Sitting next to me on the plane today was a member of Oracle’s Security Team. I asked what was the one single best bit of security advice Oracle could give to their customers. “Change your default passwords.” A few weeks ago, I met with a CEO who had lost half-a-million dollars (so far) because his IT pro had set a password in their main application to the exact name of his company. Of course, the CEO had no idea that the password was so basic.
Before it is too late, contact your IT Professionals, be they in-house or outsourced, and ask them to show you the administrative passwords to your network, the admin passwords to your databases, the password to all of your applications, and any other passwords that provide access to anything you wouldn’t want an attacker accessing. (It is often best “not to know” each user’s passwords – this is about the administrative passwords).
Remember IT Pros are very busy people and often juggling many projects. It is easy for something, like a default or guessable password, to “slip through the cracks.”
Simply asking will give IT an incentive to make sure every administrative password is at least 14 characters long and is not a word, name, or anything else that could be guessed. Better still if they also use multi-factor authentication – more on that later.
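As an added illustration (not code from the original post), the check below is the kind of audit an IT team could run over its own list of administrative credentials before that conversation: it flags passwords that match a small constructed list of vendor defaults, that are derived from the company name (as in the anecdote above), that are shorter than 14 characters, or that draw on too few character classes. The default-password list, the company name, and the sample inventory are all constructed for the example.

```python
"""Audit administrative passwords for default, guessable, or too-short values."""
import re

# Constructed sample of vendor-default and commonly guessed passwords (illustrative, not exhaustive).
DEFAULT_PASSWORDS = {
    "password", "admin", "changeme", "welcome", "letmein", "123456",
    "default", "manager", "oracle", "scott", "tiger", "root", "guest",
}
MIN_LENGTH = 14          # the post's recommended minimum
MIN_CHAR_CLASSES = 3     # lower, upper, digit, symbol
LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "plc", "the"}


def normalize(value):
    """Lowercase and drop everything but letters and digits ('Acme-Widgets!' -> 'acmewidgets')."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def company_tokens(company):
    """Words of the company name that a weak password might be built from."""
    tokens = {normalize(w) for w in company.split()} | {normalize(company)}
    return {t for t in tokens if len(t) >= 4 and t not in LEGAL_SUFFIXES}


def char_classes(password):
    """Count how many of lower/upper/digit/symbol appear in the password."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def audit_password(password, company, min_length=MIN_LENGTH):
    """Return a list of findings; an empty list means the password passed every check."""
    findings = []
    norm = normalize(password)
    stripped = re.sub(r"\d+$", "", norm)   # 'acme2024' -> 'acme', so a year suffix does not hide the base word
    if norm in DEFAULT_PASSWORDS or stripped in DEFAULT_PASSWORDS:
        findings.append("matches a known default password")
    if any(tok in norm for tok in company_tokens(company)):
        findings.append("derived from the company name")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if char_classes(password) < MIN_CHAR_CLASSES:
        findings.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return findings


def audit_inventory(inventory, company):
    """Map each failing account name to its findings; accounts that pass are omitted."""
    results = {}
    for account, password in inventory.items():
        findings = audit_password(password, company)
        if findings:
            results[account] = findings
    return results


# Constructed sample inventory: account name -> current administrative password.
COMPANY = "Acme Widgets, Inc."
SAMPLE_INVENTORY = {
    "db-admin": "AcmeWidgets1",          # built from the company name, too short
    "network-admin": "changeme",         # vendor default never replaced
    "app-admin": "Q7#vLm9!pXz2@wRb4",    # passes every check
}

if __name__ == "__main__":
    for account, findings in audit_inventory(SAMPLE_INVENTORY, COMPANY).items():
        print(f"{account}: {'; '.join(findings)}")
```

The audit deliberately works on the password values themselves rather than on hashes, so it should be run by the administrators on the system holding the credentials and its output handled the same way as the passwords, never pasted into email.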
Ask them now. And don’t let them email you the list.
Please post your comments below…