Password management, I hate it! After 25 years in the business, I still don't have a great way to handle a large amount of passwords. I recently upped he number of personal accounts that I directly manage. I now have 22 accounts that I get to remember a login and password for. This does not include any work-related accounts. There have been times where I have had 100 servers to remember a login and password for. I have tried many different ways to manage the password menagerie, including Excel spreadsheets, single sign-on, encrypted files, password management software, and random password generators.
It's not that I can't generate a creative password. The problem comes when I need to use them; I just cannot seem to remember them when I need them. Here is a typical scenario: You are a systems administrator and you manage 50 servers. You ae using a password generator and change passwords on the first of every month. You set your generator to create a password 12 characters in length and end up with X8uhN90JQQ1B. Good luck remembering this password. So, you have no choice but to write it down. You just violated more best practices than I care to document here.
Now we have to answer the age-old question, do we use the same password on every server? My recommendation is not to do it. What I have done in the past is to group servers by function: development, test/QA, and production. Creating separate passwords for all three will add another layer of protection and impress the auditors as well. The environment that I described is a fairly small one. Let's consider a shop where you are responsible for servers (UNIX and Windows), routers and firewalls. You can easily see how the problem compounds.
The password problem has spread out of the data center and to mobile devices. Many users, including IT professionals, do not even bother to secure their devices, or use poor passwords to protect them. Credant Technologies recently published a survey of 227 IT professionals asking how they protect their devices. Thirty-five percent of IT professionals surveyed said that they do not even bother to use a password to protect their device. This was marginally better than non-IT professionals, among which 40 percent admitted to not using a password. Who wants a password on their mobile device, anyhow? It's just another password to remember, right? (Of course, I am being facetious.)
The problem is not going to go away. In fact, it's just going to keep growing. Technologies such as virtualization make it very easy to configure new servers with little effort. I don't have an end-all be-all answer except to consolidate. Maybe we should go back to the monolithic model of centralized processing. There is a lot to be said for remembering just one password.