Slashdot Mirror


40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms, are undermining that progress. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015, and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff.
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.

17 of 116 comments

  1. Dumb question, but where should we store them? by Anonymous Coward · · Score: 5, Insightful

    I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.

    1. Re:Dumb question, but where should we store them? by Joe_Dragon · · Score: 2

      What about using LDAP linked to AD so each dev has their own logins?

    2. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 2, Insightful

      Yeah, I'm kind of confused about this. At some point, there's going to be a storage container for passwords, and that storage container is probably going to be a document of some sort. Now that doesn't mean the document isn't protected and encrypted, but it's still very likely going to be a simple text or doc file at the core of it.

    3. Re:Dumb question, but where should we store them? by hcs_$reboot · · Score: 3, Informative

      That's not a dumb question. Organizations where people come and go, where hundreds of passwords have to be kept, need safe access to a password database. Why not an Excel or Word doc, as long as it is in a safe place and encrypted with a strong master password?

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    4. Re:Dumb question, but where should we store them? by Anonymous Coward · · Score: 2, Insightful

      If you aren't interested in paying for a license, check out KeePass. If you want to be legit (i.e.: you want to pay for a commercial license and you want a multi-user solution where everyone can share) you should use something like PasswordState. Both user and group controls, excellent audit trails and tons more features.

      https://www.clickstudios.com.au/
      https://www.youtube.com/watch?v=l98qPyTcbug

    5. Re: Dumb question, but where should we store them? by AJWM · · Score: 3, Interesting

      PS: currently a whiteboard in the lab.

      Heh. Back in my college (mainframe!) days, one of the systems guys had a blackboard in his office, and up in one corner were a few innocuous characters (something like "&:*").

      Now, I was just a student, but spent enough time hanging around the computer center to know most of these guys. I noticed this one day and said "Jay, is it really a good idea to have the system privcode [essentially, the root password on that OS] in plain sight like that?", and grinned as his face turned white, then red. At least it wasn't "1234".

      I'd learned it from a 2-inch thick stack of printout of the OS source code I'd found in the dumpster, it had been hardcoded into a function call. (I couldn't believe it was that simple when I first found it, but checking the Espol manual -- which I'd been given by a guy in a Burroughs sales office; when I went in and just asked what manuals they had on the B6700 system, he was happy to help out a student with some old stuff from a back room -- and sure enough, that's what it was.)

      (I'm not even sure the terms "social engineering" and "dumpster diving" had even been coined back then, it was in the mid-1970s. And I never did anything malicious with the knowledge.)

      --
      -- Alastair
    6. Re:Dumb question, but where should we store them? by arth1 · · Score: 4, Insightful

      But beyond that, all it has is a history of encrypted strings.

      And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.

      What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's neither a letter nor a digit. Don't those who create those rules know that each rule reduces the number of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall to a single-pass crack is far superior to a password of the same length with plenty of restrictions.
      Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.

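The keyspace argument in the comment above can be made concrete. The following is an added example, not code from the thread or from the survey's sponsor: it counts, by inclusion-exclusion, how many length-n strings over the 95 printable ASCII characters satisfy exactly the policy the commenter describes (at least one upper-case letter, at least one lower-case letter, one or two digits, at least one symbol) and compares that with the unconstrained 95^n keyspace and with an unconstrained password one character longer. The 26/26/10/33 class sizes are the assumption behind the numbers.

```python
# Added example: how much keyspace a composition policy throws away.
# Not code from the Slashdot thread; class sizes are an assumption
# (printable ASCII: 26 upper, 26 lower, 10 digits, 33 symbols = 95).
from math import comb, log2

UPPER, LOWER, DIGIT, SYMBOL = 26, 26, 10, 33
ALPHABET = UPPER + LOWER + DIGIT + SYMBOL  # 95


def _all_three_classes(r):
    """Strings of length r over upper+lower+symbol that use every one of
    the three classes at least once (inclusion-exclusion over the
    'class missing' events; the 'all three missing' term is 0)."""
    u, l, s = UPPER, LOWER, SYMBOL
    if r < 3:                      # cannot contain three distinct classes
        return 0
    return ((u + l + s) ** r
            - (l + s) ** r - (u + s) ** r - (u + l) ** r
            + u ** r + l ** r + s ** r)


def count_policy(n):
    """Length-n passwords with >=1 upper, >=1 lower, >=1 symbol and
    exactly one or two digits (the policy described in the comment)."""
    total = 0
    for d in (1, 2):               # number of digit positions
        rest = n - d
        # choose which positions hold digits, fill them, then fill the
        # remaining positions so that upper, lower and symbol all appear
        total += comb(n, d) * DIGIT ** d * _all_three_classes(rest)
    return total


def count_unconstrained(n):
    """Any string of length n over the 95 printable characters."""
    return ALPHABET ** n


def bits_lost(n):
    """Entropy (bits) the policy removes compared with the free keyspace."""
    return log2(count_unconstrained(n) / count_policy(n))


def extra_char_beats_policy(n):
    """The commenter's claim: one more unconstrained character buys more
    than the policy costs, i.e. 95^(n+1) exceeds the policy-restricted
    space of length n by far more than the policy's reduction factor."""
    return count_unconstrained(n + 1) // count_policy(n)


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"len {n}: policy keeps 1/{count_unconstrained(n) / count_policy(n):.2f} "
              f"of the keyspace ({bits_lost(n):.2f} bits lost); "
              f"an unconstrained {n + 1}-char password is "
              f"{extra_char_beats_policy(n)}x larger than the policy space")
```

For length 8 the policy discards a little over one bit of entropy, which is modest, but every additional rule (maximum lengths, forbidden characters, mandatory positions) compounds, while simply allowing one more character multiplies the space by 95. The digit cap is what makes this policy strictly shrink rather than merely reshape the space; `count_policy` returns 0 below length 4 because four classes cannot fit in fewer positions.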
    7. Re:Dumb question, but where should we store them? by arth1 · · Score: 2

      That actually does not sound too unreasonable of a process.

      Except that it depends on
      1: All PCs that open the file being uncompromised.
      2: The distribution method for the file being uncompromised.
      3: The printer used to create the hard copy being uncompromised.
      4: If a network printer, no possibility of sniffing the unencrypted data going to the printer.

      Modern printers and copiers are underrated as hacking subjects. There's no limit to what people print out, and they assume that it's a very safe thing to do. Yet if I have access to a modern printer or print server, I can ask for a copy of every printed document to be mailed to me. When was the last time the IT department eyeballed the configuration for each printer, looking for anomalies?

  2. Formatting by jargonburn · · Score: 2

    Well, at least they're not stored in plain text.
    *puts on a pair of sunglasses*

  3. Just remember... by xlsior · · Score: 5, Interesting

    ...Word and Excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character.

    /It's so secure even YOU won't know your passwords!

    1. Re:Just remember... by Knuckles · · Score: 2

      That's not autocorrect, that's cell format. Learn to use/change it, it's Excel 101
      (And autocorrect can be turned off as well)

      --
      "When I first heard Daydream Nation it quite frankly scared the living shit out of me." -- Matthew Stearns
  4. Yeah by hcs_$reboot · · Score: 2

    but the word doc is securely protected with a password.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  5. That's why we use... by I75BJC · · Score: 2

    LibreOffice! Or are Post-It_Notes better? LOL!!!

  6. What word doc? Post it notes. by 140Mandak262Jamuna · · Score: 3, Funny

    We had the most incompetent sysadmin I had seen when our company was in its infancy. Slacked off most of the time. So he convinced the receptionist to step in and fix urgent things like printer queue issues and restarting the print server etc. How? Below the large monthly planner she had on the front desk was a whole bunch of post-it notes. Each note started with the su password and then some commands. About 10 or 15 of them. Worst. Sysadmin. Ever.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  7. We don't .... by whoever57 · · Score: 2

    Hah! We are so much better. We don't use Word to store passwords.

    We use LibreOffice!

    --
    The real "Libtards" are the Libertarians!
  8. Old School by rtb61 · · Score: 4, Interesting

    Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert it in the typewriter, type out the passwords, buy a 1 ton safe, stick the piece of paper in the safe, lock the safe. Whilst they, and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard not to notice it missing and to be able to re-secure your system again.

    The problem with securing computers with computers is you can no longer see them breaking in successfully; sure, you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo..., https://www.theguardian.com/wo.... Computers are shit at security because you cannot see what is going on and there are just so, so many ways to hack it, and all from safe remote locations; hacking a safe, up close and personal and extreme risk, it is just the way it is.

    They used to produce computers with hard-wired switches to prevent firmware being overwritten: no direct access, physically impossible to hack remotely; hard-wired switches to shut down wireless network cards: switch off, no power to that card whatsoever. So your core data server should have a hard-wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).

    --
    Chaos - everything, everywhere, everywhen
    1. Re:Old School by rtb61 · · Score: 2

      Dude, you cannot see what is going on at all; all you see is the mud monkey output, and when it comes to shifting those bits and bytes and words (not words words but words) https://en.wikipedia.org/wiki/Word_(computer_architecture), you have no idea at all what is going on, no one does; you just 'assume' it is doing what the screen claims it is doing, and the computer is doing way, way more than just output to a video screen. Once you dabble in computer security, you really start to understand what a mindless head fuck it really is: all your attempts at security are down to the assumption that the output reflects what is actually happening, whilst knowing full well that what is being displayed could not be what is actually happening. Seriously dude, why do you think it costs so much to de-hack secure networks? Everything has to be checked, any suspicion whatsoever about any component and that has to be checked, even replaced, and even then, once finished, all very closely monitored for an extended period, just to make sure. Often easier to replace old box with new box with data restored from backups and then erase old box and sell (boxes are cheap compared to labour, especially extended overtime labour). Old safes should still be cheap on the second hand market; the idea is the mass, not so much security. Interesting side note, did you know one of the core design requirements for office floors, way back when, was to be able to hold a one ton safe? Here you go https://www.amazon.com/s/ref=s... and Amazon will even deliver. Often manual is far easier and more secure than electronic.

      --
      Chaos - everything, everywhere, everywhen