Monday, February 15, 2021

Sharing isn't caring when it comes to passwords

from here

If I had to guess what the one key failure in the recent water treatment plant intrusion was, it would be that there was just one password shared by everyone. It wasn't the out of date operating system that let them remotely access the system, nor the lack of a firewall. There was and is a legitimate need to be able to monitor and control the system remotely and by all indications the perpetrator simply logged in with the same password as a legitimate user, which means it could be an actual employee or ex-employee, but the shared password makes it difficult to determine who and also difficult to revoke access when people leave because you have to inform everyone of the new shared password.