40 Percent of Organizations Store Admin Passwords In Word Documents, Says Survey (esecurityplanet.com)

While the IT industry is making progress in securing information and communications systems from cyberattacks, a new survey from cybersecurity company CyberArk says several critical areas, such as privileged account security, third-party vendor access and cloud platforms are undermining them. An anonymous Slashdot reader shares with us the details of the report via eSecurity Planet: According to the results of a recent survey of 750 IT security decision makers worldwide, 40 percent of organizations store privileged and administrative passwords in a Word document or spreadsheet, while 28 percent use a shared server or USB stick. Still, the survey, sponsored by CyberArk and conducted by Vanson Bourne, also found that 55 percent of respondents said they have evolved processes for managing privileged accounts. Fully 79 percent of respondents said they have learned lessons from major cyberattacks and have taken appropriate action to improve security. Sixty-seven percent now believe their CEO and board of directors provide sound cybersecurity leadership, up from 57 percent in 2015. Three out of four IT decision makers now believe they can prevent attackers from breaking into their internal network, a huge increase from 44 percent in 2015 -- and 82 percent believe the security industry in general is making progress against cyberattackers. Still, 36 percent believe a cyberattacker is currently on their network or has been within the past 12 months, and 46 percent believe their organization was a victim of a ransomware attack over the past two years. And while 95 percent of organizations now have a cybersecurity emergency response plan, only 45 percent communicate and regularly test that plan with all IT staff. 
Sixty-eight percent of organizations cite losing customer data as one of their biggest concerns following a cyberattack, and 57 percent of organizations that store information in the cloud are not completely confident in their cloud provider's ability to protect their data.
  • by Anonymous Coward on Friday September 23, 2016 @07:51PM (#52950701)

    I have a closed system that has 2 Windows servers, sql server, 14 red hat servers and a win 7 laptop. Each has a user and admin account. Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc. that's 32 passwords to manage with 6 developers working on the system.

    • What about using LDAP linked to AD so each dev has their own login.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Yeah, I'm kind of confused about this. At some point, there's going to be a storage container for passwords, and that storage container is probably going to be a document of some sort. Now that doesn't mean the document isn't protected and encrypted, but it's still very likely going to be a simple text or doc file at the core of it.

    • Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc.

      The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be correcthorsebatterystaple0916.

      I always use "correcthorsebatterystaple" for the base of the PW because I have heard that is an extremely secure PW [xkcd.com].

      • The way that I deal with idiotic requirements like this is to append a four digit date in MMYY format to the end of the PW, and just update to the current date. So if I am required to update a PW this month, the new PW will be clownhorsepenisstaple0916.

        FTFY

    • by hcs_$reboot ( 1536101 ) on Friday September 23, 2016 @08:38PM (#52950947)
      That's not a dumb question. Organizations where people come and go, where hundreds of passwords have to be kept, need safe access to a password database. Why not an Excel or Word doc, as long as it is in a safe place and encrypted with a strong master password.
      • by Anonymous Coward

        My boss has me store the root passwords to hundreds of servers in a spreadsheet. We have to change the passwords every 60 days and we have to use randomly generated 15 character passwords. The spreadsheet (Excel) uses the standard Excel password and he has me put it on a SharePoint server. No clue who has access to the SharePoint server.

        Every time we update them he also has me print out a copy and put it in an envelope which he keeps in his desk just in case something happens to me.

        • That actually does not sound too unreasonable of a process.
          • by arth1 ( 260657 )

            That actually does not sound too unreasonable of a process.

            Except that it depends on
            1: All PCs that open the file being uncompromised.
            2: The distribution method for the file being uncompromised.
            3: The printer used to create the hard copy being uncompromised.
            4: If a network printer, no possibility of sniffing the unencrypted data going to the printer.

            Modern printers and copiers are underrated as hacking subjects. There's no limit to what people print out, and they assume that it's a very safe thing to do. Yet if I have access to a modern printer or print server

            • by NotAPK ( 4529127 )

              The easiest printer exploit is to simply take the printout from the out-tray before the hapless user arrives to collect it. I'd wager that 100% of the time they'll simply assume "something went wrong" and just return to their desk to send the job again.

              I know many printers have secure print features that don't release the job until the user arrives at the printer and enters a pin, but everywhere I've worked they have been disabled by IT for unknown reasons.

      • I've never quite understood why an encrypted spreadsheet or document is frowned upon, while a custom password manager (like KeePass) is OK.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      If you aren't interested in paying for a license, check out KeePass. If you want to be legit (i.e.: you want to pay a for commercial license and you want a multi-user solution where everyone can share) you should use something like PasswordState. Both user and group controls, excellent audit trails and tons more features.

      https://www.clickstudios.com.au/
      https://www.youtube.com/watch?v=l98qPyTcbug

      • +1 for KeePass, and KeePassX (on OSX).

        Remember one long passphrase, never remember another password ever again.

    • So the neat thing about the "no repeats" rule: when you are changing your password, the system only knows the true password of the most recent old one (since you have to type it in while resetting) and the new one you are trying - that is how it can say "new password too similar to previous one". But beyond that, all it has is a history of encrypted strings. So, simply alternate two passwords and increment a digit each time.
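An added example, not from the thread or any poster, of a history check of the shape the comment above describes: at reset time the server holds exactly two plaintexts, the current password the user just typed and the proposed one, so a "too similar" test can only be made against the current password, while older entries can only be tested for exact reuse by re-hashing the candidate with each entry's own salt. HISTORY_DEPTH, the PBKDF2 iteration count and the similarity threshold are assumed policy values.

```python
"""Password-history check with a per-entry salt (added example)."""
import hashlib
import secrets
from difflib import SequenceMatcher

HISTORY_DEPTH = 4        # keep the last N passwords (constructed policy value)
ITERATIONS = 100_000     # PBKDF2 work factor (constructed value)
SIMILARITY = 0.8         # reject candidates at least this similar (constructed value)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest of one password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordHistory:
    """Stores only (salt, digest) pairs, newest last; no plaintext is kept."""

    def __init__(self) -> None:
        self.entries: list[tuple[bytes, bytes]] = []

    def add(self, password: str) -> None:
        salt = secrets.token_bytes(16)          # fresh salt for every entry
        self.entries.append((salt, _hash(password, salt)))
        del self.entries[:-HISTORY_DEPTH]        # forget anything older than the window

    def seen_before(self, candidate: str) -> bool:
        """Exact-match test: re-hash the candidate under each stored salt."""
        return any(secrets.compare_digest(_hash(candidate, salt), digest)
                   for salt, digest in self.entries)


def too_similar(current: str, candidate: str) -> bool:
    """Plaintext-vs-plaintext comparison; only possible for the current password."""
    return SequenceMatcher(None, current, candidate).ratio() >= SIMILARITY


def change_password(history: PasswordHistory, current: str, candidate: str) -> tuple[bool, str]:
    """Apply the reset-time checks in order. Returns (accepted, reason)."""
    salt, digest = history.entries[-1]           # newest entry is the live password
    if not secrets.compare_digest(_hash(current, salt), digest):
        return False, "current password incorrect"
    if too_similar(current, candidate):
        return False, "new password too similar to the current one"
    if history.seen_before(candidate):
        return False, "new password was used recently"
    history.add(candidate)
    return True, "accepted"


if __name__ == "__main__":
    h = PasswordHistory()
    h.add("correcthorsebatterystaple0816")
    print(change_password(h, "correcthorsebatterystaple0816", "correcthorsebatterystaple0916"))
```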

      • by arth1 ( 260657 ) on Saturday September 24, 2016 @06:55AM (#52952677) Homepage Journal

        But beyond that, all it has is a history of encrypted strings.

        And if they reject the password you used before the last one, it's a strong indication that they either don't salt, or use the same salt over again.

        What gets me is the systems that have intricate requirements for the password, like it having to consist of both upper and lower case letters, and at least one digit, but no more than two, and at least one character that's neither a letter nor a digit. Don't those who create those rules know that each rule reduces the number of valid passwords for a given password length, making the hacker's life much easier? Requiring a password that doesn't fall for a single-pass crack is far superior to a password of the same length with plenty of restrictions.
        Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.

        • Holy crap; lightbulb! I've never thought of it that way. Strong restrictions always ticked me off but clearly they work opposite from their intentions.

        • by j-beda ( 85386 )

          Requiring an extra letter in the password is a much better way of ensuring strength than deliberately reducing the strength.

          I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.

          If the attacker knows that 8 characters is the minimum, then that does mean that they "save" the resources of checking the N^7 possible passwords excluded by the rule

          • by arth1 ( 260657 )

            I don't think that it is quite that simple. Requiring use of all possible characters (up/low/digits/symbols) does ensure that the search space is the largest possible, at the cost (as you point out) of giving the attacker extra knowledge of the parameters of that space - but for most cases, this results in increased difficulty for the attacker.

            That depends on what the attacker is after. If finding the first password as quickly as possible, a dictionary attack against a list with no restrictions is the way to go. But more often these days, the attacker wants either one particular account, or all accounts. For one particular account, a dictionary attack is over and done with in seconds, after which it's back to brute forcing. For all accounts, you can do the same, but the yield is lower - getting a few percent of passwords early is not as tim
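An added example, not from the thread or any poster, that puts numbers on the argument in this sub-thread: it counts, by inclusion-exclusion, how many passwords of a given length over the 94 printable ASCII characters satisfy a "one character from each class" rule, and compares that with the unrestricted space of the same length and of one extra character. The class sizes are the standard partition of printable ASCII; the rule set is a parameter, so any subset of the four classes can be required.

```python
"""Size of the password space under a composition rule (added example)."""
from itertools import combinations
from math import log2

# Printable ASCII 0x21..0x7E split into four classes (sizes sum to 94).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "symbol": 32}
ALPHABET = sum(CLASSES.values())  # 94
ALL_FOUR = ("upper", "lower", "digit", "symbol")


def count_with_required(length: int, required: tuple[str, ...] = ()) -> int:
    """Number of strings of `length` over the 94-char alphabet containing at
    least one character from every class in `required`.

    Inclusion-exclusion over which required classes are *missing*: strings
    that avoid k given classes come from a smaller alphabet, and those terms
    alternate in sign."""
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = ALPHABET - sum(CLASSES[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def strength_bits(length: int, required: tuple[str, ...] = ()) -> float:
    """log2 of the candidate space an attacker who knows the policy must cover."""
    return log2(count_with_required(length, required))


def compare_policies(length: int) -> dict[str, float]:
    """Three policies side by side: unrestricted at `length`, one-of-each-class
    at `length`, and unrestricted at `length + 1` (the 'extra letter' option)."""
    return {
        "unrestricted": strength_bits(length),
        "one_of_each_class": strength_bits(length, ALL_FOUR),
        "unrestricted_plus_one_char": strength_bits(length + 1),
    }


if __name__ == "__main__":
    for name, bits in compare_policies(8).items():
        print(f"{name:>28}: {bits:6.2f} bits")
```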

    • Ideally, there should be no "admin password". Individual people should have their own passwords, each with appropriate privileges, via groups if your organization has more than about a dozen people.

      So then we have the question of the most secure way to store your individual passwords.

      If you can still find an old-school "personal organizer" with no wifi, that provides security from network attacks. Then you need physical security to ensure the device doesn't get stolen - lock the door, lock at least one d

      • by Jack9 ( 11421 )

        When dealing with vendors, you will always have some "Admin password" for the administration account.

        > Ideally, there should be no "admin password"

        That situation is wholly irrelevant to the topic that asserts the practical problem.

      • by Anonymous Coward

        Ideally, there should be no "admin password".

        Wrong.

        Somebody has the rights to replace system software (the admin job). Using an account with such privilege for everyday work is a security risk though. A good admin uses a plain user account for surfing the web and reading his email - so if his browser/mail reader gets compromised in a clever attack, the system itself is not compromised. The account with admin rights is only used for actual system administration - not for reading mail or writing reports.

        It is a bad admin who uses a privileged account fo

        • You're right that you shouldn't log in using the admin password to read email. You also shouldn't log in to the admin account, using the admin password, in order to install software.

          People leave your organization. If you have groups of people logging to the admin account, using the admin password, the guy who got fired yesterday probably still has the admin password. It's stored on Joe Schmoe's mobile device too, which just got hacked.

          Instead, Joe should log in as Joe. The logs will show that Joe logged

    • I'm curious. 18 machines, user and admin for each, but only 32 passwords?

      As to where to store them, I like PasswordSafe myself, but there are other password managers if PasswordSafe isn't to your taste. Then I have to remember two passwords (the one for PasswordSafe & the login to one machine (the one I keep PasswordSafe on)).

      By the by, any clue when the government is going to figure out that requiring passwords to be changed every X days is a bad idea, which encourages bad (easily remembered) pass

    • Some of my passwords I easily remember. Some of the others are written down - some on a page in a diary, others in Sticky Notes in one of my Windows 10 logins.

      Part of the reason for this is the disparate password rules that some organizations FORCE on us. Password must be 8 characters, password must contain mix of lower and upper case, password must include special characters, password must start w/ a letter or number but not a special character, and so on. As a result, some of the passwords I would ha

    • I have a closed system that has 2 Windows servers, sql server, 14 red hat servers and a win 7 laptop. Each has a user and admin account. Each has strict DoD based password criteria including expiring every 60 days, no repeats, etc. that's 32 passwords to manage with 6 developers working on the system.

      In one of my past jobs, we were required to update our passwords every 90 days. And we'd get warned about it on day 60, and we couldn't use any of our last 4 passwords or so

      My way around it - pick a base password - since it was at work, which I might have to share w/ colleagues, depending on the situation, I picked the company name spelled out w/ special characters, odd capitalization and so on, and then appended to the end numbers from 0-9. After p@s$w0Rd9 was complete, I'd revert it to p@s$w0Rd0 and

    • Active Directory, with PKI and Kerberos (there's PAM modules that'll do the heavy lifting here). Consider a proper password management system, like LastPass, or if compliance won't let you use the "cloud", I'm told Bruce Schneier's open source one's pretty good.

      Couple that with a policy that enforces good password hygiene (i.e. randomly generated LastPass passwords) and you might have a fighting chance of keeping your stuff safe-ish

  • by jargonburn ( 1950578 ) on Friday September 23, 2016 @07:52PM (#52950713)
    Well, at least they're not stored in plain text.
    *puts on a pair of sunglasses*
    • mine is
      *puts it on usb stick, deletes from ~/Docs*
      this is a big hint to start using KeePassX

    • That was intended as a two-part joke about how Word files are saved.
      First:
      - .doc: a binary output file, read somewhere it was some kind of memory dump from within Word. Definitely not "plain-text"
      - .docx: a zipped collection of XML files describing the document and contents. Not quite plain-text.

      Second:
      I've seen a few of those documents entirely formatted in bold and/or italics. So, not "plain" text.

      Coins in the hat, tomatoes in the face, please!
  • Just remember... (Score:5, Interesting)

    by xlsior ( 524145 ) on Friday September 23, 2016 @07:56PM (#52950737)
    ...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character.

    /It's so secure even YOU won't know your passwords!
    • It tells you what your passwords should be.
    • by phorm ( 591458 )

      Autocorrect is more of a pain than it's worth sometimes. I had similar issues with a spreadsheet where I was listing ports. It kept thinking I was making a number and removing my commas

      e.g. 80,443 would just become 80443

      • by Knuckles ( 8964 )

        That's not autocorrect, that's cell format. Learn to use/change it, it's Excel 101
        (And autocorrect can be turned off as well)

        • by phorm ( 591458 )

          I'd assume that a text formatted cell shouldn't be doing that, yet it was.

          • by Knuckles ( 8964 )

            I'd assume that a text formatted cell shouldn't be doing that, yet it was.

            I see, then my first reply was premature, because I had not seen it doing this all my life. I tried it today with Excel 2003, 2007, 2010, 2013, 2016. In no instance did it do what you wrote, i.e., remove the comma in a text-formatted box, and the default autocorrect rules don't have any rule that looks like it would do this, either. So I guess maybe you experienced a bug that has been fixed, you had some weird custom autocorrect rule enabled, or it may have had something to do with unusual region settin

    • by 4im ( 181450 )

      ...Word and excel will 'auto-correct' anything that starts with two capital letters and de-capitalize the second character. /It's so secure even YOU won't know your passwords!

      Also, leaking of metadata, version tracking etc.

      It can be done, if everyone touching the file knows exactly what they are doing, but Murphy's Law applies. An office suite just is not the best tool for this job.

  • writes it on the wall.

  • by Anonymous Coward

    I store them in a txt file in Google drive.
    gpg2 --symmetric --output passwords.txt.safe passwords.txt
    gpg2 --decrypt --output passwords.txt passwords.txt.safe

    And memorise a crazy hard password which also assists me in solving a parity error on the Rubik's Cube Revenge with a small variation.

    • In highschool I had some variation of this [wikimedia.org] (from here [wikipedia.org]) memorized as a number and would convert it to binary before every damn physics/math/trigonometry test.
      Don't forget to 'shred -u' your files after doing that. nothing is safe.
  • by hcs_$reboot ( 1536101 ) on Friday September 23, 2016 @08:05PM (#52950791)
    but the word doc is securely protected with a password.
  • LibreOffice! Or are Post-It_Notes better? LOL!!!
  • by 140Mandak262Jamuna ( 970587 ) on Friday September 23, 2016 @08:25PM (#52950897) Journal
    We had the most incompetent sysadmin I had seen when our company was in its infancy. Slacked off most of the time. So he convinced the receptionist to step in and fix urgent things like printer queue issues and restarting the print server etc. How? Below the large monthly planner she had on the front desk was a whole bunch of post-it notes. Each note started with the su password and then some commands. About 10 or 15 of them. Worst. Sysadmin. Ever.
  • Excel is much better for storing passwords.
    • That reminds me of an older Office version where the password algorithm was so dumb a Linux tool just needed a '-p' option to decode it instantly.
  • by whoever57 ( 658626 ) on Friday September 23, 2016 @08:31PM (#52950915) Journal

    Hah! We are so much better. We don't use Word to store passwords.

    We use LibreOffice!

  • Old School (Score:5, Interesting)

    by rtb61 ( 674572 ) on Friday September 23, 2016 @08:32PM (#52950917) Homepage

    Keep passwords safe. Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, buy a 1 ton safe, stick piece of paper in safe, lock safe. Whilst they, and I mean they, plural (a 1 ton safe is a 1 ton safe for a reason), can drive to your offices and steal that safe, it is kind of hard to not notice it missing and to be able to re-secure your system again.

    The problem with securing computers with computers is you can no longer see them breaking in successfully, sure you can see the lame failures, but not the skilled success until it is way too late. https://www.theguardian.com/wo... [theguardian.com], https://www.theguardian.com/wo... [theguardian.com]. Computers are shit at security because you can not see what is going on and there are just so, so many ways to hack it and all from safe remote locations, hacking a safe, up close and personal and extreme risk, it is just the way it is.

    They used to produce computers with hard wired switches to prevent firmware being overwritten, no direct access, physically impossible to hack remotely, hard wired switches to shut down wireless network cards, switch off, no power to that card whatsoever. So your core data server should have a hard wired switch to prevent writing to it, except when authorised and with direct personal access (to hack you have to write to read).

    • Buy a typewriter, get a sheet of paper from your networked printer, insert in typewriter, type out passwords, ...

      Typewriter? Um, the passwords can be recovered from the ink ribbon. Why not just use a pen?

      • by Cyberax ( 705495 )
        Perhaps grandparent can't write? (I thought that it's impossible but there are people out there who can't handwrite but can type easily)
    • Computers are shit at security because you can not see what is going on...

      Uh, what? Yes you can. I very regularly punch the button that says "add this asshat's IP to the firewall drop rules" because I can see the pathetic script kiddie attempting to brute force the password on the SSH server for the Administrator account and it annoys me. Are they going to get in? No, my system is not at risk. There is no Administrator account. So do I really need to start dropping all packets from this assclown? Not really, no. But my monitoring systems are lit up, and that's just obnoxi

      • by rtb61 ( 674572 )

        Dude you can not see what is going on at all, all you see is the mud monkey output and when it comes to shifting those bits and bytes and words (not words words but words) https://en.wikipedia.org/wiki/Word_(computer_architecture), you have no idea at all what is going on, no one does, you just 'assume' it is doing what the screen claims it is doing and the computer is doing way, way more, than just output to a video screen. Once you dabble in computer security, you really start to understand what a mindles

    • After you've put all your passwords in the 1 ton safe, where do you put the combination for the safe?

  • Remember that 40% counts IT admins that ask Reddit for advice. Every deadbeat coworker that has survived by kissing ass or nepotism.

    And that's nothing unique to IT. It's like that in everywhere I've worked.

  • Just like the ancient old days, my admin passwords are 'password'. Why change them when we get new systems? It makes it harder for the vendor to correct issues.

  • Every office stores passwords on Post-It(tm) notes stuck to the bottom of their keyboards. Completely hacker-proof!
  • It's not like we haven't had 1Password, LastPass, and Password Safe for at least the past decade.

    What year is this? Seriously, man, what decade is this?

    • by Anonymous Coward

      My firm prohibits the use of password manager software, presumably because they're worried someone might crack the encrypted database and get all my passwords, and think storing stuff in plain sight on post-its is more secure. And I suppose in one sense that's true: no one can remotely access that post-it. But suborn the housekeeping staff and I guarantee you would harvest quite a few passwords.

  • You have to keep passwords written somewhere because stupid sysadmins have such insane password rules and retention times that no-one could possibly remember them. In theory Word documents are at least better than post-its because they COULD have some access control.

    The tighter you squeeze, sysadmins, the more systems will slip through your fingers.

    • I might possibly remember a password with insane password rules and retention times. But, I can't remember 100 such passwords.

  • I thought that was the problem it was supposed to solve, namely there were no 'root' accounts but a list of trusted users.

  • This type of article gets posted on slashdot every few months and the answer is the same: password security is lame.

    With the password security requirements evolving due to things like sophisticated distributed computing brute force cracking, it has arrived at the point where people literally cannot remember passwords anymore. Therefore, because they are mandated to use passwords that are in compliance they do the only reasonable thing they can to comply to get their jobs done, they write the passwords down

  • There's a plethora of off-the-shelf password managers out there that support encryption but you can also create an easy, DIY distributed/encrypted solution with GPG, git and vim [hobo.house].

    There's really no excuse to be storing sensitive credentials in office documents or spreadsheets.

  • Another 40% store them on Google docs.
  • Word documents? What kind of loser sysadmin uses Word? Everyone knows that machine databases get maintained in an Excel file on a network share.
  • Three out of four IT decision makers now incorrectly believe they can prevent attackers from breaking into their internal network

    There, fixed that for them.
