IA-5(1) / A.9.4.3 / CIS-5.2 NIST SP 800-53 Rev 5

No password reuse across services for admins

Demonstrate that administrative accounts employ unique passwords across all systems and services, with technical or procedural mechanisms preventing password reuse.

Description

What this control does

This control requires that administrative accounts use unique passwords that are not reused across multiple systems, applications, or services within the organization's IT environment. Password uniqueness is enforced through technical controls such as password history checks, identity governance platforms that detect duplicate hashes, or administrative policy paired with monitoring. This prevents lateral movement and privilege escalation when an attacker compromises one administrative credential, limiting breach scope to a single service rather than enabling domain-wide compromise.

Control objective

What auditing this proves

Demonstrate that administrative accounts employ unique passwords across all systems and services, with technical or procedural mechanisms preventing password reuse.

Associated risks

Risks this control addresses

  • Compromise of a single administrative password grants an attacker access to multiple critical systems if passwords are reused
  • Credential stuffing attacks successfully authenticate to multiple administrative interfaces using a single stolen password
  • Phishing or malware-captured administrative credentials enable lateral movement across enterprise infrastructure without additional exploitation
  • Insider threats or former administrators retain access to multiple systems after credential exposure on one platform
  • Third-party breaches exposing administrative credentials compromise internal systems sharing the same passwords
  • Insufficient audit trails obscure the scope of unauthorized administrative activity when reused credentials are exploited across services
  • Compliance violations and regulatory penalties result from failure to implement privileged account protection requirements

Testing procedure

How an auditor verifies this control

  1. Obtain a complete inventory of all administrative accounts across systems, applications, cloud platforms, databases, network devices, and security tools from identity management systems or access control records
  2. Review organizational password policies, privileged access management (PAM) documentation, and identity governance procedures to identify stated requirements for password uniqueness across services
  3. Select a representative sample of at least 20 administrative accounts spanning different user identities, roles, and system types for detailed examination
  4. Request password hash exports or one-way encrypted password representations from sampled systems where technically feasible and authorized by management
  5. Compare password hashes across systems for each sampled administrative identity to identify duplicate values indicating password reuse
  6. Interview IT administrators and privileged users from the sample to verify awareness of password uniqueness requirements and their compliance practices
  7. Review PAM system logs, password vault audit trails, or identity governance platform reports for evidence of unique password generation and rotation for administrative accounts
  8. Test technical enforcement mechanisms by attempting to set duplicate passwords for a test administrative account across two different systems to verify prevention controls

Evidence required

Collect password policy documentation requiring unique administrative passwords, privileged access management system configuration exports showing password uniqueness enforcement, identity governance platform reports demonstrating distinct password hashes per service for sampled accounts, PAM vault audit logs reflecting unique credential storage, screenshots of attempted duplicate password rejection during testing, and signed attestations from IT administrators acknowledging password uniqueness requirements.

Pass criteria

All sampled administrative accounts demonstrate unique passwords across systems through hash comparison or PAM vault segregation, technical controls actively prevent or detect password reuse, and administrative users confirm awareness and adherence to uniqueness requirements.
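A worked illustration of the hash comparison in step 5, added here as an example; it is not part of the control text and not the output of any identity governance product. It assumes a record layout (identity, system, algorithm, salt, digest) and uses constructed sample data. It also handles the point the step leaves implicit: two digests are only comparable when both systems hashed with the same algorithm and salt, so the script reports which systems could not be checked by hash at all and need PAM vault evidence or interviews instead, rather than silently reporting them as clean.

```python
"""Detect administrative password reuse from exported hash records.

Added example for the audit step "compare password hashes across systems
for each sampled administrative identity". Field names, the record
layout and the sample data below are assumptions constructed for this
illustration, not a real export format.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class HashRecord:
    identity: str   # the person, so one identity may own several admin logins
    system: str     # system or service that produced the export
    algorithm: str  # hash algorithm reported by the export (e.g. "ntlm", "sha512crypt")
    salt: str       # salt bound to this record; "" for unsalted schemes
    digest: str     # hex digest as exported


def find_reuse(records: List[HashRecord]) -> Dict[str, List[Tuple[str, ...]]]:
    """Return {identity: [sorted tuple of systems sharing one digest, ...]}.

    Digests are grouped together with algorithm and salt: the same password
    hashed under a different scheme or salt yields a different digest, so
    only same-scheme matches are evidence of reuse.
    """
    groups: Dict[Tuple[str, str, str, str], Set[str]] = defaultdict(set)
    for r in records:
        key = (r.identity, r.algorithm.lower(), r.salt, r.digest.lower())
        groups[key].add(r.system)
    reuse: Dict[str, List[Tuple[str, ...]]] = defaultdict(list)
    for (identity, _alg, _salt, _digest), systems in groups.items():
        if len(systems) > 1:
            reuse[identity].append(tuple(sorted(systems)))
    return {identity: sorted(hits) for identity, hits in reuse.items()}


def find_incomparable(records: List[HashRecord]) -> Dict[str, Set[str]]:
    """Return {identity: systems whose digest has no same-scheme peer}.

    A system is listed when no other system for that identity uses the same
    algorithm and salt; hash comparison can prove nothing about it, and the
    auditor must fall back to PAM vault evidence or interviews.
    """
    by_scheme: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    for r in records:
        by_scheme[(r.identity, r.algorithm.lower(), r.salt)].add(r.system)
    out: Dict[str, Set[str]] = defaultdict(set)
    for (identity, _alg, _salt), systems in by_scheme.items():
        if len(systems) == 1:
            out[identity] |= systems
    return dict(out)


def summarize(records: List[HashRecord]) -> List[str]:
    """One finding line per identity outcome: FAIL, UNVERIFIED or PASS."""
    reuse = find_reuse(records)
    unchecked = find_incomparable(records)
    lines: List[str] = []
    for identity in sorted({r.identity for r in records}):
        for systems in reuse.get(identity, []):
            lines.append(f"FAIL {identity}: same password on {', '.join(systems)}")
        if identity in unchecked:
            lines.append(f"UNVERIFIED {identity}: hash comparison not possible for "
                         f"{', '.join(sorted(unchecked[identity]))}; "
                         "use PAM vault evidence or interview")
        if identity not in reuse and identity not in unchecked:
            lines.append(f"PASS {identity}: no shared digests across comparable systems")
    return lines


# Constructed sample export (digests are placeholders, not real hashes).
SAMPLE: List[HashRecord] = [
    HashRecord("alice", "ad-domain", "ntlm", "", "AAA111"),        # upper-case on purpose
    HashRecord("alice", "firewall-mgmt", "ntlm", "", "aaa111"),    # same digest -> reuse
    HashRecord("alice", "db-prod", "sha512crypt", "s1", "zzz999"), # different scheme
    HashRecord("bob", "ad-domain", "ntlm", "", "bbb222"),
    HashRecord("bob", "firewall-mgmt", "ntlm", "", "ccc333"),
    HashRecord("bob", "jump-host", "ntlm", "", "bbb222"),          # reuse with ad-domain
    HashRecord("carol", "ad-domain", "ntlm", "", "eee555"),        # no same-scheme peer
    HashRecord("carol", "db-prod", "sha512crypt", "s2", "fff666"), # no same-scheme peer
    HashRecord("dave", "ad-domain", "ntlm", "", "ggg777"),
    HashRecord("dave", "jump-host", "ntlm", "", "hhh888"),         # distinct -> pass
]

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Only the FAIL lines are hash-based evidence of reuse; the UNVERIFIED lines are where a sample would otherwise be reported as clean when in fact nothing was checked, which is why the pass criteria accept PAM vault segregation as the alternative evidence for such systems.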

Where this control is tested

Audit programs including this control