Linked by Eugenia Loli on Wed 7th Dec 2005 22:55 UTC, submitted by LogError
Privacy, Security, Encryption

Every security savvy professional lives with the daily fear of the "never expiring password" being exposed. It's the unspoken taboo, the wide open back door in every corporate network. But no-one ever acknowledges it or discusses it. All applications have got pre-defined passwords that never change. Which means developers, privileged users and hosting third party service providers will all have access to these passwords.
Thread beginning with comment 69854
Unconvinced
by flypig on Thu 8th Dec 2005 02:18 UTC
flypig Member since:
2005-07-13

I have no doubt that the problem of "never changing passwords" is a genuine concern, but I have difficulty believing that there are really that many applications with *hard coded* passwords. Can it really be the case that "It is virtually certain that there is not a single business critical application in your company that isn't wide open"?

It's also not clear to me how digital vaulting can eliminate the problem, without all of those badly written applications having to be re-implemented at the very least.

Sorry for being so very cynical! But the article would be more convincing if it hadn't been written by the European Director of Cyber-Ark (http://www.net-security.org/article.php?id=844), who are the "networking company behind vaulting technology" (http://www.cyber-ark.com/cyber-ark/index.asp).

Edited 2005-12-08 02:20

Reply Score: 2

RE: Unconvinced
by AdamW on Thu 8th Dec 2005 02:28 in reply to "Unconvinced"
AdamW Member since:
2005-07-06

I agree entirely. Writing alarmist articles along the lines of "your entire network is going to collapse tomorrow because of this virus / worm / other threat that only WE can protect you from!" then trying to get them published on independent-looking sites appears to be the official pastime of the security industry.

Reply Parent Score: 0

RE: Unconvinced
by on Thu 8th Dec 2005 09:13 in reply to "Unconvinced"
Member since:

I don't agree that it would be more convincing if it wasn't written by someone who actually deals with these kinds of problems.

If you need advice on biometric solutions, are you going to ask for information from someone who actually works with biometric products and knows the good and the bad points, or from a security consultant/blogger who just happens to write something on the subject?

Reply Parent Score: 0

RE[2]: Unconvinced
by AdamW on Thu 8th Dec 2005 09:18 in reply to "RE: Unconvinced"
AdamW Member since:
2005-07-06

That's not a fair comparison. This article doesn't purport to be written about digital vaults for the benefit of someone who's already decided they want a digital vault. It purports to be about a general security threat. It's like a biometric security salesperson writing an article about keeping your wine cellar safe but with the ultimate goal of selling you biometric security. It's not the same as a biometric security salesperson writing an article that is avowedly about biometric security.

And besides, even if they _know_ the bad points, do you really think a salesperson is going to _tell_ you about them? Only if they know you'll find out some other way anyway. Otherwise, not a chance. Do you see the drawbacks of digital vaults mentioned in this 'article'?

Edited 2005-12-08 09:19

Reply Parent Score: 1