orphan account

What is an orphan account?

An orphan account, also known as an orphaned account, is a user account that can still provide access to corporate systems, services and applications but no longer has a valid owner: no current employee, contractor or application team is responsible for it. It is the opposite of an active user account, which is owned by a current employee (or, for a service account, by a team) who is accountable for how it is used.

Any directory-backed account can become orphaned, including Active Directory and OpenLDAP user accounts as well as the service accounts that applications run under.

How are orphan accounts created?

Orphan accounts usually result from an employee leaving a company, moving into a new role or no longer needing a specific account, with nobody removing the access afterward. Organizations should have a process in place to deactivate accounts in these scenarios: disable the account (rather than deleting it outright) for a brief, predetermined grace period in case the status change is reversed, and once that period is over, delete the account and remove all of its associated data and permissions, a process called deprovisioning. If deprovisioning doesn't happen, those accounts become orphan accounts: unused, but still able to authenticate.

Orphaned accounts are security risks and should not be tolerated. For example, if a bank employee quits but their account is never disabled, they still hold valid credentials and could retain unauthorized access to customer data. An attacker who discovers an orphan account gains a foothold that looks like a legitimate login and can use it to move further into the environment.

Orphaned accounts and security

Orphaned accounts can pose the following security risks:

  • They act as an attack surface for unauthorized users. Unused accounts can still offer access to information such as email, credentials, sensitive data or intellectual property. Former account owners or attackers could gain access to private information and valuable resources even though no one legitimately needs the account any more.
  • They could allow applications to continue running. Application accounts that are not properly deprovisioned can continue to operate and to consume bandwidth and other resources. This is especially common with service accounts, because other applications keep using the account through error or misconfiguration.
  • They become weaker and more vulnerable over time. When nobody logs into an account, the account does not keep up with current security and password practices. Password rotations and security policy changes are often never applied to orphan accounts, so they retain weak, guessable or long-since-leaked credentials.
  • They raise the probability of illegitimate access. Even if the original account owner never tries to use the account again, credential sharing or credential theft could let an illegitimate user access a system through it.

How to avoid orphan accounts

Because of the vulnerabilities and security threats associated with orphaned accounts, organizations should make sure they discover them quickly. The most efficient way to identify orphan accounts and cut off inappropriate access is to audit user accounts regularly. An audit should determine which resources each legitimate account needs to access and the business purpose of each authorization, confirm that every account still has a valid, current owner, and detect accounts that are not used regularly or that do not follow security policy. Identifying these factors ensures that only authorized users keep uninterrupted access to the information they need while orphaned accounts are removed.
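The following script is an added illustration (not code from the article or from any vendor) of both the audit described above and the disable-then-delete grace period described earlier. It runs over a constructed directory export and a constructed HR roster; the account names, HR identifiers, dates and the three thresholds (90 days of inactivity, a 30-day grace period, 180-day password age) are assumptions chosen for the example. An account whose owner is missing from the roster is treated as orphaned: if it is still enabled it is marked for disabling, if it has been disabled for longer than the grace period it is marked for deletion, and otherwise it is held. Accounts with a valid owner are flagged for review when they are stale or their password has not been changed within policy.

```python
"""Orphan-account audit over a constructed directory export (added example).

All sample data and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVITY_DAYS = 90        # no logon for this long -> stale, needs review
GRACE_DAYS = 30             # disabled accounts are kept this long, then deleted
PASSWORD_MAX_AGE_DAYS = 180 # password older than this violates policy


@dataclass
class Account:
    name: str
    owner: Optional[str]         # HR id of the person or team responsible
    enabled: bool
    last_logon: Optional[date]   # None = never logged on
    pwd_last_set: date
    disabled_on: Optional[date] = None


def classify(acct: Account, hr_active: set, today: date) -> tuple:
    """Return (action, reasons) for one account.

    action is one of: 'ok', 'review', 'disable', 'hold', 'delete'.
    """
    reasons = []
    orphaned = acct.owner is None or acct.owner not in hr_active
    if orphaned:
        reasons.append("no owner recorded" if acct.owner is None
                       else f"owner {acct.owner} no longer active")
        if acct.enabled:
            return "disable", reasons            # start the grace period
        if acct.disabled_on is None:
            # Disabled, but nobody recorded when: hold rather than delete blindly.
            return "hold", reasons + ["disable date unknown"]
        if acct.disabled_on + timedelta(days=GRACE_DAYS) <= today:
            return "delete", reasons             # grace period elapsed: deprovision
        return "hold", reasons                   # still inside the grace period

    # Owner is valid: check whether the account is still used and maintained.
    if not acct.enabled:
        return "ok", ["disabled, valid owner"]   # e.g. leave of absence
    if acct.last_logon is None:
        reasons.append("never logged on")
    else:
        idle = (today - acct.last_logon).days
        if idle > INACTIVITY_DAYS:
            reasons.append(f"no logon for {idle} days")
    pwd_age = (today - acct.pwd_last_set).days
    if pwd_age > PASSWORD_MAX_AGE_DAYS:
        reasons.append(f"password unchanged for {pwd_age} days")
    return ("review", reasons) if reasons else ("ok", reasons)


def audit(accounts, hr_active, today):
    """Map each account name to its (action, reasons) verdict."""
    return {a.name: classify(a, hr_active, today) for a in accounts}


# Constructed sample data: the audit date, the HR roster of active people and
# teams, and a small directory export. None of it comes from a real system.
TODAY = date(2023, 8, 15)
HR_ACTIVE = {"e1001", "e1002", "team-payments"}
ACCOUNTS = [
    Account("alice", "e1001", True, date(2023, 8, 14), date(2023, 6, 1)),
    Account("bob", "e1002", True, date(2023, 3, 1), date(2022, 11, 1)),
    Account("carol", "e0999", True, date(2023, 8, 10), date(2023, 7, 1)),   # owner left
    Account("dave", "e0998", False, date(2023, 5, 2), date(2023, 1, 1),
            disabled_on=date(2023, 6, 30)),                                # left, disabled
    Account("svc-batch", None, True, None, date(2021, 2, 1)),              # service account, no owner
    Account("svc-pay", "team-payments", True, date(2023, 8, 15), date(2023, 5, 1)),
]

if __name__ == "__main__":
    for name, (action, reasons) in audit(ACCOUNTS, HR_ACTIVE, TODAY).items():
        print(f"{name:10} {action:8} {'; '.join(reasons)}")
```

In a real deployment the `ACCOUNTS` list would come from a directory export (for Active Directory, attributes such as `lastLogonTimestamp`, `pwdLastSet` and `userAccountControl`) and `HR_ACTIVE` from the HR system of record; the point of the example is the reconciliation logic, which is the same regardless of the source. Note that `carol` is still logging in but her owner is gone from HR, which is exactly the case a pure inactivity check would miss.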

This article was written by a TechTarget Contributor in 2019. TechTarget editors revised it in 2023 to improve the reader experience.

This was last updated in August 2023
