Sony has been in the news all week after its corporate servers were comprehensively hacked. But it’s hard to give the electronics giant a pass mark for security when it turns out that staff were storing passwords in unencrypted files with names like ‘Master Password List’.
Picture: sebi ryffel
Gawker reports that a folder of files called ‘Passwords’ that was distributed by whoever was behind the attack includes multiple files where password lists were stored without any kind of protection whatsoever. The passwords cover everything from YouTube logins to corporate credit card access.
So much of IT security is about the basics. Keeping an open list of passwords that anyone on the network can read is simply bad practice. If you must keep a password list, encrypt it. Change passwords regularly. Don’t make them predictable. Don’t reuse the same password everywhere. Clearly, these things can’t be said often enough.
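The advice above is easiest to act on if you can first find where plaintext password lists already live. As an added example (not code from the original post, from Gawker or from Sony), the following Python script walks a directory the way an administrator might sweep a shared drive, flagging files whose names or contents look like credential lists. Every file name and "password" value it creates under `build_sample_share()` is constructed for the demonstration; the name and content patterns are assumptions about what such lists typically look like, not anything taken from the leaked files.

```python
"""Scan a shared-drive directory tree for plaintext credential lists.

Added example, not code from the original post or from Sony: it shows how a
defender can find files like 'Master_Password_Sheet' before an attacker does.
Every file name and 'password' value created by build_sample_share() is
constructed for the demonstration and is not a real credential.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# File names that suggest a credential list (a folder called 'Passwords' or a
# file called 'Master Password List' would both match). Assumed patterns.
NAME_PATTERN = re.compile(r"password|passwd|pwd|credential", re.IGNORECASE)

# Lines of the form 'label: value' or 'label = value' whose label mentions a
# password. Anchored per line, so prose like 'reset the password for X' is
# ignored. [ \t]* (not \s*) keeps a match from spilling onto the next line.
CONTENT_PATTERN = re.compile(
    r"^[^:=\n]*(?:password|passwd|pwd|secret)[^:=\n]*[:=][ \t]*\S+",
    re.IGNORECASE | re.MULTILINE,
)

# Only plain-text formats are inspected; spreadsheets and encrypted vaults
# (e.g. .xlsx, .kdbx) would need their own parsers, so they are skipped here.
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".ini", ".conf", ".cfg", ".log", ""}


@dataclass
class Finding:
    relpath: str
    reason: str   # "name+content", "content" or "name"
    matches: int  # credential-looking lines found


def count_credential_lines(path: str) -> int:
    """Return the number of lines that carry a password-style key/value pair."""
    if os.path.splitext(path)[1].lower() not in TEXT_EXTENSIONS:
        return 0
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return len(CONTENT_PATTERN.findall(fh.read()))
    except OSError:
        return 0


def scan_file(root: str, path: str) -> Optional[Finding]:
    """Classify one file; None means nothing suspicious was seen."""
    name_hit = NAME_PATTERN.search(os.path.basename(path)) is not None
    matches = count_credential_lines(path)
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    if matches and name_hit:
        return Finding(rel, "name+content", matches)
    if matches:
        return Finding(rel, "content", matches)
    if name_hit:
        return Finding(rel, "name", 0)  # suspicious name only; review by hand
    return None


def scan_tree(root: str) -> List[Finding]:
    """Walk the share and return findings sorted by relative path."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            hit = scan_file(root, os.path.join(dirpath, fname))
            if hit:
                findings.append(hit)
    return sorted(findings, key=lambda f: f.relpath)


def build_sample_share(root: str) -> None:
    """Create a constructed miniature 'shared drive' to scan."""
    files = {
        "finance/Master_Password_Sheet.txt": (
            "YouTube\n  user: corp_channel\n  password: constructed-1\n"
            "Card portal\n  login: finance01\n  pwd = constructed-2\n"
        ),
        "it/server_inventory.txt": (
            "host: build01\nroot pwd: constructed-3\n"
            "host: db01\nroot pwd: constructed-4\n"
        ),
        "hr/Password Policy.txt": "Passwords must be at least 12 characters long.\n",
        "marketing/meeting_notes.txt": "Remember to reset the password for the build box.\n",
    }
    for rel, text in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
    # An encrypted vault is where these belong; it is skipped as a non-text file.
    with open(os.path.join(root, "finance", "vault.kdbx"), "wb") as fh:
        fh.write(b"\x00\x01constructed-binary-placeholder")


def demo() -> Dict[str, Tuple[str, int]]:
    """Build the sample share, scan it and return {relpath: (reason, matches)}."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return {f.relpath: (f.reason, f.matches) for f in scan_tree(root)}


if __name__ == "__main__":
    for path, (reason, matches) in demo().items():
        print(f"{reason:13s} {matches:2d}  {path}")
```

Run against a real share, `scan_tree()` is the only function needed; "name+content" hits are the ones to move into an encrypted vault first, "content" hits are lists hiding under innocent names, and "name" hits (a policy document, say) are usually false positives that still merit a glance.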
Sony’s Top-Secret Password Lists Have Names like Master_Password_Sheet [Gawker]
Comments
3 responses to “The Sony Lesson: Don’t Store Passwords In A Text File Called ‘Passwords’”
Amazingly lax! I’d have thought that the operating paradigm for any sensitive (commercial or otherwise) system is that the world can see it, so ensure that it is secure at every step. So, inside Sony, I’d have thought that access to master password lists would be via a two factor authentication process at least, so that even with a password, a hacker would get nowhere fast.
Why would a company open its reputation, and possibly its survival to the slack practices that we regularly hear of?
The answer to your question is quite simple: people are stupid and lazy.
You’d think so, but you’d be wrong.
I worked for a number of large corporations and they all stored passwords in an Excel spreadsheet on a shared drive.
One of them even had a whole business unit dedicated to IT security; still, Excel spreadsheet on a shared drive.