No default (e.g. vendor-supplied), obsolete, or test accounts should exist. Each user should have an individual account, and accounts should be issued and remain active only for the people or systems that have been granted access for their job or role. Put automatic expiry dates on temporary accounts. Review accounts periodically to identify any that should be disabled or deleted. Use strong passwords or passphrases and implement multi-factor authentication, especially for accounts with elevated privileges.
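The review described above is straightforward to automate. The following is an added example, not code from the original page or from any project it cites: it runs the account-hygiene checks over a constructed account list and reports default or test names, expired temporary accounts, inactive accounts, and privileged accounts without MFA. The `Account` fields, the `DEFAULT_OR_TEST_NAMES` list and the 90-day inactivity threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Names that commonly ship with products or get created during testing.
# Assumption: this list is illustrative; extend it with the vendor defaults
# and test conventions used in your own environment.
DEFAULT_OR_TEST_NAMES = {"admin", "root", "guest", "test", "demo", "sa", "vendor", "support"}


@dataclass
class Account:
    username: str
    last_login: Optional[date]   # None if the account has never logged in
    expires: Optional[date]      # set only for temporary accounts
    privileged: bool
    mfa_enabled: bool
    enabled: bool


def review_accounts(accounts: List[Account], today: date,
                    inactive_after: timedelta = timedelta(days=90)) -> List[Tuple[str, str]]:
    """Return (username, finding) pairs for enabled accounts that violate the policy."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled; nothing to act on
        name = a.username.lower()
        if name in DEFAULT_OR_TEST_NAMES or name.startswith("test"):
            findings.append((a.username, "default_or_test_account"))
        if a.expires is not None and a.expires < today:
            findings.append((a.username, "temporary_account_expired"))
        if a.last_login is None or today - a.last_login > inactive_after:
            findings.append((a.username, "inactive_account"))
        if a.privileged and not a.mfa_enabled:
            findings.append((a.username, "privileged_without_mfa"))
    return findings


# Constructed sample data (not from any real system).
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 5, 30), None, True, True, True),              # compliant
    Account("admin", date(2024, 5, 1), None, True, False, True),              # vendor default, no MFA
    Account("contractor_bob", date(2024, 2, 1), date(2024, 3, 31), False, False, True),  # temp account past expiry, inactive
    Account("test_user", None, None, False, False, True),                    # test account, never used
    Account("olduser", date(2023, 12, 1), None, False, False, False),        # already disabled, skipped
]


if __name__ == "__main__":
    for username, finding in review_accounts(SAMPLE_ACCOUNTS, TODAY):
        print(f"{username}: {finding}")
```

Run it as a scheduled job against an export from your identity provider or user table and feed the findings into the periodic account review; the expiry check in particular lets temporary accounts be disabled automatically instead of relying on someone remembering.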
Javier can authenticate using default, test or easily guessable credentials, or can use an old account or an account that the application does not need
OWASP ASVS (4.0): 4.1.5
CAPEC: 70
OWASP SCP: 54, 175, 178
OWASP AppSensor: AE12, HT3
SAFECode: 28
ASVS V4.1 - General Access Control Design
Password Guessing/Brute Force Attacks