40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)
While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms are undermining them. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff. 
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.
Re: (Score:2)
Well, let's hope your spreadsheet software isn't configured to run unsigned macros.
Dumb question, but where should we store them? (Score:5, Insightful)
I have a closed system that has 2 Windows servers, SQL Server, 14 Red Hat servers and a Win 7 laptop. Each has a user and admin account. Each has strict DoD-based password criteria including expiring every 60 days, no repeats, etc. That's 32 passwords to manage with 6 developers working on the system.
Re: Dumb question, but where should we store them? (Score:4, Interesting)
PS: currently a whiteboard in the lab.
Heh. Back in my college (mainframe!) days, one of the systems guys had a blackboard in his office, and up in one corner were a few innocuous characters (something like "&:*").
Now, I was just a student, but spent enough time hanging around the computer center to know most of these guys. I noticed this one day and said "Jay, is it really a good idea to have the system privcode [essentially, the root password on that OS] in plain sight like that?", and grinned as his face turned white, then red. At least it wasn't "1234".
I'd learned it from a 2-inch thick stack of printout of the OS source code I'd found in the dumpster, it had been hardcoded into a function call. (I couldn't believe it was that simple when I first found it, but checking the Espol manual -- which I'd been given by a guy in a Burroughs sales office; when I went in and just asked what manuals they had on the B6700 system, he was happy to help out a student with some old stuff from a back room -- and sure enough, that's what it was.)
(I'm not even sure the terms "social engineering" and "dumpster diving" had even been coined back then, it was in the mid-1970s. And I never did anything malicious with the knowledge.)
Re: (Score:3)
What about using LDAP linked to AD so each dev has their own login?
Re: (Score:2, Insightful)
Yeah, I'm kind of confused about this. At some point, there's going to be a storage container for passwords, and that storage container is probably going to be a document of some sort. Now that doesn't mean the document isn't protected and encrypted, but it's still very likely going to be a simple text or doc file at the core of it.
Re: (Score:2)
Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc.
The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be correcthorsebatterystaple0916.
I always use "correcthorsebatterystaple" for the base of the PW because I have heard that is an extremely secure PW [xkcd.com].
Re: (Score:2)
The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be clownhorsepenisstaple0916.
FTFY
Re: (Score:2)
clownhorsepenisstaple0916.
Soooo close the the Trump / Pence signs I've seen. :-)
Re: (Score:1)
My boss has me store the root passwords to hundreds of servers in a spreadsheet. We have to change the passwords every 60 days and we have to use randomly generated 15-character passwords. The spreadsheet (Excel) uses the standard Excel password and he has me put it on a SharePoint server. No clue who has access to the SharePoint server.
Every time we update them he also has me print out a copy and put it in an envelope which he keeps in his desk just in case something happens to me.
Re: (Score:3)
That actually does not sound too unreasonable of a process.
Except that it depends on
1: All PCs that open the file being uncompromised.
2: The distribution method for the file being uncompromised.
3: The printer used to create the hard copy being uncompromised.
4: If a network printer, no possibility of sniffing the unencrypted data going to the printer.
Modern printers and copiers are underrated as hacking subjects. There's no limit to what people print out, and they assume that it's a very safe thing to do. Yet if I have access to a modern printer or print server
Re: (Score:2)
The easiest printer exploit is to simply take the printout from the out-tray before the hapless user arrives to collect it. I'd wager that 100% of the time they'll simply assume "something went wrong" and just return to their desk to send the job again.
I know many printers have secure print features that don't release the job until the user arrives at the printer and enters a pin, but everywhere I've worked they have been disabled by IT for unknown reasons.
Re: (Score:2, Insightful)
If you aren't interested in paying for a license, check out KeePass. If you want to be legit (i.e. you want to pay for a commercial license and you want a multi-user solution where everyone can share) you should use something like PasswordState. Both user and group controls, excellent audit trails and tons more features.
https://www.clickstudios.com.au/
https://www.youtube.com/watch?v=l98qPyTcbug
Re: (Score:2)
+1 for KeePass, and KeePassX (on OSX).
Remember one long passphrase, never remember another password ever again.
Re: (Score:2)
How do you backup the OSX keychain?
How can you restore the OSX keychain following a reinstall?
How can you share the keychain among multiple computers/user accounts?
The great thing about KeePass (or a text file in a TrueCrypt/VeraCrypt volume) is you get all of these features without any reduction in security. If a user has the master password then they can work on the password database. This is a much better match to real-world use cases than the assumptions OSX makes about its keychain.
Re: (Score:2)
You touched upon the very reasons why I like KeePass over OSX's keychain.
With KeePass I can use the same master password file across my Windows, OSX, and Linux computers.
Leave it to an AC to criticize without offering any solutions.
Re: (Score:2)
So the neat thing about the "no repeats" rule: when you are changing your password, the system only knows the true password of the most recent old one (since you have to type it in while resetting) and the new one you are trying - that is how it can say "new password too similar to previous one". But beyond that, all it has is a history of encrypted strings. So, simply alternate two passwords and increment a digit each time.
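An added example of the mechanics the comment above touches on (not code from the post or from any product it mentions): a password-history check that stores a fresh random salt with every entry. Comparing a candidate against history needs only the candidate in plaintext, which the user has just typed, and one KDF run per stored entry; the `PasswordHistory` class, its `depth` and the PBKDF2 iteration count are illustrative assumptions.

```python
"""Password-history check with a unique random salt per stored entry.

Added example, not code from the comment above. The PasswordHistory API,
the history depth and the iteration count are illustrative assumptions.
"""
import hashlib
import hmac
import os

ITERATIONS = 50_000  # illustrative; size this to your hardware budget


def _kdf(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte digest from password and salt with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class PasswordHistory:
    """Keeps the last `depth` (salt, digest) pairs and rejects any reuse."""

    def __init__(self, depth: int = 4):
        self.depth = depth
        self.entries: list[tuple[bytes, bytes]] = []  # oldest first, newest last

    def is_reused(self, candidate: str) -> bool:
        # Every entry carries its own salt, so the only way to compare is to
        # rerun the KDF once per entry with that entry's salt. Nothing about
        # the old plaintexts is needed; only the candidate just typed in.
        for salt, digest in self.entries:
            if hmac.compare_digest(_kdf(candidate, salt), digest):
                return True
        return False

    def set(self, new_password: str) -> bool:
        """Accept the new password unless it matches any stored entry."""
        if self.is_reused(new_password):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _kdf(new_password, salt)))
        self.entries = self.entries[-self.depth:]  # forget entries beyond depth
        return True


def demo() -> list[bool]:
    """Constructed sequence: alternating between two passwords is rejected."""
    h = PasswordHistory(depth=4)
    return [
        h.set("correcthorsebatterystaple0916"),
        h.set("correcthorsebatterystaple1016"),
        h.set("correcthorsebatterystaple0916"),  # swing back to the old one
        h.set("entirely-different-passphrase-7"),
    ]


def salts_are_distinct(depth: int = 4) -> bool:
    """Check that each stored entry got its own random salt."""
    h = PasswordHistory(depth=depth)
    for i in range(depth):
        h.set(f"password-number-{i}")
    salts = [salt for salt, _ in h.entries]
    return len(set(salts)) == len(salts)


if __name__ == "__main__":
    print(demo())               # [True, True, False, True]
    print(salts_are_distinct())  # True
```

What the history check cannot do with only digests is the "too similar to the previous one" test the comment describes; that comparison needs the old plaintext, which is available only at change time because the user supplies it alongside the new one.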
Re:Dumb question, but where should we store them? (Score:5, Insightful)
But beyond that, all it has is a history of encrypted strings.
And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.
What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's neither a letter nor a digit. Don't those who create those rules know that each rule reduces the number of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall for a single-pass crack is far superior to a password of the same length with plenty of restrictions.
Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.
Re: Dumb question, but where should we store them? (Score:1)
Holy crap; lightbulb! I've never thought of it that way. Strong restrictions always ticked me off but clearly they work opposite from their intentions.
Re: (Score:2)
Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.
I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.
If the attacker knows that 8 characters is the minimum, then that does mean that they "save" the resources of checking the N^7 possible passwords excluded by the rule
Re: (Score:2)
I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.
That depends on what the attacker is after. If finding the first password as quickly as possible, a dictionary attack against a list with no restrictions is the way to go. But more often these days, the attacker wants either one particular account, or all accounts. For one particular account, a dictionary attack is over and done with in seconds, after which it's back to brute forcing. For all accounts, you can do the same, but the yield is lower - getting a few percent of passwords early is not as tim
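The argument in the last few replies (a composition rule shrinks the space an attacker has to search, while one extra character multiplies it) can be put in numbers. The block below is an added example, not code from the thread: it counts the strings of a given length that contain at least one character from every class by inclusion-exclusion, cross-checks the formula by brute force on a tiny alphabet, and compares the result with simply requiring one more character. The four character classes (lower, upper, digits and `string.punctuation`) are an assumption about the policy being discussed.

```python
"""Password search space with and without an 'all four classes' rule.

Added example, not from the thread. The class split (lower, upper, digit,
string.punctuation) is an assumption; results are exact integers.
"""
from itertools import combinations, product
from math import log2
import string

CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32 printable non-alphanumerics
]


def unrestricted(length: int, classes=CLASSES) -> int:
    """All strings of `length` over the union of the classes."""
    alphabet_size = sum(len(c) for c in classes)
    return alphabet_size ** length


def with_all_classes(length: int, classes=CLASSES) -> int:
    """Strings of `length` containing at least one character from every class.

    Inclusion-exclusion over the set of classes that are *missing*: for each
    subset of classes excluded, count strings over the remaining alphabet and
    alternate the sign with the size of the subset. Classes must be disjoint.
    """
    total = sum(len(c) for c in classes)
    count = 0
    for r in range(len(classes) + 1):
        for missing in combinations(range(len(classes)), r):
            remaining = total - sum(len(classes[i]) for i in missing)
            count += (-1) ** r * remaining ** length
    return count


def brute_force_count(length: int, classes) -> int:
    """Enumerate every string; only sensible for tiny alphabets (self-check)."""
    alphabet = "".join(classes)
    return sum(
        1
        for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in classes)
    )


def compare(length: int = 8) -> dict:
    """Bits of search space lost to the composition rule vs. gained by +1 char."""
    free = unrestricted(length)
    ruled = with_all_classes(length)
    return {
        "fraction_kept_by_rule": ruled / free,
        "bits_lost_to_rule": log2(free) - log2(ruled),
        "bits_gained_by_extra_char": log2(unrestricted(length + 1)) - log2(free),
    }


if __name__ == "__main__":
    for k, v in compare(8).items():
        print(f"{k}: {v:.3f}")
```

For 8-character passwords over these 94 characters the "one of each class" rule keeps a little under half of the space, roughly one bit, whereas a ninth character adds about 6.6 bits; the brute-force cross-check on a 4-letter alphabet confirms the inclusion-exclusion count before trusting it on numbers too large to enumerate.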
No admin. $5 organizer, or encrypted plain text (Score:2)
Ideally, there should be no "admin password". Individual people should have their own passwords, each with appropriate privileges, via groups if your organization has more than about a dozen people.
So then we have the question of the most secure way to store your individual passwords.
If you can still find an old-school "personal organizer" with no wifi, that provides security from network attacks. Then you need physical security to ensure the device doesn't get stolen - lock the door, lock at least one d
Re: (Score:2)
When dealing with vendors, you will always have some "Admin password" for the administration account.
> Ideally, there should be no "admin password".
That situation is wholly irrelevant to the topic that asserts the practical problem.
Re: (Score:1)
Ideally, there should be no "admin password".
Wrong.
Somebody has the rights to replace system software (the admin job). Using an account with such privilege for everyday work is a security risk though. A good admin uses a plain user account for surfing the web and reading his email, so if his browser/mail reader gets compromised in a clever attack, the system itself is not compromised. The account with admin rights is only used for actual system administration, not for reading mail or writing reports.
It is a bad admin who uses a privileged account fo
Never log in as admin. People leave. sudo (Score:1)
You're right that you shouldn't log in using the admin password to read email. You also shouldn't log in to the admin account, using the admin password, in order to install software.
People leave your organization. If you have groups of people logging in to the admin account, using the admin password, the guy who got fired yesterday probably still has the admin password. It's stored on Joe Schmoe's mobile device too, which just got hacked.
Instead, Joe should log in as Joe. The logs will show that Joe logged
Re: (Score:2)
I'm curious. 18 machines, user and admin for each, but only 32 passwords?
As to where to store them, I like PasswordSafe myself, but there are other password managers if passwordsafe isn't to your taste. Then I have to remember two passwords (the one for password safe & the login to one machine (the one I keep passwordsafe on).
By the by, any clue when the government is going to figure out that requiring passwords to be changed every X days is a bad idea, which encourages bad (easily remembered) pass
Complex password rules (Score:2)
Some of my passwords I easily remember. Some of the others are written down - some on a page in a diary, others in Sticky Notes in one of my Windows 10 logins.
Part of the reason for this is the disparate password rules that some organizations FORCE on us. Password must be 8 characters, password must contain mix of lower and upper case, password must include special characters, password must start w/ a letter or number but not a special character, and so on. As a result, some of the passwords I would ha
Re: (Score:2)
I have a closed system that has 2 Windows servers, sql server, 14 red hat servers and a win 7 laptop. Each has a user and admin account. Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc. that's 32 passwords to manage with 6 developers working on the system.
In one of my past jobs, we were required to update our passwords every 90 days. And we'd get warned about it on day 60, and we couldn't use any of our last 4 passwords or so
My way around it - pick a base password - since it was at work, which I might have to share w/ colleagues, depending on the situation, I picked the company name spelled out w/ special characters, odd capitalization and so on, and then appended to the end numbers from 0-9. After p@s$w0Rd9 was complete, I'd revert it to p@s$w0Rd0 and
Re: (Score:2)
Active Directory, with PKI and Kerberos (there are PAM modules that'll do the heavy lifting here). Consider a proper password management system, like LastPass, or if compliance won't let you use the "cloud", I'm told Bruce Schneier's open source one is pretty good.
Couple that with a policy that enforces good password hygiene (i.e. randomly generated LastPass passwords) and you might have a fighting chance of keeping your stuff safe-ish.
Formatting (Score:3)
*puts on a pair of sunglasses*
Re: (Score:1)
mine is
*puts it on usb stick, deletes from ~/Docs*
this is a big hint to start using KeePassX
Re: (Score:2)
I've seen a few of those documents entirely formatted in bold and/or italics. So, not "plain" text.
Coins in the hat, tomatoes in the face, please!
Re: (Score:1)
Autocorrect is more of a pain than it's worth sometimes. I had similar issues with a spreadsheet where I was listing ports. It kept thinking I was making a number and removing my commas
e.g 80,443 would just become 80443
Re: (Score:2)
That's not autocorrect, that's cell format. Learn to use/change it, it's Excel 101
(And autocorrect can be turned off as well)
Re: (Score:1)
I'd assume that a text formatted cell shouldn't be doing that, yet it was.
Re: (Score:1)
I'd assume that a text formatted cell shouldn't be doing that, yet it was.
I see, then my first reply was premature, because I had not seen it doing this all my life. I tried it today with Excel 2003, 2007, 2010, 2013, 2016. In no instance did it do what you wrote, i.e., remove the comma in a text-formatted box, and the default autocorrect rules don't have any rule that looks like they would do this, either. So I guess maybe you experienced a bug that has been fixed, you had some weird custom autocorrect rule enabled, or it may have had something to do with unusual region settin
Re: (Score:2)
...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character. /It's so secure even YOU won't know your passwords!
Also, leaking of metadata, version tracking etc.
It can be done, if everyone touching the file exactly know what they are doing, but Murphy's Law applies. An office suite just is not the best tool for this job.
Another 30% ... (Score:2)
writes it on the wall.
Passwords (Score:1)
I store them in a txt file in Google Drive.
gpg2 --symmetric --output passwords.txt.safe passwords.txt
gpg2 --decrypt passwords.txt.safe
And memorise a crazy hard password which also assists me in solving a parity error on the Rubik's Cube Revenge with a small variation.
Re: (Score:2)
Don't forget to 'shred -u' your files after doing that. nothing is safe.
Re: (Score:2)
Sticky notes on the monitor are for user passwords, the admin password has to be stored somewhere it can be accessed remotely...
What word doc? Post it notes. (Score:4, Funny)
That's stupid and scary! (Score:2)
We don't .... (Score:3)
Hah! We are so much better. We don't use Word to store passwords.
We use LibreOffice!
Old School (Score:5, Interesting)
Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, buy a 1 ton safe, stick piece of paper in safe, lock safe. Whilst they, and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard to not notice it missing and to be able to re-secure your system again.
The problem with securing computers with computers is you can no longer see them breaking in successfully; sure, you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo... [theguardian.com], https://www.theguardian.com/wo... [theguardian.com]. Computers are shit at security because you cannot see what is going on and there are just so, so many ways to hack it and all from safe remote locations; hacking a safe, up close and personal and extreme risk, it is just the way it is.
They used to produce computers with hard-wired switches to prevent firmware being overwritten: no direct access, physically impossible to hack remotely; hard-wired switches to shut down wireless network cards, switch off, no power to that card whatsoever. So your core data server should have a hard-wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).
Re: (Score:2)
Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, ...
Typewriter? Um, the passwords can be recovered from the ink ribbon. Why not just use a pen?
Re: (Score:2)
Computers are shit at security because you cannot see what is going on...
Uh, what? Yes you can. I very regularly punch the button that says "add this asshat's IP to the firewall drop rules" because I can see the pathetic script kiddie attempting to brute force the password on the SSH server for the Administrator account and it annoys me. Are they going to get in? No, my system is not at risk. There is no Administrator account. So do I really need to start dropping all packets from this assclown? Not really, no. But my monitoring systems are lit up, and that's just obnoxi
Re: (Score:3)
Dude, you cannot see what is going on at all; all you see is the mud monkey output, and when it comes to shifting those bits and bytes and words (not words words but words) https://en.wikipedia.org/wiki/Word_(computer_architecture), you have no idea at all what is going on, no one does; you just 'assume' it is doing what the screen claims it is doing and the computer is doing way, way more than just output to a video screen. Once you dabble in computer security, you really start to understand what a mindles
Re: (Score:2)
After you've put all your passwords in the 1 ton safe, where do you put the combination for the safe?
Re: (Score:2)
It's safes all the way down.
Sounds about right. (Score:2, Informative)
Remember that 40% counts IT admins that ask Reddit for advice. Every deadbeat coworker that has survived by kissing ass or nepotism.
And that's nothing unique to IT. It's like that in everywhere I've worked.
Re: (Score:2)
Oh come on. People are idiots. 90% of people pick one username and use it everywhere. Same username on Slashdot as well and with only 3 posts matches up with Paul's personal history.
no need (Score:2)
Just like the ancient old days, my admin passwords are 'password'. Why change them we get new systems, makes it harder for the vendor to correct issues.
We have 1Password, LastPass, and Password Safe (Score:2)
It's not like we haven't had 1Password, LastPass, and Password Safe for at least the past decade.
What year is this? Seriously, man, what decade is this?
Re: (Score:1)
My firm prohibits the use of password manager software, presumably because they're worried someone might crack the encrypted database and get all my passwords, and think storing stuff in plain sight on post-its is more secure. And I suppose in one sense that's true: no one can remotely access that post-it. But suborn the housekeeping staff and I guarantee you would harvest quite a few passwords.
You have to (Score:2)
You have to keep passwords written somewhere because stupid sysadmins have such insane password rules and retention times that no one could possibly remember them. In theory Word documents are at least better than post-its because they COULD have some access control.
The tighter you squeeze, sysadmins, the more systems will slip through your fingers.
Re: (Score:2)
I might possibly remember a password with insane password rules and retention times. But, I can't remember 100 such passwords.
sudo? (Score:2)
I thought that was the problem it was supposed to solve, namely there were no 'root' accounts but a list of trusted users.
Again: Passwords are becoming obsolete (Score:2)
This type of article gets posted on slashdot every few months and the answer is the same: password security is lame.
With the password security requirements evolving due to things like sophisticated distributed brute-force cracking, it has arrived at the point where people literally cannot remember passwords anymore. Therefore, because they are mandated to use passwords that are in compliance, they do the only reasonable thing they can to comply and get their jobs done: they write the passwords down
It's not hard to keep credentials secure (Score:2)
There's a plethora of off-the-shelf password managers out there that support encryption but you can also create an easy, DIY distributed/encrypted solution with GPG, git and vim [hobo.house].
There's really no excuse to be storing sensitive credentials in office documents or spreadsheets.
Utilize KeePass with a shared database (Score:1)
False confidence (Score:2)
Three out of four IT decision makers now incorrectly believe they can prevent attackers from breaking into their internal network
There, fixed that for them.