Slashdot Mirror


40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms, are undermining that progress. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff.
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.

3 of 116 comments

  1. Just remember... by xlsior · Score: 5, Interesting

    ...Word and Excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character.

    /It's so secure even YOU won't know your passwords!

  2. Old School by rtb61 · Score: 4, Interesting

    Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert it in the typewriter, type out the passwords, buy a 1 ton safe, stick the piece of paper in the safe, lock the safe. Whilst they, and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard not to notice it missing and not to be able to re-secure your system again.

    The problem with securing computers with computers is you can no longer see them breaking in successfully; sure, you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo..., https://www.theguardian.com/wo.... Computers are shit at security because you can not see what is going on and there are just so, so many ways to hack it, and all from safe remote locations; hacking a safe is up close and personal and extreme risk. It is just the way it is.

    They used to produce computers with hard-wired switches to prevent firmware being overwritten: no direct access, physically impossible to hack remotely; hard-wired switches to shut down wireless network cards: switch off, no power to that card whatsoever. So your core data server should have a hard-wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).

    --
    Chaos - everything, everywhere, everywhen
  3. Re: Dumb question, but where should we store them? by AJWM · Score: 3, Interesting

    PS: currently a whiteboard in the lab.

    Heh. Back in my college (mainframe!) days, one of the systems guys had a blackboard in his office, and up in one corner were a few innocuous characters (something like "&:*").

    Now, I was just a student, but spent enough time hanging around the computer center to know most of these guys. I noticed this one day and said "Jay, is it really a good idea to have the system privcode [essentially, the root password on that OS] in plain sight like that?", and grinned as his face turned white, then red. At least it wasn't "1234".

    I'd learned it from a 2-inch thick stack of printout of the OS source code I'd found in the dumpster, it had been hardcoded into a function call. (I couldn't believe it was that simple when I first found it, but checking the Espol manual -- which I'd been given by a guy in a Burroughs sales office; when I went in and just asked what manuals they had on the B6700 system, he was happy to help out a student with some old stuff from a back room -- and sure enough, that's what it was.)

    (I'm not even sure the terms "social engineering" and "dumpster diving" had even been coined back then; it was in the mid-1970s. And I never did anything malicious with the knowledge.)

    --
    -- Alastair