January 5, 2023

The Infamous Excel Password File - WST

If you’ve been in the IT world as long as we have, you will remember a time when storing passwords in an Excel spreadsheet was not only the norm, but also considered relatively safe when combined with NTFS permissions or a password on the Excel file itself. Those days are long gone, but I’m afraid we still occasionally find these legacy (or active!) Excel files containing the keys to the kingdom during our audits.

I would typically dive into the associated risks, but in this case they are quite apparent. So instead, let's focus on remediation. The first step is to identify these rogue files, which often appear in orphaned file server shares. One cost-effective option in a Microsoft environment is to simply search for the culprits. If this task were on my plate, I would start with wildcard searches across the file server(s) using the keywords *password*, *.xls, and *.xlsx. These searches should be performed with a user account granted the broadest permissions (e.g., Domain Admin group membership) so that the entire server and all associated shares are covered. Repeat this process across all known repositories, from the past through the present.

Now that you have identified the targets for deletion, you may want to hold off on deleting the files right away. By right-clicking a file and selecting Properties > Details, you can see who the original author was, who last saved the file, and the associated dates and times. If the file is older than the cotton gin and shows no recent usage, you can likely purge it without repercussion. If not, it's always best to check with department leaders on usage and begin immediate discussions on transitioning to a more sophisticated solution.
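As an added example (not code from the original post), here is the share search and the metadata check above combined into one PowerShell inventory script, so the author, last-saved-by, owner and last-write details are collected for every candidate file before anyone decides to delete it. The share paths and the three-year staleness threshold are placeholders, and the author fields for .xlsx files are read from the docProps/core.xml part inside the file (legacy binary .xls files get only the NTFS owner and timestamp).

```powershell
# Added example, not from the original post: inventory candidate password spreadsheets
# on file shares and report authorship metadata before any deletion decision is made.
# Assumptions: the share paths and staleness threshold below are placeholders; run the
# script under an account with read access to every share (the post recommends
# Domain Admin-level coverage so nothing is missed).
Add-Type -AssemblyName System.IO.Compression.FileSystem

$SearchRoots = @('\\FILESERVER01\Shares', '\\FILESERVER02\Departments')  # placeholders
$StaleAfter  = (Get-Date).AddYears(-3)   # assumed "stale" threshold; adjust to policy

function Get-OoxmlCoreProps {
    # An .xlsx is a zip package; docProps/core.xml carries dc:creator and cp:lastModifiedBy.
    param([string]$Path)
    $props = @{ Author = $null; LastSavedBy = $null }
    $zip = $null
    try {
        $zip   = [System.IO.Compression.ZipFile]::OpenRead($Path)
        $entry = $zip.GetEntry('docProps/core.xml')
        if ($entry) {
            $reader = New-Object System.IO.StreamReader($entry.Open())
            [xml]$core = $reader.ReadToEnd()
            $reader.Dispose()
            $props.Author      = $core.coreProperties.creator
            $props.LastSavedBy = $core.coreProperties.lastModifiedBy
        }
    } catch {
        # Binary .xls or an unreadable file: leave the Office metadata blank.
    } finally {
        if ($zip) { $zip.Dispose() }
    }
    return $props
}

$report = foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include '*password*.xls', '*password*.xlsx' `
                  -ErrorAction SilentlyContinue |
      ForEach-Object {
        $meta = Get-OoxmlCoreProps -Path $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            NtfsOwner     = (Get-Acl -LiteralPath $_.FullName).Owner
            LastWriteTime = $_.LastWriteTime
            Author        = $meta.Author
            LastSavedBy   = $meta.LastSavedBy
            Stale         = ($_.LastWriteTime -lt $StaleAfter)
        }
      }
}
# Full inventory to CSV for the audit record; recently touched files listed for follow-up.
$report | Sort-Object LastWriteTime | Export-Csv -Path .\password-spreadsheets.csv -NoTypeInformation
$report | Where-Object { -not $_.Stale } | Format-Table Path, LastSavedBy, LastWriteTime -AutoSize
```

Files flagged as not stale are the ones to raise with department leaders before removal; the CSV gives you the evidence trail for the audit.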

Alternative solutions are plentiful these days, and typically range from freeware to sophisticated enterprise-grade software. A quick Internet search for password managers should be a helpful start. A password manager is an encrypted digital vault that stores the login information you use to access websites, applications, and other services requiring a password. They can be used for both personal and professional account storage, with separate accounts set up for each to avoid overlap and confusion.

Here are some benefits of using a password manager:

  1. Ensures only authorized individuals have access to passwords/passphrases
  2. Generates random passwords, so that each site gets its own unique password, and makes changing passwords easy
  3. Provides quick and simple access to multiple accounts, with browser extension support
  4. Allows passwords to be shared securely with trusted coworkers through joint accounts
  5. Encourages the use of stronger passwords/passphrases

Though I will refrain from choosing favorites, considerations should include a thorough vendor review, strength of authentication method (e.g., multi-factor authentication capabilities), and whether the solution is cloud-based or not. Proper due diligence and the ability to demo many of these solutions should help you determine the best fit for your environment.

Authored by: Benjamin Caruso, CBISO
