How to select a password management system


Cyber-Ark Software – When I was in college, I worked in the server room. Whenever I had to upgrade a database or create a new user, I first had to search in a secret lock box for the envelope that contained the password (will it be this yellow one? this blue one?). You can imagine my disappointment when I entered the password stored in the envelope and got "Username and password do not match" or "The system could not log you on. Make sure your user name and domain are correct." Just because someone forgot to update the password in the envelope!

In another company where I worked, we didn't even have envelopes. Any employee who had worked there during the previous 4-5 years could come in and enter the "standard" password and be logged in with the most powerful permissions.

Managing administrative passwords is a must-do, but it doesn't have to be done manually. Here's what you should look for in a password management system.

Security - These are the most powerful passwords in the organization. You don't want them stored in an Excel file or in an Access database. Just imagine what could happen if someone accessed the local administrator password for the Active Directory or the Web server.

Full integration with your organization - Sure, you can write a nice application to store passwords in an Access database, but you really need much more than this. You need backup integration (VERITAS, Backup Exec), monitoring integration (HP OpenView, Tivoli), and transparent user management (LDAP integration). You also want automatic synchronization that shows when machines are added to and removed from the network.

"2 clicks to a password" web interface - Your IT department will need to use these administrative passwords quite often; it should be easy for them to access them.

Full Audit - You, as a manager, want to know exactly who used the last root password, who used the administrative password of the CEO's laptop, and who took the emergency password of the mainframe.

Disaster Recovery - You are storing the keys to your most sensitive and important data; you had better have a robust disaster recovery component.

Automatic change of passwords - Regulations force you to change your passwords every 30 days. This means the end of the manual era.

High Availability - As I've said before, you are dealing with the most sensitive passwords in your organization. You want the password management system to provide maximum availability to the enterprise and assure business continuity.

Management dashboard - You should be able to see a real-time snapshot of administrative passwords and privileged account usage. The dashboard should display your compliance with policies, usage status and, of course, anomalous activity.

Hard-Coded Passwords - Many scripts embed hard-coded passwords in plain text, with no protection at all. You need a component in the password management system that solves this problem and integrates easily with your application server.

Distributed architecture - You probably have more than two network areas, so your password management system should have centralized management with the ability to change passwords across a distributed network.
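A defensive check for the hard-coded password problem above, added here as an example and not Cyber-Ark's own tooling: it scans a constructed sample script for literal credentials, while ignoring values that are pulled at run time from a vault (the vault-cli command is a hypothetical placeholder).

```python
import re
from typing import List, Tuple

# Constructed sample script (not taken from any real system). Lines 4-6 embed
# literal credentials; line 8 fetches one at run time from an assumed vault CLI.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly backup job (constructed sample)
DB_USER=backup
DB_PASSWORD="s3cret-backup"
export ORACLE_PWD='hunter2'
mysqldump -u root -pRootPass123 inventory > /tmp/inv.sql
# fetched at run time from a vault instead (vault-cli is a hypothetical tool)
ADMIN_PASSWORD=$(vault-cli get ad/admin)
echo "starting"
"""

# Common ways a password ends up literally in a script.
PATTERNS = [
    # NAME=value, name: 'value' ... where the name contains pass/password/pwd/secret
    re.compile(r'(?i)\b([A-Z_]*(?:PASS(?:WORD)?|PWD|SECRET)[A-Z_]*)\s*[=:]\s*["\']?([^"\'\s]+)'),
    # mysql / mysqldump style: the password glued directly onto the -p flag
    re.compile(r'(?<![\w-])-p(?!\s)(\S+)'),
]

def find_hardcoded_passwords(script: str) -> List[Tuple[int, str]]:
    """Return (line_number, literal_value) for each line that embeds a credential."""
    findings = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no runtime credential
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            value = m.group(m.lastindex)
            # A shell expansion ($VAR or $(command)) is resolved at run time,
            # which is exactly the vault-backed pattern we want, so do not flag it.
            if value.startswith("$"):
                continue
            findings.append((lineno, value))
            break
    return findings

if __name__ == "__main__":
    for lineno, value in find_hardcoded_passwords(SAMPLE_SCRIPT):
        print(f"line {lineno}: literal credential {value!r}")
```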

