Nothing says incompetence like saving the passwords for admin and/or privileged accounts in an unencrypted Word or Excel file, which anyone can steal and open without any trouble.
This is the finding of a recent survey of 750 IT security engineers carried out by CyberArk, which has once again uncovered weak security practices at companies across the world.
The survey has uncovered that 40 percent of organizations store privileged and/or admin passwords in a Word document or spreadsheet on a company PC or laptop, and 28 percent use a shared server or USB stick.
The problem is not where sysadmins store this data, or in what type of file, but whether encryption protects this information. A sysadmin could save passwords in a text file called all-my-admin-passwords.txt and place the file on their desktop, as long as the file is encrypted and easy access to the data is prevented.
Furthermore, malware such as remote access trojans (RATs) is known to carry out mass scans of entire compromised computers, most often looking for Office files. Storing passwords in such a manner is downright insane and asking for trouble.
CyberArk’s survey also reveals that 71 percent of respondents store privileged account information in dedicated security software. This means that many of these 750 sysadmins are keeping Word files in parallel with more secure, dedicated solutions, probably because Word files are easier to carry around and access, defeating the purpose of deploying a dedicated privileged account security solution in the first place.
If that wasn’t bad enough, 20 percent of respondents said their company also employs the super-advanced and super-tech practice of keeping passwords in a notebook or a filing cabinet.
This type of physical password storage is what exposed the network of a Dutch mobile operator last year, as shown by security researcher Sijmen Ruwhof, who took a photo of a password written on a sticky note attached to a clerk’s screen.
Weak password practices often facilitate intrusions into sensitive systems, and companies should upgrade their operations to counter today’s threats.