Superstorm Sandy, the recent storm that pummeled the Eastern US, brought with it a lot of lessons for all affected. For those in the IT industry the most important lesson was that their disaster preparedness may not be as robust as they thought. Many businesses will react to this by wanting to be better prepared for major disasters. This is positive action but it is important to stress that there are also a million little issues that could pose a bigger threat to your organization. One of those is password management - who is in control of the important passwords.

Search for Terry Childs online and you'll find a number of articles about a former Network Administrator for the city of San Francisco who is currently in jail for supposedly doing his job. His job, as a network administrator, was to manage the city's network. When he was asked by his boss for the passwords to critical parts of the network, he refused on the grounds that the request went against the established network policy.

Issues like this: One employee or vendor in control of vital passwords, can pose a big problem to companies, especially during times of disaster. Imagine if you work with an administrator who is based in New York, and they lost power during Sandy. What could you do if your network crashed, or you needed access to your system and someone else has all the passwords?

The most crucial factor is you shouldn't trust one person or organization with passwords to vital systems. We don't mean personal passwords to systems, we mean passwords to vital systems, like servers or Internet connections. If one person has the passwords, there's just too much risk. If they are disgruntled, they have the power to do some serious damage, and if they are injured or are no longer alive, you'll face untold amounts in lost profit, and fees in recovering passwords and information.

There are a number of things you can do to mitigate problems like these.

• Keep a password list - It could be a good idea to keep a physical list of the more important passwords. This is an important document, so it's a good idea to not leave this one lying around. If you have a safety deposit box or safe in the office you can put the list here.
• Set passwords to the position, not the employee - Many companies will often give passwords to one person who will be in charge of these. When they advance, or if they switch roles, they will often take a password with them. Instead, look at organizing this a different way around: Assign a password to the position rather than an individual so that when they leave the person filling their role is given this password instead.
• Assign a person to be in charge of passwords - This is a good idea, especially if you work with Managed Service Providers. A person of authority within your organization should be the main contact person, and they should have copies of all passwords given to outside companies.
• Change passwords regularly - To avoid having employees steal things it's a good idea to change your passwords on a regular basis. If an employee leaves a position and is in charge of an important password, you should take steps to change this scenario even if you trust the person.
• Create the right policy - If you are going to share passwords, or have a limited number of people who know them, it's a good idea to create a policy that clearly defines: what position has access to what; what happens when someone leaves; how to recover passwords; how many backups will be kept; how and when the password is to be shared. Basically you want to ensure you aren't caught flat footed. With employees, confidentiality agreements that explicitly state what they can and can't share and the consequences of breaching the policy should also be clearly defined and followed.
• Pick who to trust - Important passwords shouldn't be shared with everyone, and you should take steps to vet the trustworthiness of the person or company you will be giving passwords to. If you have an established sharing process, and a vendor you're considering working with is pushing a policy that is different from yours, it may be a good idea to look for someone whose policies are closer to yours, or who can work around your policies.

If you are in the unfortunate position of not having the passwords to your system, it's a good idea to get in touch with IT professionals like us, as we are often able to recover systems and passwords, or at the very least, reset them. After you recover your systems, it's a good idea to test for vulnerabilities, especially if the last person in charge had a tendency to not share information. We can help with this and any other concerns with password management and recovery, so please contact us if you would like to learn more.