aa-2 Critical priority Account Security

Unique credentials are used and shared accounts are eliminated

Shared accounts make it impossible to attribute actions to a specific person, prevent effective offboarding, and mean that one compromised credential gives access to everyone who shared it. Every person must have a unique account. Service accounts must be distinct from human accounts. Default vendor credentials must be changed immediately on deployment.

Implementation steps

  1. Audit for shared and default accounts

    Review all accounts across your systems for shared credentials: generic accounts like 'admin', 'service', 'test', team-shared email accounts, and any default vendor credentials that have not been changed. Disable or migrate shared accounts to individual accounts. Change all default credentials immediately.

    okta aws-iam google-workspace
  2. Provision individual accounts for every user

    Ensure every person who accesses business systems has their own account tied to their identity. Use your SSO provider as the single source of truth, so that disabling a person there revokes their access everywhere at offboarding. Service-to-service authentication should use dedicated service accounts or machine identities with a documented owner, not human account credentials.

    okta google-workspace azure-ad
  3. Deploy a password manager for credential hygiene

    Provide all employees access to a company-managed password manager. This makes strong, unique credentials practical for every service, surfaces reused passwords so they can be rotated, and keeps credentials out of spreadsheets and notes. Enforce use for all work accounts.

    1password bitwarden dashlane
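A worked illustration of the audit in step 1, added here and not part of the control text or any of the listed vendors' tooling: it runs a few heuristics over a constructed, IAM-style directory export and flags accounts that look shared, generic, default-credentialed or ownerless. The record fields (user, kind, owner_email, created, password_last_changed, login_ips) and the flag thresholds are assumptions about what an export might contain; real exports from Okta, AWS IAM or Google Workspace will need their fields mapped onto these. The findings are leads for a human reviewer, not proof that an account is shared.

```python
"""Heuristic audit of a directory export for shared, generic and default accounts.

Added example; the records and field names below are constructed and are
assumptions about a directory or IAM export, not any vendor's real schema.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Finding codes returned by audit(); a reviewer triages each one by hand.
GENERIC_NAME = "generic-name"              # 'admin', 'test', 'shared-...'
NO_OWNER = "no-owner"                      # no named person responsible
DEFAULT_CRED = "default-credential-suspected"  # password never changed since creation
MULTI_SOURCE = "multi-source-login"        # one identity used from many places

# Names that are commonly shared or vendor defaults. Matches "admin", "admin-2",
# "shared_mailbox", "team-finance"; does not match "alice.jones" or "administrator2".
GENERIC_PATTERN = re.compile(
    r"^(admin|administrator|root|service|svc|test|guest|shared|team)(?:[-_.]\w+)?$",
    re.IGNORECASE,
)

# Assumed threshold: a human account seen from this many distinct source IPs in the
# export window is worth a look, since one person rarely logs in from three networks.
MULTI_SOURCE_THRESHOLD = 3


@dataclass
class Account:
    user: str
    kind: str                         # "human" or "service" (assumed export field)
    owner_email: str | None           # person responsible; None if undocumented
    created: str                      # ISO date
    password_last_changed: str | None  # None for accounts without a password
    login_ips: set[str] = field(default_factory=set)  # distinct sources in window


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return {user: [finding codes]} for every account that needs review."""
    findings: dict[str, list[str]] = {}
    for a in accounts:
        reasons: list[str] = []
        if a.kind == "service":
            # Service accounts are allowed, but only with a documented owner
            # (the evidence list asks for exactly this).
            if not a.owner_email:
                reasons.append(NO_OWNER)
        else:
            if GENERIC_PATTERN.match(a.user):
                reasons.append(GENERIC_NAME)
            if not a.owner_email:
                reasons.append(NO_OWNER)
            # A password that still dates from account creation is the classic
            # signature of an unchanged vendor or bootstrap default.
            if a.password_last_changed is not None and a.password_last_changed == a.created:
                reasons.append(DEFAULT_CRED)
            if len(a.login_ips) >= MULTI_SOURCE_THRESHOLD:
                reasons.append(MULTI_SOURCE)
        if reasons:
            findings[a.user] = reasons
    return findings


# Constructed sample export: the IPs are documentation ranges, the people fictional.
SAMPLE_EXPORT = [
    Account("alice.jones", "human", "alice.jones@example.com", "2023-01-10", "2024-05-02", {"203.0.113.4"}),
    Account("admin", "human", None, "2022-06-01", "2022-06-01", {"203.0.113.4", "198.51.100.7", "192.0.2.9"}),
    Account("test", "human", None, "2023-09-01", "2023-09-01", {"198.51.100.7"}),
    Account("bob.smith", "human", "bob.smith@example.com", "2023-02-11", "2023-02-11", {"203.0.113.4", "198.51.100.7", "192.0.2.9"}),
    Account("svc-backup", "service", "ops-lead@example.com", "2023-03-15", None, set()),
    Account("svc-legacy", "service", None, "2021-11-30", None, set()),
]


if __name__ == "__main__":
    for user, reasons in audit(SAMPLE_EXPORT).items():
        print(f"{user}: {', '.join(reasons)}")
```

Note that bob.smith is flagged even though the name looks personal: the unchanged bootstrap password plus logins from three networks is the pattern of a personal account whose credentials were handed around, which a name-based review alone would miss. svc-backup passes because it has a documented owner; svc-legacy does not.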

Evidence required

Account audit results

Evidence that shared and default accounts have been identified and eliminated.

  • User directory showing unique accounts per individual
  • Password manager deployment report showing employee enrollment
  • Audit of service accounts with ownership documented

Related controls