Adam Bosnian, executive vice president of corporate development at Cyber-Ark, a vendor of software for managing administrative passwords, said the problem that companies face is complex. While it's one thing to require that administrators use complex passwords, it's another thing to manage those passwords, he said. What often happens is that multiple administrators might need access to one system, and it is easiest to use a default or easily remembered password to control access to it.
When a complex password is used, administrators need to have three processes: One for securely sharing that password with each other, another process for changing the password when needed, and a third for keeping everyone informed about the changes. These processes can get especially difficult in larger organizations where the number of privileged accounts can be staggering, he said.
"The truth is, anyone trying to protect non-trivial assets should be using multifactor authentication and/or complementary controls to protect themselves," said Peter Lindstrom, an analyst with Spire Security. "The password has too many weaknesses, including the obvious human ones," he said.
Most password schemes that aren't protected by another form of authentication or lockout controls are susceptible to brute-force compromise, where automated tools are used to guess passwords, he said. "At this stage of the IT game, there is really no excuse for using default passwords."
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His email address is email@example.com.