Who knows the password?

I have spent a lot of time recently talking about passwords, and I think the reason that I can’t seem to get off the subject is that there is so much that has to change about the way passwords are actually handled by companies. Most recently I had a discussion that caused me to poll several clients about how they tracked who knew each of the myriad passwords in their organization. The resounding and unanimous answer was, “oh, maybe we should do that”.

If you know who knows each password (even if you don’t document the passwords), then you have a much better chance of getting access to the system you need when access is needed most. Also, if you track the names of everyone who has ever been told the password to, for instance, your Cisco router, then when Joe leaves the company you at least have some justification for deciding not to change that password, aside from it being too hard to bother.

You will find that people get much less freaked out than you might think when you start maintaining a document that shows who knows each of the passwords you care about. You will be surprised at just how big the list becomes if you put any effort at all into it. This practice not only serves the purposes I have already pointed to, but it also helps you avoid that really scary situation when you have to call an ex-employee and ask them if they remember the password to a critical system.
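A minimal version of such a document, kept as a ledger and queried in Python. This is an added example, not something from the original post; the credential names, people, dates and the "rotated" event are constructed assumptions. It goes one step beyond the post by treating a password change as resetting the list of people who know it.

```python
from datetime import date

# Constructed sample ledger: (date, event, credential, person).
# "told"    = person was given the current password (the password itself is never stored).
# "rotated" = password was changed; everyone who knew the old value no longer counts.
LEDGER = [
    (date(2005, 1, 10), "told", "cisco-router", "joe"),
    (date(2005, 1, 10), "told", "cisco-router", "ann"),
    (date(2005, 2, 1), "told", "backup-server", "joe"),
    (date(2005, 3, 5), "rotated", "cisco-router", None),
    (date(2005, 3, 6), "told", "cisco-router", "ann"),
    (date(2005, 4, 2), "told", "payroll-db", "sam"),
]

def current_knowers(ledger):
    """Map each credential to the set of people who know its current value."""
    knowers = {}
    # Sort on the date only; the sort is stable, so same-day events keep ledger order.
    for _, event, cred, person in sorted(ledger, key=lambda e: e[0]):
        if event == "rotated":
            knowers[cred] = set()
        elif event == "told":
            knowers.setdefault(cred, set()).add(person)
        else:
            raise ValueError(f"unknown event {event!r}")
    return knowers

def rotate_on_departure(ledger, person):
    """Credentials whose current password the departing person knows."""
    return sorted(c for c, who in current_knowers(ledger).items() if person in who)

def orphaned(ledger, staff):
    """Credentials nobody on current staff knows: the 'call an ex-employee' case."""
    staff = set(staff)
    return sorted(c for c, who in current_knowers(ledger).items() if not who & staff)

if __name__ == "__main__":
    print("Change when joe leaves:", rotate_on_departure(LEDGER, "joe"))
    print("Known to no one once joe is gone:", orphaned(LEDGER, ["ann", "sam"]))
```

Running `orphaned` against the current staff list before someone's last day shows which passwords need to be handed over or changed while that person is still available.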

Expect more food for thought on passwords as I am becoming convinced that it is a bottomless pit of best practices that no one seems to be practicing.

Security Sector in Consolidation?

I am seeing the signs that the security business is going through a consolidation as some of the bigger names buy up smaller firms to cover their bases. Most recently, VeriSign bought iDefense for $40 million. I don’t think this is THE consolidation, as there are many, many more security plays yet to occur (we aren’t quite done with security as it hasn’t become a solution yet), but it is interesting to see the giants scramble. Let the bidding begin…