May 25, 2022

The Most Common Credential Management Errors — And How To Solve Them

Every organization relies on credentials in order to unlock the proprietary tools, platforms, and data necessary to perform essential business operations. But despite their importance, credential management errors abound in many enterprises — primarily resulting from human errors.

According to Verizon’s 2021 Data Breach Investigations Report, 85% of breaches were caused by human error with 60% of these breaches targeting user credentials. By taking the right approach to privileged access management (PAM), enterprises can shrink the chances of credential management errors and thereby reduce the risk of cyberattacks.

However, guaranteeing error-free credential management is easier said than done. Between end-user practices like credential sharing, the use of default or weak passwords, and the neglect of critical credential management steps, there are many common credential management errors that can compromise your enterprise data security.

In order to ensure the protection of important credentials, organizations must understand the challenges associated with credential management today. This article will explore why so many companies fall victim to these core credential management issues, and how to overcome them for stronger cybersecurity.


What You Should Know About Credential Management

What is Credential Management?

Credential management refers to the process of creating, storing, and managing digital identities and access permissions within an organization. This encompasses everything from user login details and personal access tokens to SSH keys and service account management.

Effective credential management ensures that only authenticated and authorized users can access the sensitive areas of an organization's digital environment, thereby protecting critical systems and data from unauthorized access.

Role of Credential Management in Today's IT Environment

In the current IT landscape, credential management plays a pivotal role in maintaining security and compliance. With the rise of remote work and cloud-based services, managing access rights has become more complex and vital than ever. Credential management ensures that proper user management and user recovery protocols are in place, enabling organizations to control who has access to what, and to monitor and audit that access effectively.

Why Is It Challenging to Manage Credentials Securely?

Managing credentials securely is challenging due to the dynamic nature of modern IT environments. Factors such as high employee turnover, the proliferation of devices, and the complexity of multi-cloud and hybrid infrastructures contribute to the difficulty.

Human error, a primary cause of breaches, compounds the problem, as does the growing sophistication of cybercriminals who exploit weaknesses in credential management for their gain.

Top 9 Credential Management Errors

Error One: Credential Sharing

Credential sharing — the sharing of one’s business credentials with unauthorized users for task completion — contributes to the unnecessary and dangerous exposure of enterprise data. Every new person who gains access to an important file, system, or insight becomes another vulnerability in your attack surface.

According to Kaspersky, 90% of all cyberattacks are successfully executed using information stolen from employees who unwittingly give their credentials away. This often happens as a result of hackers impersonating staff members and requesting credential sharing. Sharing credentials also breaches the least privilege principle, yielding human errors like forgetting to revoke access after credential sharing.

If credential sharing is known to be so dangerous, why does it keep happening? Unfortunately, sharing credentials is often faster and easier than going through lengthy, manual PAM processes. When stakeholders don’t get the relevant credentials they need to do their work, productivity falters and critical business operations get put on hold. But when credentials are shared to improve productivity, security is sacrificed.

Error Two: Poor Passwords

Poor password and key security causes an estimated 81% of data breaches. The issues resulting from password mismanagement are usually two sides of the same coin: passwords are either too simple, or too complex to store and remember effectively.

In many work environments, employees leverage the same or similar credentials for multiple company accounts — whether it be reusing passwords, using the same “base” passwords with slight modifications, or using simple passwords throughout business environments. Using similar and consistent credentials increases the likelihood of cybersecurity compromise since it enables hackers to unlock all credentials by exposing just one — the “master” credential. 

On the other end of the spectrum are employees who utilize many complex passwords that are difficult to remember and store. When complicated credentials are not managed properly, it’s easy to forget them entirely. This forces organizations to undergo mountains of forgotten password resets, which greatly drains time and resources. According to Gartner, it costs roughly $14 to $25 USD for every call related to lost and forgotten passwords — and half of total calls to an organization’s help desk are related to password mismanagement.

Error Three: Using Special Characters, Resulting In Weaker Passwords

Companies often require passwords to have special characters, hoping to promote less compromisable passwords. However, this can actually lead to simpler passwords that are more easily uncovered by malicious attackers.

People tend to make their passwords easier to remember when they have to use special characters, even repeating the same password for their many credentials. In order to combat this common practice, many organizations are changing credential management practices.

For instance, Microsoft’s password guidance advises organizations not to impose character composition requirements on their end-users and to avoid mandatory periodic credential resets. The White House also requires agencies to remove password policies that force end-users to use special characters, and to remove any password rotation requirements. We will likely see many other corporations follow suit in the very near future.

Error Four: Using Default Passwords for Critical Components Like Servers

It’s no secret that critical enterprise data needs to be highly secure. Standard PAM tools may work perfectly fine for common communications, but confidentiality requires robust security. Not only is classified information particularly valuable to hackers, but much of this data also needs to meet compliance and other industry-specific regulations.

Many organizations use default passwords for critical components like servers, trusting them because they look randomized (a series of random letters, digits, and sometimes symbols). However, these “randomized” passwords are pre-installed on the systems, so attackers who obtain the defaults can break straight into these critical systems.

Unfortunately, the randomness of default passwords causes them to seem more complex and foolproof than they actually are. This often gives end-users a false sense of security. 

Error Five: Overlooking SSH Keys

Like default passwords, SSH keys give many end-users a false sense of security when it comes to credential management. SSH keys are long strings of key material with a default key length of 1024 bits, which makes them significantly more secure than your average eight-character password. But sadly nothing is 100% resistant to cybersecurity attacks.

The complexity of SSH keys has led many to believe that these credentials don’t require proper, consistent management. But just like any potential vulnerability, SSH keys need to be monitored — arguably even more so than other credentials, since SSH keys often protect valuable information. The sensitive nature of SSH keys also makes mismanaged or misplaced keys a very serious cybersecurity threat.

It is also notoriously difficult to spot compromised SSH keys within an organization. When SSH keys are compromised by malicious attackers due to human error and mismanagement, the hacker appears legitimate because the key itself is legitimate — it’s just the end-user who is malicious. In fact, 80% of SSH keys go undetected by traditional solutions, making it even more difficult to detect malicious SSH key activity.
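As an added example (not SSH.COM's code), the audit below parses OpenSSH authorized_keys contents for several accounts and flags what the section above describes: keys nobody can attribute (no comment), RSA keys below a size threshold, and one key accepted by several accounts, which is credential sharing in key form. The sample keys, account names and the 2048-bit RSA threshold are all constructed for this example.

```python
import base64
import struct
MIN_RSA_BITS = 2048  # policy threshold assumed for this example, not an SSH.COM setting

def _read_string(buf, off):  # one length-prefixed field of the OpenSSH wire format
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_bits(blob):
    """Modulus size of a base64 ssh-rsa blob (type, e, n); None for other key types."""
    raw = base64.b64decode(blob)
    ktype, off = _read_string(raw, 0)
    if ktype != b"ssh-rsa":
        return None
    _e, off = _read_string(raw, off)  # public exponent, not needed here
    n, _ = _read_string(raw, off)     # modulus as mpint
    return int.from_bytes(n, "big").bit_length()

def audit_authorized_keys(files):
    """files maps account name -> authorized_keys text; returns (account, finding) pairs."""
    findings = []
    trusted_by = {}  # key blob -> set of accounts that accept it
    for account, text in files.items():
        for line in text.splitlines():
            parts = line.split()  # quoted options containing spaces are not handled here
            if not parts or parts[0].startswith("#"):
                continue
            # Options such as from= or command= may precede the key type field.
            idx = next((i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
            if idx is None or idx + 1 >= len(parts):
                findings.append((account, "unparseable line"))
                continue
            ktype, blob, comment = parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])
            trusted_by.setdefault(blob, set()).add(account)
            if ktype == "ssh-rsa":
                bits = key_bits(blob)
                if bits < MIN_RSA_BITS:
                    findings.append((account, f"rsa key only {bits} bits"))
            if not comment:
                findings.append((account, "key has no comment, owner unknown"))
    for accounts in trusted_by.values():
        if len(accounts) > 1:  # one key accepted by several accounts is a shared credential
            findings.append(("*", f"same key trusted by {sorted(accounts)}"))
    return findings

def _blob(ktype, *fields):
    """Constructed public-key blob in OpenSSH wire format (sample data, not a real key)."""
    wire = b"".join(struct.pack(">I", len(f)) + f for f in (ktype, *fields))
    return base64.b64encode(wire).decode()

# Constructed 1024-bit modulus; mpint rule: leading zero byte because the high bit is set.
RSA_1024 = _blob(b"ssh-rsa", b"\x01\x00\x01", b"\x00" + ((1 << 1023) | 1).to_bytes(128, "big"))
ED25519 = _blob(b"ssh-ed25519", bytes(32))
SAMPLE = {  # constructed authorized_keys contents for three accounts
    "deploy": "ssh-rsa " + RSA_1024 + " legacy@build01\n",
    "alice": "# alice's laptop\nssh-ed25519 " + ED25519 + " alice@laptop\n",
    "root": "ssh-rsa " + RSA_1024 + "\n",
}
```

Running `audit_authorized_keys(SAMPLE)` reports the weak and unattributed root key and the deploy/root key sharing, while alice's commented ed25519 key passes.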

Error Six: Onboarding and Offboarding Issues

One of the most error-ridden elements of credential management is the onboarding and offboarding of authorized users.

The primary issue associated with onboarding is credential sharing. In large organizations with complicated PAM processes, getting the right credentials to the relevant people can take days or even weeks. This forces employees to share their credentials with colleagues. According to ID Agent, 42% of people share their work login credentials with coworkers for collaborative purposes.

In addition to increasing the enterprise’s vulnerability to cyberattacks, shared credentials during the onboarding and offboarding process may yield inaccurate or inappropriate access rights. This could lead to unintentional human errors, such as a new user being granted editing access to data instead of viewing only, causing them to delete important information with the slip of a finger. It may also result in malicious attacks, such as a fired employee maintaining access to critical data after they have left the organization and selling it to a hacker for a large sum. This is the primary concern associated with employee offboarding.

Forgetting to remove collaborators during the offboarding process can yield many cybersecurity issues, but this critical step is often neglected. Offboarding users usually takes a backseat to onboarding new users, which is already a slow and cumbersome process. Organizations must be diligent in both their onboarding and offboarding practices and should take the time and effort necessary to ensure that privileges are granted and revoked as appropriate. 

Error Seven: Not Complying with the Principle of Least Privilege

The principle of least privilege enforces the restriction of access rights to the minimal levels of privilege necessary for each end-user to work productively. The least privilege principle is well-known by many involved in cybersecurity, and yet it is rarely followed.

Enforcing the principle of least privilege helps organizations minimize the negative impact of stolen and misused credentials. Since all credentials can be copied or shared, too many people having access to certain credentials multiplies the likelihood that these credentials will be found, copied, and shared with malicious intent. 

Controlling the impact radius matters: if the number of admin-level credentials is limited to a bare minimum, the likelihood of bad actors getting hold of them decreases dramatically. But with all the issues associated with onboarding and offboarding users, many organizations find it difficult to follow this principle effectively.

Companies that don’t follow the least privilege principle often suffer from other complications besides increased cybersecurity threats — these might include a lack of credential management visibility and accountability. When no one is formally responsible for ensuring that the least privilege principle is being upheld, stakeholders don’t know how much or how little privilege they need to work productively. As a result, credentials aren’t properly safeguarded and cybersecurity threats expand rapidly.
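As an added example (not SSH.COM's code) covering both the offboarding problem of Error Six and the admin-credential sprawl of Error Seven, the check below joins an HR roster against a list of accounts and reports accounts still enabled for people who have left, enabled accounts nobody owns, admin privilege that has not been exercised for months, and an admin headcount above a policy ceiling. The roster, accounts, reference date and the two policy values are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy values assumed for this example, not taken from any product or standard.
MAX_ADMINS = 2   # ceiling on enabled admin-level accounts for one system
STALE_DAYS = 90  # admin privilege unused for this long is a candidate for removal

@dataclass
class Account:
    username: str
    owner: str                  # HR employee id, "" if nobody claims the account
    enabled: bool
    admin: bool
    last_login: Optional[date]  # None if the account has never logged in

def reconcile(roster, accounts, today):
    """roster maps employee id -> "active" | "terminated"; returns (username, finding) pairs."""
    findings = []
    stale_before = today - timedelta(days=STALE_DAYS)
    for a in accounts:
        status = roster.get(a.owner)
        if a.enabled and status == "terminated":
            findings.append((a.username, "enabled account owned by a terminated employee"))
        elif a.enabled and status is None:
            findings.append((a.username, "enabled account with no owner in the roster"))
        if a.admin and a.enabled and (a.last_login is None or a.last_login < stale_before):
            findings.append((a.username, f"admin privilege unused for more than {STALE_DAYS} days"))
    admins = sorted(a.username for a in accounts if a.admin and a.enabled)
    if len(admins) > MAX_ADMINS:
        findings.append(("*", f"{len(admins)} enabled admin accounts exceed ceiling of {MAX_ADMINS}: {admins}"))
    return findings

TODAY = date(2022, 5, 25)  # constructed reference date (the post's publication date)
ROSTER = {"e100": "active", "e101": "active", "e102": "terminated"}  # constructed HR roster
ACCOUNTS = [  # constructed, not real directory data
    Account("alice", "e100", True, True, date(2022, 5, 20)),   # active admin, recently used
    Account("bob", "e101", True, True, date(2022, 1, 10)),     # active admin, privilege idle
    Account("carol", "e102", True, False, date(2022, 3, 1)),   # left the company, never offboarded
    Account("svc-backup", "", True, True, None),               # unowned service account with admin
    Account("dave", "e102", False, True, date(2021, 12, 1)),   # left the company, correctly disabled
]
```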

Error Eight: Poor Password Storage

According to a HYPR study, 35% of people store all their passwords using manual methods: written down in notebooks or on sticky notes, or filed away in Excel spreadsheets. These manual password storage approaches may work for some, but they’re extremely outdated and vulnerable to exploitation.

When employees don’t store their passwords well, they can easily become lost or compromised. Poor password storage also makes it easy for end-users to repeat passwords, or use very similar credentials for multiple business accounts. Manual password storage also makes it more difficult for users to update passwords regularly, remember their changes, and delete irrelevant credentials. All these habits turn credentials into attack vectors that a malicious attacker could easily take advantage of.

Error Nine: Not Rotating Passwords

Rotating passwords regularly plays an important role in preventing cyberattacks. The younger your password is, the less opportunity a cybercriminal has to exploit it before it has been updated. Similarly, the older a credential is, the higher the likelihood of it eventually being compromised. 

But without the right solution, password rotation can also be error-prone. When you implement a credential management system that requires password rotation, it requires additional changes to your environment. If your tool uses both password rotation and vaulting (password and key storage) you will need to modify configurations on both the client and server side. These complicated processes can lead to human errors that jeopardize the security of valuable credentials.

There are also major costs associated with changing and rotating passwords. Large organizations could spend $1 million USD annually on password change support according to Forrester, with most expenses related to infrastructure and staffing. Password rotation and password reset tickets are also costly — as we touched on earlier, Gartner found that 50% of all help desk calls are related to forgotten or lost passwords, with each one costing roughly $20 on average. 

Despite password rotation being of critical importance to enterprise security, many PAM systems that require organizations to rotate, change, and vault their passwords are difficult to use and may result in end-users neglecting their responsibility to rotate credentials regularly. Enterprises hoping to leave the burden of credential rotation behind them are turning to passwordless solutions to future-proof their cybersecurity. 

Reduce Credential Management Errors with SSH

These nine common credential management errors are all associated with the handling and maintenance of passwords and other permanent credentials. In fact, poor passwords and key security make up 81% of data breaches — meaning removing passwords alone can dramatically reduce a company’s vulnerability to cybersecurity threats.

With SSH Zero Trust Access Management, you can migrate to a passwordless and keyless environment at your own pace. With non-intrusive deployment, SSH enables you to begin going credentialless while continuing to manage existing passwords and keys in the meantime. This contributes to more secure, organized, and manageable credential management processes.

In our Zero Trust Suite, SSH keys boast unique just-in-time (JIT) tickets that are ephemeral, disappearing immediately after they have been used. This allows you to limit the number of permanent passwords in your enterprise system, while entirely eliminating the need to store, vault, and rotate credentials. As a result, you can drastically reduce cybersecurity and compliance concerns while improving your credential management operations.

Many household names — including Gartner, Microsoft, Uber, Facebook, and Netflix — are now recognizing passwordless as the future of cybersecurity. It’s time to get on board. With a passwordless approach, you can safeguard your enterprise data using a more secure and less error-prone approach to credential management. 

Secure Your Critical Communications with PrivX Zero Trust Suite by SSH

SSH Zero Trust Suite is designed to revolutionize how your organization handles credential management. The implementation of a zero trust approach ensures that no one is trusted by default from inside or outside the network, and verification is required from everyone trying to gain access to resources within the network. To learn more about how to secure your high-impact assets, read the solution description here.

Ready to see SSH Zero Trust Suite in action? Book a demo today. Experience firsthand how your organization's security posture can be enhanced with an intuitive interface and powerful features. Don't wait for the next security breach—secure your credentials now.

FAQ

What are common credential management errors that lead to bad requests and internal server errors?

Common credential management errors include misconfigured request headers and invalid token management. These issues can lead to bad requests and internal server errors due to improper handling of user action signatures and x-dfns-nonce headers. Ensuring proper configuration and adherence to security protocols can mitigate these errors.

How does weak password hygiene contribute to credential management errors and unauthorized access?

Weak password hygiene, such as password reuse attacks and inadequate password aging, significantly increases credential management errors. These practices make it easier for attackers to exploit vulnerabilities and gain unauthorized access to authenticated endpoints, compromising infrastructure security.

What is the role of weakness enumeration in identifying and preventing common credential management errors?

Weakness enumeration, part of the common weakness enumeration (CWE) community-developed list, helps identify and categorize vulnerabilities in credential management. This process aids in pinpointing common weaknesses, such as poor token management and invalid user action signing, allowing for targeted improvements in security measures.

How can application management improve the handling of user login credentials and reduce forbidden access issues?

Effective application management includes implementing robust user registration processes and delegated authentication mechanisms. This approach ensures valid user actions and minimizes forbidden access issues by properly managing request headers and user action signatures within authenticated endpoints.

What best practices in API documentation can help mitigate common weaknesses and errors in credential management?

API documentation should emphasize the correct use of request headers and x-dfns-useraction headers. It should also highlight best practices for token management and user action signing. Following these guidelines helps mitigate common weaknesses and ensures secure interaction with authenticated endpoints.

Jani Virkkula

Currently employed by SSH.COM as Product Marketing Manager, Jani is a mixed-marketing artist with a strong background in operator and cybersecurity businesses. His career path of translator -> tech writer -> marketer allows him to draw inspiration from different sources and gives him a unique perspective on all types...
