet.com - 2/17/2014
THOUSANDS of Tesco.com logins and passwords leaked online - www.theregister.co.uk - 2/14/2014
PayPal 'n' Google's FIDO drops 'simpler, stronger' secure login spec - www.theregister.co.uk - 2/12/2014
Multifactor authentication extended to all Office 365 users - news.cnet.com - 2/10/2014
Report: Target Hackers Used Default Vendor Credentials; Justice Dept. Investigating - threatpost.com - 1/30/2014
OpenSUSE forums hacked in ANOTHER vBulletin attack - www.theregister.co.uk - 1/8/2014
CES 2014: A Technological Assault on the Password - www.technologyreview.com - 1/8/2014
Narrative-Based Authentication Latest Proposed Alternative to Passwords - threatpost.com - 1/6/2014
OpenSSL Hackers Used Weak Password at Web Host to Deface Site - threatpost.com - 1/3/2014
Two million stolen Facebook, Twitter, Yahoo, ADP passwords found on Pony Botnet server - www.zdnet.com - 12/4/2013
Buffer launches two-factor authentication after breach - www.zdnet.com - 11/26/2013
Racing Post p0wned, accounts accessed and passwords pinched - www.theregister.co.uk - 11/25/2013
GitHub accounts with feeble passwords fall to brute force attack - www.zdnet.com - 11/20/2013
Data of 42 MILLION seekers for love plundered from Aussie dating site - www.theregister.co.uk - 11/20/2013
Microsoft Warns Customers Away From SHA-1 and RC4 - threatpost.com - 11/13/2013
MacRumors Forums Hacker Says Passwords Won’t Be Leaked - threatpost.com - 11/13/2013
Just how bad are the top 100 passwords from the Adobe hack? (Hint: think really, really bad) - www.zdnet.com - 11/4/2013
iPhone fingerprint scanner sparks privacy worries - news.cnet.com - 9/17/2013
Microsoft's swipe'n'swirl pic passwords LESS secure than PINs, warn researchers - www.theregister.co.uk - 9/13/2013
Google security exec: 'Passwords are dead' - news.cnet.com - 9/10/2013
Google yanks its token-eating iOS authentication app from App Store - www.zdnet.com - 9/4/2013
Password breaker successfully tackles 55 character sequences - www.zdnet.com - 8/27/2013
Anatomy of a brute force attack - how important is password complexity? - nakedsecurity.sophos.com - 8/16/2013
Critical IE, Exchange Updates on Tap in August Patch Tuesday Release - threatpost.com - 8/8/2013
Chrome password security issue stirs debate - news.cnet.com - 8/7/2013
Remotely Exploitable Bug Affects Wide Range of Cisco TelePresence Systems - threatpost.com - 8/7/2013
Sony to pay £250,000 fine for PlayStation Network breach - nakedsecurity.sophos.com - 7/16/2013
U.S. Emergency Alert System open to more 'zombie' hackers after accidental SSH key disclosure - www.zdnet.com - 7/9/2013
Researchers able to predict Apple iOS-generated hotspot passwords - www.zdnet.com - 6/18/2013
Web Services Finding Religion with Two-Factor Authentication - threatpost.com - 6/3/2013
Drupal resets account passwords after detecting unauthorized access - www.computerworld.com - 5/29/2013
Reputation.com resets all user passwords following breach - nakedsecurity.sophos.com - 5/2/2013
LivingSocial Ups Its Password Encryption Following Massive Breach - threatpost.com - 4/29/2013
McAfee intros single sign-on, one-time password controls for cloud - www.zdnet.com - 4/25/2013
WordPress attack highlights 30 million targets - www.zdnet.com - 4/19/2013
Microsoft Account Gets More Secure - blogs.technet.com - 4/17/2013
Microsoft to add dual-factor sign-on security 'soon': report - news.cnet.com - 4/9/2013
Up to 1 million Scribd user passwords may have been compromised - www.zdnet.com - 4/5/2013
