In something that feels like the 1980s, Gizmodo has published an article showing that Sony used spreadsheets to track their system passwords. Worse than that, the spreadsheet and folder names clearly contained the word “password”. According to this article on The Register, Sony’s security team numbered only 11 people and the company had been through several rounds of cost cutting in its IT staff.
It’s hard to know where to begin in describing how bad the idea of storing passwords in spreadsheets is. A spreadsheet doesn’t represent a single point of truth – people copy and share spreadsheet files, so the practice assumes that those passwords rarely, if ever, change. Without a sensible password and credential policy (and without suitable tools to enforce it), everyone who has ever opened the spreadsheet still knows the passwords, so a disgruntled or departed employee represents a serious risk of attack. Shared static passwords provide no per-user audit trail (nobody can tell who actually logged in) and tempt administrators to hard code them into scripts, further aiding attackers, who can easily sniff out embedded credentials by searching for files and lines that mention passwords.
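The search an attacker (or an auditor) runs for this kind of material is simple to automate. The script below is an added example, not part of the original post or anything Sony used: it walks a directory tree, flags files and folders whose names suggest a credential store, and greps scripts and configs for the three most common ways credentials get embedded (quoted assignments, `user:pass@` in URLs, and `-p`/`--password` on a `mysql`/`mysqldump` command line). The sample tree it scans is constructed inline, and the patterns, file suffixes and the `Winter2014!` sample password are assumptions for illustration; tune them to your own estate.

```python
import re
import tempfile
from pathlib import Path

# File or folder names that suggest a credential store (the "Password" folder case).
SUSPICIOUS_NAME = re.compile(r"(passw(or)?d|credential|creds|secret)", re.IGNORECASE)

# Ways credentials end up embedded in scripts and configs. Constructed for this
# example; extend for the tools used in your environment.
EMBEDDED_PATTERNS = [
    # password = "hunter22", api_key: 'AKIA...', token = "..."
    ("assignment", re.compile(
        r"""(?i)\b(?:pass(?:word)?|pwd|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{4,}['"]""")),
    # scheme://user:password@host
    ("url-credential", re.compile(
        r"""[a-z][a-z0-9+.-]*://[^\s/:@]+:[^\s/@]+@""", re.IGNORECASE)),
    # mysql/mysqldump with the password on the command line: -pSECRET or --password=SECRET
    ("cli-password-flag", re.compile(
        r"""\b(?:mysql|mysqldump)\b.*?\s(?:-p\S+|--password[= ]\S+)""")),
]

# Only text-like files are read; binaries and spreadsheets in XLSX form are skipped here.
SCRIPT_SUFFIXES = {".sh", ".bat", ".cmd", ".ps1", ".py", ".pl", ".rb",
                   ".cfg", ".conf", ".ini", ".txt", ".csv"}


def redact(match: str) -> str:
    """Mask the secret so the scan report does not become yet another password file."""
    match = re.sub(r"""(['"])[^'"]+\1""", r"\1***\1", match)            # quoted values
    match = re.sub(r"://([^\s/:@]+):[^\s/@]+@", r"://\1:***@", match)   # user:pass@ in URLs
    match = re.sub(r"(\s-p)\S+", r"\1***", match)                       # -pSECRET
    match = re.sub(r"(--password[= ])\S+", r"\1***", match)             # --password=SECRET
    return match


def scan_tree(root: Path) -> list:
    """Return a list of findings: {path, kind, line, match}. line is 0 for name hits."""
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if SUSPICIOUS_NAME.search(path.name):
            findings.append({"path": rel, "kind": "suspicious-name", "line": 0, "match": path.name})
        if not (path.is_file() and path.suffix.lower() in SCRIPT_SUFFIXES):
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, pattern in EMBEDDED_PATTERNS:
                m = pattern.search(line)
                if m:
                    findings.append({"path": rel, "kind": kind, "line": lineno,
                                     "match": redact(m.group(0))})
    return findings


def build_sample_tree() -> Path:
    """Constructed sample layout (not real data) resembling what the article describes."""
    root = Path(tempfile.mkdtemp(prefix="credscan-"))
    (root / "Password").mkdir()
    (root / "Password" / "Server Passwords.csv").write_text(
        "host,user,password\ndb01,root,Winter2014!\n")
    (root / "scripts").mkdir()
    (root / "scripts" / "backup.sh").write_text(
        "#!/bin/sh\n"
        "mysqldump -u backup -pWinter2014! inventory > /tmp/inv.sql\n"
        "curl https://svc:Winter2014!@files.example.internal/upload -T /tmp/inv.sql\n")
    (root / "scripts" / "deploy.py").write_text(
        "import os\n"
        'password = os.environ["DEPLOY_PASSWORD"]  # not flagged: read at runtime, not embedded\n'
        'api_key = "AKIAEXAMPLE1234567890"\n')
    (root / "README.txt").write_text("Nothing to see here.\n")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['path']}:{f['line']} [{f['kind']}] {f['match']}")
```

Run against a real file share or script repository, the name check alone would have found a folder called “Password”; the line patterns catch the hard-coded credentials the paragraph above warns about. Note that the report is redacted on purpose: a scanner that writes every secret it finds into a clear-text log recreates the original problem. The `deploy.py` line that reads the password from the environment is deliberately not flagged, which is the shape the fix should take.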
Since I started to write this post, things have declined further for Sony. The group claiming responsibility for the attack and data theft, Guardians of Peace, has now released details of celebrity aliases, and it’s being reported that Sony is fighting back with DDoS attacks of its own, allegedly using AWS, although that’s not confirmed.
The Architect’s View
Data and network security still seem to take a back seat in some organisations, with some alarming approaches to system management. Look out for security-related articles from our own Rob Lyle (Twitter @thebizarch) as we look in depth at some of the more technical aspects of protecting your network and data assets.
- Sony Kept Thousands of Passwords in a Folder Named “Password” (Gizmodo website, 4 December 2014)
Copyright (c) 2009-2014 – Chris M Evans, first published on http://blog.architecting.it, do not reproduce without permission.