by quanticle 4708 days ago
I think the author is missing the real problem. Why is there a single "admin" account at all? Why don't users log in with their "normal" user accounts, and then use some kind of authenticated, audited privilege escalation (like sudo, for example) to perform tasks that require administrative privileges?

Seriously. I almost stopped reading after this bit...

'specially for infrastructure accounts (if your company uses SSH, chances are you have one Unix Login that all your admins/employees share). Which makes non-repudiation harder.'

Chances are???? What credible sys admin would ever do something like that...?

Oftentimes, the decisions admins make are determined by the needs of management of fellow employees.

I have on frequent occasions mouthed words along these lines: "It's a bad idea to do it that way, but I can see how it would be much cheaper, more efficient or easier to teach employees, so I will tell you the best way to do this bad thing."

You can carefully set up the best security possible, but the instant that a client or bigwig is waiting on something because of it, credentials will be shared and you or other employees may be ordered to share them.

It's just how it is.

A lovely anecdote: When I worked for Bellsouth.net, the ISP, our router credentials started with a shared admin/(password) pair. The change happened, according to speculation, because of a breach that couldn't be tracked back to a specific user.

If a company's smart, it'll only take one such complication to change that behavior. That behavior barely made sense in 1999, though, and any company using shared super-user privileges in 2013 is just asking for a world of hurt...

Right, even in the worst shops I've worked in I never saw that. It's madness.