The Infamous Excel Password File - WST

If you’ve been in the IT world as long as we have, you will remember a time when storing passwords in an Excel spreadsheet was not only the norm, but also considered relatively safe when combined with NTFS permissions or a password on the Excel file itself. Those days are long gone, but I’m afraid we still occasionally find these legacy (or active!) Excel files containing the keys to the kingdom during our audits .

I would typically dive into associated risks, but in this case the risks are quite apparent. So instead, let’s focus on remediation. The first step is to identify these rogue files, which often appear in orphaned file server shares. One cost-effective option in a Microsoft environment is to simply search for the culprits. If this task was on my plate, I would start with wildcard searches across the file server(s) including keywords *password*, *.xls, and *.xlsx. These searches should be performed with a user account granted the most permissions (e.g., Domain Admin group membership) to effectively cover the entire server and all associated shares. Repeat this process across all known repositories from the past through the present.

Now that you have identified the targets for deletion, you may want to hold back on deleting the files right away. By right-clicking them and selecting Properties-->Details, you can see who the original author was, the person who last saved the file, and associated dates and times. If the file is older than the cotton gin without recent usage, then you can likely purge without repercussion. If not, it’s always best to check with department leaders on usage and begin immediate discussions on transitioning to a more sophisticated solution.

Alternative solutions are plentiful these days, and typically range from freeware to sophisticated enterprise-grade software. A quick Internet search for password managers should be a helpful start. A password manager is an encrypted digital vault that stores secure login information you use to access websites, applications, and other services requiring a password. They can be used for both personal and professional account storage, with even different accounts set up to avoid overlap and confusion.

Here are some benefits of using a password manager:

Though I will refrain from choosing favorites, considerations should include a thorough vendor review, strength of authentication method (e.g., multi-factor authentication capabilities), and whether the solution is cloud-based or not. Proper due diligence and the ability to demo many of these solutions should help you determine the best fit for your environment.

Authored by: Benjamin Caruso, CBISO