If your vendors have usernames/passwords on your systems "for support", then your attackers have usernames/passwords "for abuse". #sec101