40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms are undermining them. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff. Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.

Dumb question, but where should we store them?

I have a closed system that has 2 Windows servers, sql server, 14 red hat servers and a win 7 laptop. Each has a user and admin account. Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc. that's 32 passwords to manage with 6 developers working on the system.

Re:Dumb question, but where should we store them?

[hcs_$reboot]

That's not a dumb question. Organizations where people go and leave, where hundreds of passwords have to be kept, need a safe access to a password database. Why not an excel or word doc, as long as it is in a safe place and encrypted with a strong master password.

Re: Dumb question, but where should we store them?

[AJWM]

PS: currently a whiteboard in the lab.

Heh. Back in my college (mainframe!) days, one of the systems guys had a blackboard in his office, and up in one corner were a few innocuous characters (something like "&:*").

Now, I was just a student, but spent enough time hanging around the computer center to know most of these guys. I noticed this one day and said "Jay, is it really a good idea to have the system privcode [essentially, the root password on that OS] in plain sight like that?", and grinned as his face turned white, then red. At least it wasn't "1234".

I'd learned it from a 2-inch thick stack of printout of the OS source code I'd found in the dumpster, it had been hardcoded into a function call. (I couldn't believe it was that simple when I first found it, but checking the Espol manual -- which I'd been given by a guy in a Burroughs sales office; when I went in and just asked what manuals they had on the B6700 system, he was happy to help out a student with some old stuff from a back room -- and sure enough, that's what it was.)

(I'm not even sure the terms "social engineering" and "dumpster diving" had even been coined back then, it was in the mid-1970s. And I never did anything malicious with the knowledge.)

Re:Dumb question, but where should we store them?

[arth1]

But beyond that, all it has is a history of encrypted strings.

And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.

What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's not neither a letter or a digit. Don't those who create those rules know that each rule reduces the amount of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall for a single-pass crack is far superior to a password of the same length with plenty of restrictions.
Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.

Just remember...

[xlsior]

...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character.

/It's so secure even YOU won't know your passwords!

What word doc? Post it notes.

[140Mandak262Jamuna]

We had the most incompetent sys admin I had seen when our company was in infancy. Slacked off most of the time. So he convinced the receptionist to step and fix urgent things like printer queue issues and restarting print server etc. How? Below the large monthly planner she had on the front desk, was a whole bunch of post-it notes. Each note started with su password and then some commands. About 10 or 15 of them. Worst. Sysadmin. Ever.

Old School

[rtb61]

Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, buy a 1 ton safe, stick piece of paper in safe, lock safe. Whilst they and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard to not notice it missing and to be able to re secure you system again.

The problem with securing computers with computers is you can no longer see them breaking in successfully, sure you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo..., https://www.theguardian.com/wo.... Computers are shit at security because you can not see what is going on and there are just so, so many ways to hack it and all from safe remote locations, hacking a safe, up close and personal and extreme risk, it is just the way it is.

They used to produce computers with hard wired switchs to prevent firmware being overwritten, no direct access phsyically impossible to hack remotely, hard wired switches to shut down wireless network cards, switch off no power to that card what so ever. So your core data server should have a hard wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).