Some system administrators just need to get fired

Sep 25, 2016 21:25 GMT

Nothing says incompetence like saving your passwords for admin and/or privileged accounts in an unencrypted Word or Excel file, which anyone can steal and open without any problems.

This is the finding of a recent CyberArk survey of 750 IT security engineers, which has discovered, once again, weak security protocols deployed at companies across the world.

The survey has uncovered that 40 percent of organizations store privileged and/or admin passwords in a Word document or spreadsheet on a company PC or laptop, and 28 percent use a shared server or USB stick.

Encryption is paramount

The problem is not where sysadmins store this data, or in what type of file, but whether encryption protects this information. A sysadmin could save passwords in a text file called all-my-admin-passwords.txt and place the file on his desktop, as long as the file is encrypted and easy access to the data is prevented.

Furthermore, malware, such as remote access trojans (RATs), is known to carry out mass scans of entire compromised computers, looking most often for Office files. Storing passwords in such a manner is downright insane and asking for trouble.

CyberArk's survey also reveals that 71 percent of respondents store privileged account information in dedicated security software. This means that many of these 750 sysadmins are using Word files as alternatives to more secure, dedicated solutions, probably because Word files are easier to carry around and access, defeating the purpose of deploying a dedicated privileged account security solution in the first place.
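As an added example (not part of the original article or of CyberArk's survey), here is one way a defender could audit a folder for Office files that are stored without password-to-open encryption. It relies on file signatures only; the function names, the sample file names and the heuristic itself are assumptions, and the sample files are constructed.

```python
import os, tempfile, zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE2 compound file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in the OLE directory

def classify(path):
    """Return how an Office-style file is stored on disk (signature heuristic)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(OLE_MAGIC):
        # A password-to-open .docx/.xlsx is wrapped in an OLE container
        # that holds an "EncryptedPackage" stream.
        if ENC_STREAM in data:
            return "encrypted-ooxml"
        return "legacy-ole-unverified"    # old .doc/.xls: needs a deeper check
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            if "[Content_Types].xml" in zf.namelist():
                return "plaintext-ooxml"  # readable by anyone who copies the file
    return "other"

def audit(root, exts=(".docx", ".xlsx", ".doc", ".xls")):
    """Walk root and classify every file with an Office extension."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                findings[name] = classify(os.path.join(dirpath, name))
    return findings

def demo():
    """Build constructed sample files in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: minimal unencrypted OOXML (a plain ZIP package).
        with zipfile.ZipFile(os.path.join(tmp, "admin-passwords.xlsx"), "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
        # Constructed sample: OLE header plus the encrypted-package stream name.
        with open(os.path.join(tmp, "vault-export.docx"), "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 504 + ENC_STREAM)
        # Constructed sample: ignored, because it has no Office extension.
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("not an Office file")
        return audit(tmp)

if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:24} {name}")
```

A "plaintext-ooxml" verdict only says the container is unencrypted; it does not say the file holds passwords, so findings still need a manual review.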

One in five companies stores passwords on paper

As if that weren't bad enough, 20 percent of respondents said their company also employs the super-advanced and super-tech practice of keeping passwords in a notebook or a filing cabinet.

This type of physical password storage procedure is what exposed the network of a Dutch mobile operator last year, as shown by security researcher Sijmen Ruwhof, who took a photo of a password written on a sticky note attached to a clerk's screen.

Weak password practices often help facilitate intrusions into sensitive systems, and companies should upgrade their operations to counter today's modern threats.