GCHQ attempts to downplay amazing plaintext password blunder - www.theregister.co.uk - 3/27/2013
UK intelligence agency stores passwords in plain text - www.zdnet.com - 3/26/2013
Is two-factor the savior for secure logins? - www.zdnet.com - 3/11/2013
Plain text lesson from Evernote hack - www.zdnet.com - 3/8/2013
LinkedIn password hack sueball kicked to the kerb by judge - www.theregister.co.uk - 3/7/2013
Following hack, Evernote speeds move to two-factor authentication - www.computerworld.com - 3/5/2013
Evernote Forces Password Reset for 50M Users - krebsonsecurity.com - 3/2/2013
Google squishes login-bypass bug that opened door to hijackers - www.theregister.co.uk - 2/27/2013
Brace for MORE ZOMBIE ATTACK ALERT pranks, warns security bod - www.theregister.co.uk - 2/18/2013
Twitter clients stay signed in with pre-breach passwords - www.theregister.co.uk - 2/4/2013
Twitter breach leaks emails, passwords of 250,000 users - www.theregister.co.uk - 2/2/2013
New York Times breach opens anti-virus, attribution debate - www.scmagazine.com - 1/31/2013
Crap security lands Sony £250k fine for PlayStation Network hack - www.theregister.co.uk - 1/24/2013
Mega responds to security concerns, implements password changes - www.zdnet.com - 1/23/2013
Attacker steals ‘old passwords’ from Oz defence academy site - www.theregister.co.uk - 12/11/2012
GPU cluster can crack any NTLM 8-character hashed password in 5.5 hours - www.infosecurity-magazine.com - 12/10/2012
GPU-stuffed monster cracks Windows passwords in minutes - www.theregister.co.uk - 12/7/2012
Debunking RIM's BlackBerry 10 password 'blacklist'; enterprise security still a top priority - www.zdnet.com - 12/7/2012
Researcher Owns Internal Network after Victim Opens Email - threatpost.com - 11/28/2012
Adobe suffers database leak, user forum taken offline - news.cnet.com - 11/15/2012
NullCrew pillages Sony servers? - www.zdnet.com - 9/3/2012
DHS investigating Siemens 'flaw' in power plant security - www.zdnet.com - 8/22/2012
Tesco web security 'flaw' probed by UK data watchdog - www.bbc.com - 8/20/2012
500K Credit Cards Stolen in Australian Point-of-Sale Hack - www.wired.com - 8/17/2012
Yahoo user sues over password leak - news.cnet.com - 8/3/2012
Oil Companies Spring a Leak, Courtesy of Anonymous - www.wired.com - 7/16/2012
Yahoo Says It Has Closed Security Hole Exploited in Breach - www.eweek.com - 7/14/2012
Nvidia suffers data breach; investigation under way - www.zdnet.com - 7/13/2012
Pennsylvania Man Indicted For Hack of Department of Energy Network - threatpost.com - 6/15/2012
Pennsylvania Man Charged with Computer Hacking and Password Trafficking - www.justice.gov - 6/14/2012
Microsoft: Conficker Worm Continues to Plague Enterprises - www.eweek.com - 4/25/2012
Report: Hackers Seized Control of Computers in NASA’s Jet Propulsion Lab - www.wired.com - 3/1/2012
Microsoft Security Bulletin Summary for January 2012 - technet.microsoft.com - 1/10/2012
Report: Analysis of the Stratfor Password List - www.thetechherald.com - 1/2/2012
Report details extent of Anonymous hack on Stratfor - news.cnet.com - 12/27/2011
Siemens fixing cyber bugs in industrial control systems - www.reuters.com - 12/22/2011
DHS, FBI Give SCADA System Vulnerability Warning - www.theregister.co.uk - 12/14/2011
Telstra resets 60k passwords after privacy gaffe - www.scmagazine.com.au - 12/12/2011
Four charged with hacking point-of-sale computers - www.computerworld.com - 12/8/2011
Hackers 'hit' US water treatment systems - www.bbc.co.uk - 11/21/2011
Policies
Password Management Policy