Slashdot Mirror


40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms are undermining them. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff. 
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.

116 comments

  1. We use a spread sheet! by Anonymous Coward · · Score: 0

    And damn proud of it.

    but we do keep them on USB keys in our vault so I like to think that balances it out

    1. Re:We use a spread sheet! by hey! · · Score: 1

      Well, let's hope your spreadsheet software isn't configured to run unsigned macros.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Dumb question, but where should we store them? by Anonymous Coward · · Score: 5, Insightful

    I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.

    1. Re: Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      PS: currently a whiteboard in the lab.

    2. Re:Dumb question, but where should we store them? by Joe_Dragon · · Score: 2

      What about using LDAP linked to AD so each dev has their own logins?

    3. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 2, Insightful

      Yeah, I'm kind of confused about this. At some point, there's going to be a storage container for passwords, and that storage container is probably going to be a document of some sort. Now that doesn't mean the document isn't protected and encrypted, but it's still very likely going to be a simple text or doc file at the core of it.

    4. Re:Dumb question, but where should we store them? by ShanghaiBill · · Score: 1

      Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc.

      The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be correcthorsebatterystaple0916.

      I always use "correcthorsebatterystaple" for the base of the PW because I have heard that is an extremely secure PW.

    5. Re:Dumb question, but where should we store them? by hcs_$reboot · · Score: 3, Informative

      That's not a dumb question. Organizations where people come and go, where hundreds of passwords have to be kept, need safe access to a password database. Why not an Excel or Word doc, as long as it is in a safe place and encrypted with a strong master password?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    6. Re:Dumb question, but where should we store them? by flargleblarg · · Score: 1

      The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be clownhorsepenisstaple0916.

      FTFY

    7. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 1

      My boss has me store the root passwords to 100's of servers in a spreadsheet. We have to change the passwords every 60 days and we have to use randomly generated 15-character passwords. The spreadsheet (Excel) uses the standard Excel password and he has me put it on a SharePoint server. No clue who has access to the SharePoint server.

      Every time we update them he also has me print out a copy and put it in an envelope which he keeps in his desk just in case something happens to me.

    8. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      Posting AC because I'm a potential victim of both AD and CyberArk. If AD or CyberArk is the question, then the answer is "no". Go with something that's purely Unix. Stop being beholden to Microsoft.

    9. Re:Dumb question, but where should we store them? by fahrbot-bot · · Score: 1

      clownhorsepenisstaple0916.

      Soooo close the the Trump / Pence signs I've seen. :-)

      --
      It must have been something you assimilated. . . .
    10. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 2, Insightful

      If you aren't interested in paying for a license, check out KeePass. If you want to be legit (i.e.: you want to pay a for commercial license and you want a multi-user solution where everyone can share) you should use something like PasswordState. Both user and group controls, excellent audit trails and tons more features.

      https://www.clickstudios.com.au/
      https://www.youtube.com/watch?v=l98qPyTcbug

    11. Re: Dumb question, but where should we store them? by AJWM · · Score: 3, Interesting

      PS: currently a whiteboard in the lab.

      Heh. Back in my college (mainframe!) days, one of the systems guys had a blackboard in his office, and up in one corner were a few innocuous characters (something like "&:*").

      Now, I was just a student, but spent enough time hanging around the computer center to know most of these guys. I noticed this one day and said "Jay, is it really a good idea to have the system privcode [essentially, the root password on that OS] in plain sight like that?", and grinned as his face turned white, then red. At least it wasn't "1234".

      I'd learned it from a 2-inch thick stack of printout of the OS source code I'd found in the dumpster, it had been hardcoded into a function call. (I couldn't believe it was that simple when I first found it, but checking the Espol manual -- which I'd been given by a guy in a Burroughs sales office; when I went in and just asked what manuals they had on the B6700 system, he was happy to help out a student with some old stuff from a back room -- and sure enough, that's what it was.)

      (I'm not even sure the terms "social engineering" and "dumpster diving" had even been coined back then, it was in the mid-1970s. And I never did anything malicious with the knowledge.)

      --
      -- Alastair
    12. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      I do the same thing, only instead of the date, it's just an index. So first password is correcthorsebatterystaple1, 60 days later correcthorsebatterystaple2, 3, 4, etc.

    13. Re:Dumb question, but where should we store them? by PrimaryConsult · · Score: 1

      So the neat thing about the "no repeats" rule: when you are changing your password, the system only knows the true password of the most recent old one (since you have to type it in while resetting) and the new one you are trying - that is how it can say "new password too similar to previous one". But beyond that, all it has is a history of encrypted strings. So, simply alternate two passwords and increment a digit each time.

    14. Re:Dumb question, but where should we store them? by UnknownSoldier · · Score: 1

      +1 for KeePass, and KeePassX (on OSX).

      Remember one long passphrase, never remember another password ever again.

    15. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      You know that a keychain is built into your operating system if you're using OSX right? Don't use another third party piece of shit.

    16. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      I hate to break it to you, but you're about to lose your security clearance.

    17. Re:Dumb question, but where should we store them? by omtinez · · Score: 1

      That actually does not sound too unreasonable of a process.

    18. Re:Dumb question, but where should we store them? by CrimsonAvenger · · Score: 1

      I'm curious. 18 machines, user and admin for each, but only 32 passwords?

      As to where to store them, I like Password Safe myself, but there are other password managers if Password Safe isn't to your taste. Then I have to remember two passwords (the one for Password Safe and the login to the one machine I keep Password Safe on).

      By the by, any clue when the government is going to figure out that requiring passwords to be changed every X days is a bad idea, which encourages bad (easily remembered) passwords?

      For that matter, I'm not all that impressed by rules requiring "at least one upper case letter, at least one number or punctuation, at least [this many] characters" (which always turns into, for the user, [this many] characters)....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    19. Re:Dumb question, but where should we store them? by arth1 · · Score: 4, Insightful

      But beyond that, all it has is a history of encrypted strings.

      And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.

      What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's neither a letter nor a digit. Don't those who create those rules know that each rule reduces the number of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall to a single-pass crack is far superior to a password of the same length with plenty of restrictions.
      Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.
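The two comments above (the "only the most recent plaintext is known" point and the "rejects older passwords, so probably no salt" point) describe how a password history check behaves; the following is an added example, not code from the page or from any product mentioned here, showing how such a check is normally implemented. It assumes per-entry random salts and PBKDF2 from the Python standard library (a memory-hard KDF would be used in production). The history check re-derives the candidate under each stored salt, so per-entry salting does not stop a server from refusing a password used several changes ago; the "too similar" check, by contrast, really does need the old plaintext, which is only available at change time.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Constructed parameters for the example; production code would use argon2id
# or scrypt with tuned cost, and a deeper history window.
ITERATIONS = 50_000
HISTORY_DEPTH = 4


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash; the only thing the server ever stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _strip_counter(password: str) -> str:
    """Normalise away the trailing digits users bump on every rotation."""
    return password.rstrip("0123456789").lower()


class Account:
    """Keeps the current (salt, hash) plus the previous HISTORY_DEPTH pairs."""

    def __init__(self, password: str) -> None:
        self.history: List[Tuple[bytes, bytes]] = []
        self._set(password)

    def _set(self, password: str) -> None:
        salt = secrets.token_bytes(16)  # fresh salt for every entry
        self.history.append((salt, hash_password(password, salt)))
        self.history = self.history[-(HISTORY_DEPTH + 1):]

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def was_used_recently(self, candidate: str) -> bool:
        # No old plaintext is needed: re-derive the candidate under each stored
        # salt and compare. Distinct salts only stop one precomputed table
        # from covering every entry at once; they do not hide reuse.
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.history
        )

    @staticmethod
    def too_similar(old_plain: str, new_plain: str) -> bool:
        # This comparison is only possible against the current password,
        # because the user just typed it; older plaintexts are gone.
        return _strip_counter(old_plain) == _strip_counter(new_plain)

    def change(self, old_password: str, new_password: str) -> str:
        if not self.verify(old_password):
            return "rejected: current password wrong"
        if self.too_similar(old_password, new_password):
            return "rejected: too similar to current password"
        if self.was_used_recently(new_password):
            return "rejected: reused within history window"
        self._set(new_password)
        return "ok"


if __name__ == "__main__":
    acct = Account("correcthorsebatterystaple1")
    print(acct.change("correcthorsebatterystaple1", "correcthorsebatterystaple2"))
    print(acct.change("correcthorsebatterystaple1", "clownhorsepenisstaple1"))
    print(acct.change("clownhorsepenisstaple1", "correcthorsebatterystaple1"))
    print(acct.change("clownhorsepenisstaple1", "correcthorsebatterystaple2"))
```

Run as a script it walks through the rotation trick discussed in the thread: bumping the digit is caught by the similarity check, going straight back to the previous password is caught by the salted history check, and alternating two bases while incrementing the digit slips past both, which is the weakness of this kind of policy rather than of the implementation.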

    20. Re:Dumb question, but where should we store them? by arth1 · · Score: 2

      That actually does not sound too unreasonable of a process.

      Except that it depends on
      1: All PCs that open the file being uncompromised.
      2: The distribution method for the file being uncompromised.
      3: The printer used to create the hard copy being uncompromised.
      4: If a network printer, no possibility of sniffing the unencrypted data going to the printer.

      Modern printers and copiers are underrated as hacking subjects. There's no limit to what people print out, and they assume that it's a very safe thing to do. Yet if I have access to a modern printer or print server, I can ask for a copy of every printed document to be mailed to me. When was the last time the IT department eyeballed the configuration for each printer, looking for anomalies?

    21. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      DoD guidelines clearly state that passwords are not to be written down or stored in a file.

    22. Re:Dumb question, but where should we store them? by Sesostris+III · · Score: 1

      I've never quite understood why an encrypted spreadsheet or document is frowned upon, while a custom password manager (like KeePass) is OK.

      --
      You never know what is enough unless you know what is more than enough. - Blake
    23. Re:Dumb question, but where should we store them? by unixisc · · Score: 1

      I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.

      In one of my past jobs, we were required to update our passwords every 90 days. We'd get warned about it on day 60, and we couldn't use any of our last 4 passwords or so.

      My way around it: pick a base password. Since it was at work, where I might have to share it with colleagues depending on the situation, I picked the company name spelled out with special characters, odd capitalization and so on, and then appended to the end numbers from 0-9. After p@s$w0Rd9 was complete, I'd revert it to p@s$w0Rd0 and start again.

      So for your thing, you could give them all separate names reflecting their functions, encode them into passwords you'd easily remember, and then index them so that you don't repeat any passwords within n number of changes or m number of months. There are also apps that let you store and retrieve your passwords.

    24. Re: Dumb question, but where should we store them? by RandomSkratch · · Score: 1

      Holy crap; lightbulb! I've never thought of it that way. Strong restrictions always ticked me off but clearly they work opposite from their intentions.

    25. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      We keep all ours on a sticky note under our CIO's assistant's keyboard. If we need a password, we call him.

    26. Re:Dumb question, but where should we store them? by sg_oneill · · Score: 1

      Active Directory, with PKI and Kerberos (there are PAM modules that'll do the heavy lifting here). Consider a proper password management system, like LastPass, or if compliance won't let you use the "cloud", I'm told Bruce Schneier's open source one's pretty good.

      Couple that with a policy that enforces good password hygiene (i.e., randomly generated LastPass passwords) and you might have a fighting chance of keeping your stuff safe-ish.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    27. Re:Dumb question, but where should we store them? by NotAPK · · Score: 1

      The easiest printer exploit is to simply take the printout from the out-tray before the hapless user arrives to collect it. I'd wager that 100% of the time they'll simply assume "something went wrong" and just return to their desk to send the job again.

      I know many printers have secure print features that don't release the job until the user arrives at the printer and enters a pin, but everywhere I've worked they have been disabled by IT for unknown reasons.

    28. Re:Dumb question, but where should we store them? by NotAPK · · Score: 1

      How do you backup the OSX keychain?

      How can you restore the OSX keychain following a reinstall?

      How can you share the keychain among multiple computers/user accounts?

      The great thing about KeePass (or a text file in a TrueCrypt/VeraCrypt volume) is you get all of these features without any reduction in security. If a user has the master password then they can work on the password database. This is a much better match to real-world use cases than the assumptions OSX makes about its keychain.

    29. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      The last major hack at my establishment was extended because the hacker infected our printers as a backup infection point. Once the infection was cleaned off the servers and the system was "clean" they would enable print services and in no time at all the system was infected again. Took them over a week to figure this out.

    30. Re:Dumb question, but where should we store them? by UnknownSoldier · · Score: 1

      You touched upon the very reasons why I like KeePass over OSX's keychain.

      With KeePass I can use the same master password file across my Windows, OSX, and Linux computers.

      Leave it to an AC to criticize without offering any solutions.

    31. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 0

      Ever heard of LDAP or Active Directory? If you use Active Directory and need the Linux machines to join the domain, check out the Likewise client for AD. It's as easy to use as joining a Win box to the domain. With that, 6 developers means 12 passwords. You are right in having your developers with two accounts: one for everyday stuff and one for admin work only. Red Hat also has a nice LDAP service, much like AD, that Win machines will join as well. Really, save yourself some headaches and set up everything in a domain. But be sure to really harden your Domain Controllers!! The drawback here is if your DCs get pwned, well, then game over.

    32. Re:Dumb question, but where should we store them? by j-beda · · Score: 1

      Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.

      I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.

      If the attacker knows that 8 characters is the minimum, then that does mean that they "save" the resources of checking the N^7 possible passwords excluded by the rule, but searching through (N^8-N^7) is much harder than cracking those passwords that likely would have resulted if people were allowed to have less than 8 characters. Requiring upper/lower/digits/symbols means that the search space has a value for "N" which is around 80 rather than just 24 for people who just like lower case. Yes, the attacker knows that there is "at least one" of each type, but that knowledge isn't as useful as the fact that without such restrictions, many of the users would use passwords that contain "exactly zero" of any type beyond the lower case letters (and some probably only use the digits zero to nine). Letting the attacker know that these "small" search spaces are unused would save them a bit of time, but saving 24^8 choices out of 80^8 choices is not such a big deal, and ensuring that all the users are in the (80^8-24^8) world is not such a bad thing.

      I do agree that allowing (or even insisting on) longer passwords is the best way to increase the search volume. What pisses ME off is some of my financial places that STILL do not allow me to choose passwords that are longer than eight characters. I can protect my stupid Facebook account with a fifty character string, but my bank account is limited to eight?

    33. Re:Dumb question, but where should we store them? by arth1 · · Score: 1

      I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.

      That depends on what the attacker is after. If finding the first password as quickly as possible, a dictionary attack against a list with no restrictions is the way to go. But more often these days, the attacker wants either one particular account, or all accounts. For one particular account, a dictionary attack is over and done with in seconds, after which it's back to brute forcing. For all accounts, you can do the same, but the yield is lower - getting a few percent of passwords early is not as time saving as making the search space a fraction of what it was.

      The way good cracking apps work these days is that there's a generator that generates all possible passwords, using lemma frequency order from existing cracks to determine the order, and filtering out any passwords that fail the criteria for that site. Then the resulting passwords are distributed to multiple crackers.
      The start of the brute force list can even be generated ahead of the actual cracking.

      The filtering out part is important. It can easily reduce the amount of hashing needed by orders of magnitude (!). A crack that would take years can be done in weeks, because of an IT manager who came up with very complex password rules.

      If really complex, it allows for rainbow tables for much longer character lengths than what would otherwise be feasible, and if a hash table has been obtained, that near instantly catches a lot more passwords than dictionary attacks do.

      In effect, the IT manager gambles on the hashes never getting out, to gain a small advantage against a type of attack that never occurs these days - brute force against normal logins - for which there are far superior protection methods.
      Chances are that he or she doesn't even know the real world effects, and believes that if it frustrates the employees, it will frustrate hackers even more. Not so.
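The exchange above between j-beda and arth1 turns on two quantities: how much of the length-n keyspace a "one of each class" rule actually leaves, and how a cracker's generator filters candidates against the target's policy before hashing. This is an added example (not code from the page or from any cracking tool) that computes both. It assumes the four classes as Python's string module defines them (26 + 26 + 10 + 32 = 94 characters; the space is left out), uses inclusion-exclusion for the count, and validates the formula against an exhaustive count on a tiny constructed alphabet; the word list at the bottom is constructed for illustration.

```python
import string
from itertools import combinations, product
from typing import Dict, Iterable, List

# Character classes as a composition policy would define them.
CLASSES: Dict[str, str] = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}


def _alphabet(classes: Dict[str, str]) -> set:
    return set("".join(classes.values()))


def count_with_all_classes(length: int, classes: Dict[str, str]) -> int:
    """Strings of `length` over the union alphabet that contain at least one
    character from every class. Inclusion-exclusion over the set of classes
    that are missing: sum over subsets S of (-1)^|S| * |alphabet \\ S|^length."""
    alphabet = _alphabet(classes)
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for excluded in combinations(names, k):
            remaining = alphabet - set("".join(classes[n] for n in excluded))
            total += (-1) ** k * len(remaining) ** length
    return total


def keyspace_fraction(length: int, classes: Dict[str, str] = CLASSES) -> float:
    """Share of the unrestricted keyspace that survives the composition rule,
    i.e. what an attacker who knows the rule still has to search."""
    n = len(_alphabet(classes))
    return count_with_all_classes(length, classes) / n ** length


def brute_force_count(length: int, classes: Dict[str, str]) -> int:
    """Exhaustive count for tiny alphabets, used to check the formula."""
    alphabet = sorted(_alphabet(classes))
    return sum(
        all(any(c in cls for c in word) for cls in classes.values())
        for word in product(alphabet, repeat=length)
    )


def satisfies_policy(candidate: str, min_len: int = 8,
                     classes: Dict[str, str] = CLASSES) -> bool:
    """The target site's own acceptance test for a password."""
    return len(candidate) >= min_len and all(
        any(c in cls for c in candidate) for cls in classes.values()
    )


def filter_candidates(wordlist: Iterable[str], min_len: int = 8) -> List[str]:
    """What a cracker's generator does before any hashing: drop every
    candidate the policy would have refused, so no work is spent on it."""
    return [w for w in wordlist if satisfies_policy(w, min_len)]


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"length {n}: {keyspace_fraction(n):.3f} of the keyspace remains")
    # Constructed sample of typical wordlist entries.
    words = ["correcthorsebatterystaple", "Summer2016!", "P@ssw0rd",
             "p@s$w0Rd9", "Tr0ub4dor&3", "12345678"]
    print(filter_candidates(words))
```

For eight characters the rule leaves roughly 46% of the 94^8 keyspace, so the pure brute-force saving is about a factor of two, which is the side of the argument j-beda makes; the larger effect arth1 describes comes from the filter, which discards the bulk of a frequency-ordered wordlist (all-lowercase entries, all-digit entries) before a single hash is computed. Note that the fraction rises with length: a long password with the rule known is still far harder than a short one without it.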

  3. Formatting by jargonburn · · Score: 2

    Well, at least they're not stored in plain text.
    *puts on a pair of sunglasses*

    1. Re:Formatting by bigtreeman · · Score: 1

      mine is
      *puts it on usb stick, deletes from ~/Docs*
      this is a big hint to start using KeePassX

      --
      Go well
    2. Re:Formatting by Anonymous Coward · · Score: 0

      Mine is in plain text, but stored in a truecrypt volume.

    3. Re:Formatting by jargonburn · · Score: 1

      That was intended as a two-part joke about how Word files are saved.
      First:
      - .doc: a binary output file; I read somewhere it was some kind of memory dump from within Word. Definitely not "plain-text".
      - .docx: a zipped collection of XML files describing the document and its contents. Not quite plain-text.

      Second:
      I've seen a few of those documents entirely formatted in bold and/or italics. So, not "plain" text.

      Coins in the hat, tomatoes in the face, please!
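As a worked illustration of the .docx point above (an added example, not code from the page), the following builds a minimal WordprocessingML package in memory, with every paragraph in bold for good measure, and then reads the text back out with nothing more than the zip and XML modules from the Python standard library. The package layout is the real one (a zip with the body in word/document.xml), but this is a constructed stand-in with only the parts the reader needs, not a file Word produced; the credential lines and the host/user/password line format are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def build_docx(lines: Iterable[str]) -> bytes:
    """Constructed minimal .docx: one bold paragraph per line."""
    body = "".join(
        f'<w:p><w:r><w:rPr><w:b/></w:rPr>'
        f'<w:t xml:space="preserve">{escape(line)}</w:t></w:r></w:p>'
        for line in lines
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   f'<?xml version="1.0"?><Types xmlns="{CT_NS}"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def extract_text(docx_bytes: bytes) -> List[str]:
    """Every paragraph's text from word/document.xml, bold or not.
    No Word, no macros, no password prompt: an unencrypted .docx is a zip."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    paragraphs = []
    for p in root.iter(f"{{{W_NS}}}p"):
        paragraphs.append("".join(t.text or "" for t in p.iter(f"{{{W_NS}}}t")))
    return paragraphs


# Constructed line format for the example: "<host> <user> <password>".
CRED_RE = re.compile(r"^(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<password>\S+)$")


def find_credentials(docx_bytes: bytes) -> List[Tuple[str, str, str]]:
    """Grep-style scan of a .docx for host/user/password lines, the kind of
    thing post-exploitation tooling does against a file share."""
    hits = []
    for line in extract_text(docx_bytes):
        m = CRED_RE.match(line.strip())
        if m:
            hits.append((m["host"], m["user"], m["password"]))
    return hits


if __name__ == "__main__":
    sample = build_docx([
        "Admin passwords - do not share",
        "db01.corp   sa     Summer2016!",
        "rhel07.corp root   Tr0ub4dor&3",
    ])
    print(sample[:4])            # zip magic, not document text
    print(find_credentials(sample))
```

The point for the survey's 40 percent: the bold, the binary-looking header and the zip wrapper provide no confidentiality at all. Only the document encryption layer (which wraps the package in an encrypted OLE container and is a different format from an unprotected .docx) changes that, and then the strength rests entirely on the password and the KDF settings of the Office version that saved it.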

  4. Just remember... by xlsior · · Score: 5, Interesting

    ...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character.

    /It's so secure even YOU won't know your passwords!

    1. Re:Just remember... by hcs_$reboot · · Score: 1

      It tells you what your passwords should be.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Just remember... by phorm · · Score: 1

      Autocorrect is more of a pain than it's worth sometimes. I had similar issues with a spreadsheet where I was listing ports. It kept thinking I was making a number and removing my commas

      e.g 80,443 would just become 80443

    3. Re:Just remember... by Anonymous Coward · · Score: 0

      If you're really putting commas in port numbers then your spreadsheet knows more than you do.

    4. Re:Just remember... by Anonymous Coward · · Score: 0

      These kinds of things are apparently wrecking many statistical results in the soft sciences, where excel is still dominant.

    5. Re:Just remember... by Knuckles · · Score: 2

      That's not autocorrect, that's cell format. Learn to use/change it, it's Excel 101
      (And autocorrect can be turned off as well)

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
    6. Re:Just remember... by behrooz0az · · Score: 1

      If you're port numbers go beyond 64Ki You should stop talking

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    7. Re:Just remember... by behrooz0az · · Score: 1

      s/you're/your/

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    8. Re:Just remember... by 4im · · Score: 1

      ...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character. /It's so secure even YOU won't know your passwords!

      Also, leaking of metadata, version tracking etc.

      It can be done, if everyone touching the file exactly know what they are doing, but Murphy's Law applies. An office suite just is not the best tool for this job.

    9. Re:Just remember... by phorm · · Score: 1

      I'd assume that a text formatted cell shouldn't be doing that, yet it was.

    10. Re:Just remember... by Knuckles · · Score: 1

      I'd assume that a text formatted cell shouldn't be doing that, yet it was.

      I see, then my first reply was premature, because I had not seen it doing this all my life. I tried it today with Excel 2003, 2007, 2010, 2013, 2016. In no instance did it do what you wrote, i.e., remove the comma in a text-formatted box, and the default autocorrect rules don't have any rule that looks like it would do this, either. So I guess maybe you experienced a bug that has been fixed, you had some weird custom autocorrect rule enabled, or it may have had something to do with unusual region settings (which of course affect how Excel treats dot, comma, and semicolon, and over time I saw a bunch of bugs which only happen for some region settings).

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  5. An other 30% ... by godrik · · Score: 1

    writes it on the wall.

  6. Passwords by Anonymous Coward · · Score: 1

    I store them in a txt file in Google Drive.
    gpg2 --symmetric --output passwords.txt.safe passwords.txt
    gpg2 --decrypt passwords.txt.safe

    And memorise a crazy hard password which also assists me in solving a parity error on the Rubik's Cube Revenge with a small variation.

    1. Re:Passwords by behrooz0az · · Score: 1

      In high school I had some variation of this (from here) memorized as a number and would convert it to binary before every damn physics/math/trigonometry test.
      Don't forget to 'shred -u' your files after doing that. Nothing is safe.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
    2. Re: Passwords by Anonymous Coward · · Score: 0

      Nice.
      Tbh I actually got slack and just store them normally but I do have 2 factor authentication and a strong password.

  7. Bah by Anonymous Coward · · Score: 0

    Postit note FTW!

  8. Yeah by hcs_$reboot · · Score: 2

    but the word doc is securely protected with a password.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  9. I'd argue that 40% figure... by Anonymous Coward · · Score: 0

    ...considering 75% of organizations use sticky notes on a monitor.

    1. Re:I'd argue that 40% figure... by Anonymous Coward · · Score: 0

      The remaining 25% use sticky notes under the keyboard.

    2. Re:I'd argue that 40% figure... by Imrik · · Score: 1

      Sticky notes on the monitor are for user passwords, the admin password has to be stored somewhere it can be accessed remotely...

  10. That's why we use... by I75BJC · · Score: 2

    LibreOffice! Or are Post-It_Notes better? LOL!!!

  11. Not the problem by Anonymous Coward · · Score: 0

    Not encrypted is the problem

  12. What word doc? Post it notes. by 140Mandak262Jamuna · · Score: 3, Funny

    We had the most incompetent sysadmin I had seen when our company was in infancy. Slacked off most of the time. So he convinced the receptionist to step in and fix urgent things like printer queue issues and restarting the print server etc. How? Below the large monthly planner she had on the front desk was a whole bunch of post-it notes. Each note started with the su password and then some commands. About 10 or 15 of them. Worst. Sysadmin. Ever.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:What word doc? Post it notes. by Anonymous Coward · · Score: 0

      We had the most incompetent sysadmin I had seen when our company was in infancy. Slacked off most of the time. So he convinced the receptionist to step in and fix urgent things like printer queue issues and restarting the print server etc. How? Below the large monthly planner she had on the front desk was a whole bunch of post-it notes. Each note started with the su password and then some commands. About 10 or 15 of them. Worst. Sysadmin. Ever.

      Sounds like he knew exactly what he was doing. Makes you wonder about the asshats that hired him and kept him around though.

  13. That's stupid and scary! by andrewa · · Score: 1

    Excel is much better for storing passwords.

    --
    :(){ :|:& };:
    1. Re:That's stupid and scary! by hcs_$reboot · · Score: 1

      That reminds me of an older Office version where the password algorithm was so dumb a Linux tool just needed a '-p' option to decode it instantly.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  14. We don't .... by whoever57 · · Score: 2

    Hah! We are so much better. We don't use Word to store passwords.

    We use LibreOffice!

    --
    The real "Libtards" are the Libertarians!
    1. Re:We don't .... by Anonymous Coward · · Score: 0

      I was hoping for Notepad myself. You know, for interoperability.

  15. Old School by rtb61 · · Score: 4, Interesting

    Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, buy a 1 ton safe, stick piece of paper in safe, lock safe. Whilst they, and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard not to notice it missing, and you are able to re-secure your system again.

    The problem with securing computers with computers is you can no longer see them breaking in successfully; sure you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo..., https://www.theguardian.com/wo.... Computers are shit at security because you cannot see what is going on and there are just so, so many ways to hack it and all from safe remote locations; hacking a safe is up close and personal and extreme risk, it is just the way it is.

    They used to produce computers with hard-wired switches to prevent firmware being overwritten: no direct access, physically impossible to hack remotely; hard-wired switches to shut down wireless network cards: switch off, no power to that card whatsoever. So your core data server should have a hard-wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Old School by fahrbot-bot · · Score: 1

      Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, ...

      Typewriter? Um, the passwords can be recovered from the ink ribbon. Why not just use a pen?

      --
      It must have been something you assimilated. . . .
    2. Re:Old School by Areyoukiddingme · · Score: 1

      Computers are shit at security because you can not see what is going on...

      Uh, what? Yes you can. I very regularly punch the button that says "add this asshat's IP to the firewall drop rules" because I can see the pathetic script kiddie attempting to brute force the password on the SSH server for the Administrator account and it annoys me. Are they going to get in? No, my system is not at risk. There is no Administrator account. So do I really need to start dropping all packets from this assclown? Not really, no. But my monitoring systems are lit up, and that's just obnoxious.

      Having said that, I'm on board with the one ton safe idea. Now if only I could afford the umpty-thousand dollars to get one...

    3. Re:Old School by Cyberax · · Score: 1

      Perhaps grandparent can't write? (I thought that it's impossible but there are people out there who can't handwrite but can type easily)

    4. Re:Old School by Anonymous Coward · · Score: 0

      Dunno about GP but I don't trust my handwriting to be easily legible even to me. O and 0, I and l. Heck most times I don't even trust a typewriter.
      I see nothing wrong with using the office laser printer to do what he said though. Print off the list, stick it in the fire safe. That's our password recovery bucket list right there.
      That said, we also have a bunch of passwords locked away in a .txt file that can only be located or opened by someone who holds the network administrator password (which is me and the boss). We figure that's good enough since anyone who has that password can own our entire network. The master password is never written down (except as said, to put in the fire safe), never sent as an email, never even discussed aloud except when we're sure no one's able to overhear.

    5. Re:Old School by rtb61 · · Score: 2

      Dude you can not see what is going on at all, all you see is the mud monkey output and when it comes to shifting those bits and bytes and words (not words words but words) https://en.wikipedia.org/wiki/Word_(computer_architecture), you have no idea at all what is going on, no one does, you just 'assume' it is doing what the screen claims it is doing and the computer is doing way, way more than just output to a video screen. Once you dabble in computer security, you really start to understand what a mindless head fuck it really is, all your attempts at security are down to the assumption that the output reflects what is actually happening, whilst knowing full well that what is being displayed could not be what is actually happening. Seriously dude why do you think it costs so much to de-hack secure networks, everything has to be checked, any suspicion whatsoever about any component and that has to be checked, even replaced, and even then once finished, all very closely monitored for an extended period, just to make sure. Often easier to replace old box with new box with data restored from backups and then erase old box and sell (boxes are cheap compared to labour, especially extended overtime labour). Old safes should still be cheap on the second hand market, the idea is the mass not so much security. Interesting side note, did you know, one of the core design requirements for office floors, way back when, was to be able to hold a one ton safe, here you go https://www.amazon.com/s/ref=s... and Amazon will even deliver. Often manual is far easier and more secure than electronic.

      --
      Chaos - everything, everywhere, everywhen
    6. Re:Old School by Anonymous Coward · · Score: 0

      My handwriting has always been terrible and if I'm trying to jot something down on an uneven surface (e.g. scrap of paper on my leg), it's really not worth even trying.

      If I'm patient, though, I can at least write distinctly enough that I'll be able to decipher every letter later (even if someone else would have a hard time). Here are some tips.

      - To differentiate capital O from 0, I use slashed zeroes.
      - Capital I always has crossbars.
      - The number 1 gets a serif at the top and horizontal line at the base whenever its use can be ambiguous.
      - Lowercase L (l) I always write in cursive. Pipes (|) I really exaggerate much higher and lower than the other characters around.

      And so on. So at least for myself if I need to quickly jot down a jumble of alphanumerics I have a system which works well. But in most cases technology kicks ass. Typing in general, laser printers, just using a phone to take a picture of that serial number you need and review the image later, etc.

    7. Re:Old School by Anonymous Coward · · Score: 0

      As a lock guy... don't buy gun safes. They are junk that run on marketing slogans instead of value. And don't buy any in that price range with electric locks (Kaba Mas X series is top notch, but the lock alone costs nearly as much as those safes). Some can be bypassed. Most fail early and require an expensive opening to fix. All of them are easier to shoulder surf or dust.

      Know that there is a difference between fire resistant and burglary resistant.

      GSA containers are great. Get one of those.

    8. Re:Old School by Gavagai80 · · Score: 1

      After you've put all your passwords in the 1 ton safe, where do you put the combination for the safe?

      --
      This space intentionally left blank
    9. Re:Old School by RespekMyAthorati · · Score: 1

      You write it down on another piece of paper, and put that in another safe, of course!
      It's safes all the way down.

  16. Sounds about right. by 0100010001010011 · · Score: 1, Informative

    Remember that 40% counts IT admins that ask Reddit for advice. Every deadbeat coworker that has survived by kissing ass or nepotism.

    And that's nothing unique to IT. It's like that in everywhere I've worked.

    1. Re:Sounds about right. by Anonymous Coward · · Score: 0

      There's no proof Hillary's IT guy posted to reddit.

    2. Re:Sounds about right. by 0100010001010011 · · Score: 1

      Oh come on. People are idiots. 90% of people pick one username and use it everywhere. Same username on Slashdot as well and with only 3 posts matches up with Paul's personal history.

  17. Obfusication Is Best by Anonymous Coward · · Score: 0

    I store all my passwords in the Oxford English Dictionary and they are already written in the print without me doing a god damn thing.

    Ha ha

    1. Re:Obfusication Is Best by behrooz0az · · Score: 1

      Well, You should really use your password thingy before you start writing.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
  18. no need by jmccue · · Score: 1

    Just like the ancient old days, my admin passwords are 'password'. Why change them? When we get new systems, it makes it harder for the vendor to correct issues.

  19. And 100%... by 14erCleaner · · Score: 1

    Every office stores passwords on Post-It(tm) notes stuck to the bottom of their keyboards. Completely hacker-proof!

    --
    Have you read my blog lately?
  20. We have 1Password, LastPass, and Password Safe by kriston · · Score: 1

    It's not like we haven't had 1Password, LastPass, and Password Safe for at least the past decade.

    What year is this? Seriously, man, what decade is this?

    --

    Kriston

    1. Re:We have 1Password, LastPass, and Password Safe by Anonymous Coward · · Score: 1

      My firm prohibits the use of password manager software, presumably because they're worried someone might crack the encrypted database and get all my passwords, and think storing stuff in plain sight on post-its is more secure. And I suppose in one sense that's true: no one can remotely access that post-it. But suborn the housekeeping staff and I guarantee you would harvest quite a few passwords.

    2. Re:We have 1Password, LastPass, and Password Safe by Anonymous Coward · · Score: 0

      For a long time I used notepad and 7-Zip (or WinZip depending on the employer) because you can view and edit the passwords without special software.

      I've gotten used to KeePass history, so if I were to try to go back to that method, I'd create a folder named with the date, one text file per system, 7-zip it with encryption then regular windows zip a folder containing portable 7-zip and the encrypted archive. To make a change, I'd just copy the folder and give it the current date, then re-zip. Since I typically install 7-zip, it'd be easy to use normally, and ASCII files compress to practically nothing, but if I needed it on a computer where I didn't have zip with built in strong encryption, I could still use it.

    3. Re:We have 1Password, LastPass, and Password Safe by Anonymous Coward · · Score: 0

      Two minds about that. In a strictly technical sense it's secure. It also puts all your eggs in one basket that you don't control. It goes down and you're locked out of pretty much everything.

  21. txt files are bad too.... by Anonymous Coward · · Score: 0

    so.... a plain txt file is bad i'm guessing

    1. Re:txt files are bad too.... by Anonymous Coward · · Score: 0

      Those that "really" know aren't talking!

  22. No admin. $5 organizer, or encrypted plain text by raymorris · · Score: 1

    Ideally, there should be no "admin password". Individual people should have their own passwords, each with appropriate privileges, via groups if your organization has more than about a dozen people.

    So then we have the question of the most secure way to store your individual passwords.

    If you can still find an old-school "personal organizer" with no wifi, that provides security from network attacks. Then you need physical security to ensure the device doesn't get stolen - lock the door, lock at least one desk drawer, etc.

    What I do personally is I use a very simple, non-networked, password vault script. The script uses AES or Twofish to encrypt a plain text file (notepad). A simple batch file can run GPG to do the encryption and decryption. The file is never opened in a feature-rich, macro-capable word processor like Microsoft Word, it's decrypted into simple text editor. Just to be sure I don't overwrite my access.gpg file with garbage by entering the master password incorrectly, my script checks the password entered against a SALTED SHA-2 hash before it does anything else.

    1. Re:No admin. $5 organizer, or encrypted plain text by Jack9 · · Score: 1

      When dealing with vendors, you will always have some "Admin password" for the administration account.

      > Ideally, there should be no "admin password"

      That situation is wholly irrelevant to the topic that asserts the practical problem.

      --

      Often wrong but never in doubt.
      I am Jack9.
      Everyone knows me.
    2. Re:No admin. $5 organizer, or encrypted plain text by Anonymous Coward · · Score: 1

      Ideally, there should be no "admin password".

      Wrong.

      Somebody has the rights to replace system software (the admin job). Using an account with such privilege for everyday work is a security risk though. A good admin uses a plain user account for surfing the web and reading his email - so if his browser/mail reader gets compromised in a clever attack, the system itself is not compromised. The account with admin rights is only used for actual system administration - not for reading mail or writing reports.

      It is a bad admin who uses a privileged account for "other work", especially "surfing the net" or "reading mail". Browsers & mail readers have to handle content created by outsiders - and hacks exist for many well-known browsers.

      So of course we have separate admin accounts with their own passwords.

    3. Re:No admin. $5 organizer, or encrypted plain text by Anonymous Coward · · Score: 0

      Ideally, there should be no "admin password".

      There is (almost) always a root password - probably several, between servers, switches, etc. I have always maintained these passwords by writing them on a piece of paper, kept in a sealed envelope, inside the fire-safe, in the server room. Change these passwords infrequently, as they should only be known to a few people in the entire organization.

      Individual people should have their own passwords, each with appropriate privileges, via groups if your organization has more than about a dozen people.

      Absolutely - individuals should use their own accounts to do their work. Keep logs, and maintain an audit trail of who did what and when.

  23. You have to by SuperKendall · · Score: 1

    You have to keep passwords written somewhere because stupid sysadmins have such insane password rules and retention times that no-one could possibly remember them. In theory word documents are at least better than post-its because they COULD have some access control.

    The tighter you squeeze, sysadmins, the more systems will slip through your fingers.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:You have to by Cro+Magnon · · Score: 1

      I might possibly remember a password with insane password rules and retention times. But, I can't remember 100 such passwords.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
  24. hah! we're safe. by Anonymous Coward · · Score: 0

    we use excel.

  25. sudo? by ChunderDownunder · · Score: 1

    I thought that was the problem it was supposed to solve, namely there were no 'root' accounts but a list of trusted users.

    1. Re:sudo? by Anonymous Coward · · Score: 0

      What's the difference when that account you found on a piece of paper can sudo su?

    2. Re:sudo? by Anonymous Coward · · Score: 0

      Sudo isn't a solution for keeping people from writing down the root password. Sudo's a way to prevent people who *have* root authority from using it without conscious intent. They log in with a non-root account, do their everyday stuff, then deliberately sudo when they have the need. Microsoft basically copied the intent of this when implementing UAC.

  26. My Boss insisted we do this and.... by Anonymous Coward · · Score: 0

    My Boss insisted we do this and it came back to bite his arse really hard. My boss a few years back was a grade A twat. He had IT experience on Sun Microsystems equipment but when it came to the last 20 years with PCs he was way out of his depth, but being the IT director he could cover his arse easily with the CEO by taking the credit for what we did. I ran the IT department of 10 people but he always wanted to have the last say in anything and over time he slowly fucked things up real bad. I kept all his hand written decisions plus the odd email instruction to cover my arse, well I had to as he was a Grade A twat (did I mention this already), anyway one of the daft things he insisted was to write all the system passwords in clear text in a Word document that was not password protected.

    Over time I finally left with most of the other IT staff (in approx 3 weeks) leaving him to take the running of the department full time and of course he quickly found out how out of his depth he was, the CEO was piling loads of pressure onto him and he could not do the simplest of things, making him look like a Grade A twat to the CEO and other directors and more important to our customers. Then he decided to do a security audit and wiped 2 of the main NT servers, thus shutting down the company IT systems. And of course the password list document was on one of these servers. Then it came out he had stopped doing the backups for a few months so no backups!!!!!!! and the one remaining server was now locked out as he could not remember the admin password. The next day he was sacked and many people cheered.

  27. Biometric by Anonymous Coward · · Score: 0

    Why is biometric authentication not completely standard by now? It's standard on personal phones, why is it not standard on all company computers? I mean, seriously, it's getting embarrassing now.

    1. Re: Biometric by Anonymous Coward · · Score: 0

      Try getting a new set of fingerprints after anyone easily steals yours.

  28. Passwords by Anonymous Coward · · Score: 0

    Storing them in notepad is out of the question? :)

  29. Again: Passwords are becoming obsolete by zifn4b · · Score: 1

    This type of article gets posted on slashdot every few months and the answer is the same: password security is lame.

    With the password security requirements evolving due to things like sophisticated distributed computing brute force cracking, it has arrived at the point where people literally cannot remember passwords anymore. Therefore, because they are mandated to use passwords that are in compliance they do the only reasonable thing they can to comply to get their jobs done, they write the passwords down somewhere.

    Try the 5 Why's technique on this one

    Why are security breaches happening? Because people write their passwords down.

    Why do people write their passwords down? So they can do their job.

    The rest is an exercise for the IT and compliance administrators. Remember, use common sense. It's not hard

    --
    We'll make great pets
  30. It's not hard to keep credentials secure by Sadsfae · · Score: 1

    There's a plethora of off-the-shelf password managers out there that support encryption but you can also create an easy, DIY distributed/encrypted solution with GPG, git and vim.

    There's really no excuse to be storing sensitive credentials in office documents or spreadsheets.

    --
    Have a squat over at the hobo house.
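    Added example for raymorris's post (#22, the GPG-encrypted notepad file with a salted SHA-2 guard on the master password) and Sadsfae's post (#30, a DIY GPG-based vault): this is not either poster's script, just one plain-shell way of wiring up what they describe. Assumptions: GnuPG 2.1 or later (for `--pinentry-mode loopback`), `sha256sum` or `shasum`, a vault directory `~/.vault` holding `access.gpg` and a guard file `access.hash` in `salt:hash` form. The guard only catches a mistyped master password before the vault is rewritten; the real key derivation is GPG's own.

```sh
#!/bin/sh
# Added example, not code from either post. A minimal non-networked password vault:
# GPG symmetric encryption of a plain-text file, edited in a plain editor, with a
# salted SHA-256 guard so a mistyped master password cannot overwrite the vault.
# File names and the "salt:hash" guard format are assumptions.
set -u

VAULT_DIR="${VAULT_DIR:-${HOME:-/tmp}/.vault}"
EDITOR="${EDITOR:-vi}"

# hex SHA-256 of salt||password; a typo guard only, GPG does the real KDF
hash_master() {
  if command -v sha256sum >/dev/null 2>&1; then
    printf '%s%s' "$1" "$2" | sha256sum | cut -d ' ' -f 1
  else
    printf '%s%s' "$1" "$2" | shasum -a 256 | cut -d ' ' -f 1
  fi
}

# write guard file $1 as "salt:hash" for password $2, with a fresh 16-byte random salt
write_guard() {
  salt=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
  printf '%s:%s\n' "$salt" "$(hash_master "$salt" "$2")" > "$1"
  chmod 600 "$1"
}

# return 0 if password $2 matches guard file $1, 1 otherwise
check_guard() {
  [ -r "$1" ] || return 1
  salt=$(cut -d : -f 1 "$1")
  want=$(cut -d : -f 2 "$1")
  [ "$(hash_master "$salt" "$2")" = "$want" ]
}

# encrypt plain-text file $2 into vault $1 with AES-256, passphrase $3 fed on stdin
vault_lock() {
  printf '%s' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-fd 0 --symmetric --cipher-algo AES256 -o "$1" "$2"
}

# decrypt vault $1 into file $2, passphrase $3 fed on stdin
vault_unlock() {
  printf '%s' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
    --passphrase-fd 0 -o "$2" --decrypt "$1"
}

# prompt for the master password without echo
read_master() {
  printf 'Master password: ' >&2
  stty -echo; read -r pw; stty echo; printf '\n' >&2
  printf '%s' "$pw"
}

# init: create an empty vault; edit: decrypt to a temp file, open $EDITOR, re-encrypt
vault_cmd() {
  vault="$VAULT_DIR/access.gpg"; guard="$VAULT_DIR/access.hash"
  mkdir -p "$VAULT_DIR"; chmod 700 "$VAULT_DIR"
  pw=$(read_master)
  tmp=$(mktemp) || return 1
  case "$1" in
    init)
      if [ -e "$vault" ]; then echo "vault exists" >&2; rm -f "$tmp"; return 1; fi
      write_guard "$guard" "$pw"
      : > "$tmp" ;;
    edit)
      # this check is what stops a typo from replacing access.gpg with garbage
      if ! check_guard "$guard" "$pw"; then
        echo "wrong master password, vault untouched" >&2; rm -f "$tmp"; return 1
      fi
      vault_unlock "$vault" "$tmp" "$pw" || { rm -f "$tmp"; return 1; } ;;
    *) echo "usage: $0 init|edit" >&2; rm -f "$tmp"; return 1 ;;
  esac
  "$EDITOR" "$tmp"
  vault_lock "$vault" "$tmp" "$pw"
  rm -f "$tmp"   # plaintext only ever lived in this temp file; point TMPDIR at a tmpfs
}

# only act when given a subcommand, so the file can also be sourced for its functions
if [ $# -gt 0 ]; then
  vault_cmd "$1"
fi
```

    Run `sh vault.sh init` once, then `sh vault.sh edit` to open the decrypted notes in `$EDITOR`; the guard file leaks nothing useful about the vault contents, but it does let an attacker who copies it run an offline guess against the master password, which is why the vault passphrase still needs to be long. Committing `access.gpg` and `access.hash` to a git repository gives the "distributed" half of Sadsfae's suggestion.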
  31. Utilize KeePass with a shared database by nanodec · · Score: 1

    Simple really...

  32. password stores (for sysadmins) by Anonymous Coward · · Score: 0

    I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.

    Take your pick:

    * https://www.reddit.com/r/sysadmin/comments/24jb4e/how_do_you_guys_keep_track_of_passwords/
    * https://www.reddit.com/r/sysadmin/comments/3f5ot6/password_manager/
    * https://www.reddit.com/r/sysadmin/comments/41obgx/best_way_to_store_passwords_more/
    * https://www.reddit.com/r/sysadmin/comments/2j9wo4/best_way_to_store_passwords_for_production_systems/

    KeePass and SecretServer by Thycotic seem to be regularly recommended.

    For the Unix folks reading:

    * https://www.passwordstore.org

  33. Another 40%... by Zanadou · · Score: 1

    Another 40% store them on Google docs.

  34. Ridiculous! by Chelloveck · · Score: 1

    Word documents? What kind of loser sysadmin uses Word? Everyone knows that machine databases get maintained in an Excel file on a network share.

    --
    Chelloveck
    I give up on debugging. From now on, SIGSEGV is a feature.
  35. Complex password rules by unixisc · · Score: 1

    Some of my passwords I easily remember. Some of the others are written down - some on a page in a diary, others in Sticky Notes in one of my Windows 10 logins.

    Part of the reason for this is the disparate password rules that some organizations FORCE on us. Password must be 8 characters, password must contain mix of lower and upper case, password must include special characters, password must start w/ a letter or number but not a special character, and so on. As a result, some of the passwords I would have used in some cases using my own mental password creating algorithm had to be tossed out, and then I had to record those exception passwords somewhere, and lost them when a computer dump happened.

    My suggestion - just toss out all the rules, and let people make whatever they want. If I want my password to be pwd, let me. If I want it to be )%^, don't insist that I include at least 1 lowercase and 1 number or any of that. Or just have 2 factor authentication, and get rid of all the passwords.

  36. Word, seriously? by Anonymous Coward · · Score: 0

    Thankfully, our organization is not one of these. We store our passwords in a Notepad document.

  37. Never log in as admin. People leave. sudo by raymorris · · Score: 0

    You're right that you shouldn't log in using the admin password to read email. You also shouldn't log in to the admin account, using the admin password, in order to install software.

    People leave your organization. If you have groups of people logging in to the admin account, using the admin password, the guy who got fired yesterday probably still has the admin password. It's stored on Joe Schmoe's mobile device too, which just got hacked.

    Instead, Joe should log in as Joe. The logs will show that Joe logged in, not "somebody logged in as admin", and when Joe gets fired you can simply disable Joe's account. Initially, he has just the standard permissions to do his daily work. For privileged tasks, he should use sudo or similar, not log out and then log in again as "admin", using a password shared amongst every body in the department.

    Repeat after me "sharing passwords is bad." Sharing ADMINISTRATIVE passwords is extra bad. Switching ROLES from unprivileged to privileged should not mean changing IDENTITIES from "Bob" to "somebody who has the admin password, might be anyone in the department."

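    Added example for the sudo points in #25 and #37 (personal accounts, privilege through group membership, disable the account when the person leaves): this is not raymorris's own setup, just one way to do it on a Linux box with sudo and shadow-utils. The group name `sysadmins`, the log file path and the `/etc/sudoers.d/` fragment are assumptions; the onboard/offboard functions need root.

```sh
#!/bin/sh
# Added example, not the poster's setup. One sudoers fragment that grants an admin
# group root under each member's own identity and logs every session, plus the
# onboarding and offboarding steps that make "Joe logged in" the only thing the
# logs ever say. Group and user names are placeholders; run as root on Linux.
set -u

# print the sudoers fragment for admin group $1 (installed to /etc/sudoers.d/$1, mode 0440)
admin_sudoers() {
  cat <<EOF
# Members of %$1 escalate with their own password; there is no shared "admin" password.
Defaults:%$1 log_input, log_output, logfile=/var/log/sudo-$1.log
Defaults:%$1 timestamp_timeout=5
%$1 ALL=(ALL) ALL
EOF
}

# install the fragment only if visudo accepts it; a broken sudoers file locks everyone out
install_sudoers() {
  group="$1"; tmp=$(mktemp) || return 1
  admin_sudoers "$group" > "$tmp"
  if visudo -c -f "$tmp"; then
    install -o root -g root -m 0440 "$tmp" "/etc/sudoers.d/$group"
    rc=0
  else
    echo "sudoers fragment rejected, not installed" >&2; rc=1
  fi
  rm -f "$tmp"; return $rc
}

# onboard user $1: a personal account whose privilege comes only from group $2
onboard_admin() {
  groupadd -f "$2"
  useradd -m -G "$2" "$1"
  passwd "$1"
}

# offboard user $1 from group $2: disable the identity; nothing shared needs rotating
offboard_admin() {
  usermod --lock --expiredate 1970-01-02 --shell /usr/sbin/nologin "$1"
  gpasswd -d "$1" "$2"
  home=$(getent passwd "$1" | cut -d : -f 6)
  if [ -f "$home/.ssh/authorized_keys" ]; then : > "$home/.ssh/authorized_keys"; fi
  pkill -KILL -u "$1" || true
}

# who can still escalate: the current members of group $1, one per line
audit_admins() {
  getent group "$1" | cut -d : -f 4 | tr ',' '\n'
}

if [ $# -ge 2 ]; then
  case "$1" in
    install)  install_sudoers "$2" ;;
    onboard)  onboard_admin "$2" "${3:-sysadmins}" ;;
    offboard) offboard_admin "$2" "${3:-sysadmins}" ;;
    audit)    audit_admins "$2" ;;
  esac
fi
```

    `sh admins.sh install sysadmins` writes the fragment, `sh admins.sh onboard joe` and `sh admins.sh offboard joe` add and remove a person, and `sh admins.sh audit sysadmins` lists who can still escalate. With `log_input`/`log_output` the session transcripts land in `/var/log/sudo-io/` keyed by the real user, so the audit trail names Joe rather than "admin"; the root account itself can keep a password in the fire safe for console recovery without anyone needing it day to day.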
  38. False confidence by SoftwareArtist · · Score: 1

    Three out of four IT decision makers now incorrectly believe they can prevent attackers from breaking into their internal network

    There, fixed that for them.

    --
    "I'm too busy to research this and form an educated opinion, but I do have time to tell everyone my uninformed opinion."
  39. Other 60% by Anonymous Coward · · Score: 0

    The other 60% use Excel :)