Slashdot Mirror


40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms, are undermining that progress. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015, and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff.
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.

4 of 116 comments

  1. Dumb question, but where should we store them? by Anonymous Coward · Score: 5, Insightful

    I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.

    1. Re:Dumb question, but where should we store them? by Anonymous Coward · Score: 2, Insightful

      Yeah, I'm kind of confused about this. At some point, there's going to be a storage container for passwords, and that storage container is probably going to be a document of some sort. Now that doesn't mean the document isn't protected and encrypted, but it's still very likely going to be a simple text or doc file at the core of it.

    2. Re:Dumb question, but where should we store them? by Anonymous Coward · Score: 2, Insightful

      If you aren't interested in paying for a license, check out KeePass. If you want to be legit (i.e.: you want to pay for a commercial license and you want a multi-user solution where everyone can share) you should use something like PasswordState. Both user and group controls, excellent audit trails and tons more features.

      https://www.clickstudios.com.au/
      https://www.youtube.com/watch?v=l98qPyTcbug

    3. Re:Dumb question, but where should we store them? by arth1 · Score: 4, Insightful

      But beyond that, all it has is a history of encrypted strings.

      And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.

      What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's neither a letter nor a digit. Don't those who create those rules know that each rule reduces the amount of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall for a single-pass crack is far superior to a password of the same length with plenty of restrictions.
      Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.
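Added example, not part of arth1's comment or of the article: a Python script that puts numbers on the claim above by counting how many passwords of a given length survive a composition rule like the one described (upper and lower case required, one or two digits, at least one symbol), and comparing that with simply allowing one more character. The character-class sizes (printable ASCII without the space, 94 characters in four classes), the rule set and the tiny alphabet used for the exhaustive cross-check are all assumptions made for this illustration.

```python
from itertools import product
from math import comb, log2

# Assumed class sizes for printable ASCII without the space character:
# 26 lower, 26 upper, 10 digits, 32 symbols -> 94 characters in total.
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}

# The composition rule from the comment: upper and lower case required, at least
# one digit but no more than two, and at least one character that is neither.
# Values are (minimum count, maximum count); None means no upper bound.
RULES = {"lower": (1, None), "upper": (1, None), "digit": (1, 2), "symbol": (1, None)}


def count_passwords(length, sizes, rules):
    """Count strings of `length` drawn from the classes in `sizes` that satisfy
    `rules` (class -> (min, max) occurrences; classes absent from `rules` are
    unconstrained).  Every way of splitting the positions among the classes
    contributes multinomial(length; c_1..c_k) * prod(size_i ** c_i)."""
    names = list(sizes)

    def split(i, remaining, ways):
        if i == len(names):
            return ways if remaining == 0 else 0
        name = names[i]
        lo, hi = rules.get(name, (0, None))
        hi = remaining if hi is None else min(hi, remaining)
        total = 0
        for c in range(lo, hi + 1):
            # comb(remaining, c): which of the still-free positions this class takes
            total += split(i + 1, remaining - c, ways * comb(remaining, c) * sizes[name] ** c)
        return total

    return split(0, length, 1)


def brute_force(length, alphabet, rules):
    """Enumerate every string over a tiny alphabet (class -> characters) and apply
    the rules literally.  Only used to cross-check count_passwords on small inputs."""
    chars = "".join(alphabet.values())
    cls = {ch: name for name, members in alphabet.items() for ch in members}
    hits = 0
    for candidate in product(chars, repeat=length):
        counts = {name: 0 for name in alphabet}
        for ch in candidate:
            counts[cls[ch]] += 1
        ok = all(lo <= counts[name] and (hi is None or counts[name] <= hi)
                 for name, (lo, hi) in rules.items())
        hits += ok
    return hits


# Constructed 6-character alphabet, small enough to enumerate exhaustively.
TINY_ALPHABET = {"lower": "ab", "upper": "A", "digit": "12", "symbol": "!"}


def check_against_brute_force(length=5):
    """True when the closed-form count agrees with exhaustive enumeration."""
    sizes = {name: len(members) for name, members in TINY_ALPHABET.items()}
    return count_passwords(length, sizes, RULES) == brute_force(length, TINY_ALPHABET, RULES)


def compare(length, sizes=CLASSES, rules=RULES):
    """Compare the rule-constrained space at `length` with the unconstrained
    space at `length` and at `length` + 1, including the entropy difference."""
    alphabet = sum(sizes.values())
    constrained = count_passwords(length, sizes, rules)
    same_len = alphabet ** length
    longer = alphabet ** (length + 1)
    return {
        "constrained": constrained,
        "unconstrained": same_len,
        "one_longer": longer,
        "bits_lost_to_rules": log2(same_len / constrained),
        "bits_gained_by_extra_char": log2(alphabet),
    }


if __name__ == "__main__":
    assert check_against_brute_force()
    r = compare(8)
    print(f"8 chars, with rules: {r['constrained']:.3e}")
    print(f"8 chars, no rules:   {r['unconstrained']:.3e}  "
          f"(rules cost {r['bits_lost_to_rules']:.2f} bits)")
    print(f"9 chars, no rules:   {r['one_longer']:.3e}  "
          f"(extra char adds {r['bits_gained_by_extra_char']:.2f} bits)")
```

With these assumptions the rule set throws away more than half of the 8-character space (a loss of roughly 1.2 bits), while a ninth unconstrained character multiplies the space by 94 (about 6.6 bits). The `rules` mapping is generic, so other policies (a cap on repeated classes, a required minimum of symbols) can be costed the same way.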