r/sysadmin • u/rinpoce • Jul 10 '24
Admin says they require user passwords and store them all in a spreadsheet Question
Wife joined a small team (education org) who all collaborate using private and shared laptops with local accounts only. For work they all use Microsoft365 with online versions of the Office Apps. An external guy is managing this environment of around 15 users and while onboarding new users he requests they share their password with him for onboarding purposes, and to "test if everything works". It was explained that the passwords are stored in a spreadsheet together with all other users passwords in case the admin needs to change something or login to their accounts if they quit or die, etc. Apparently this is a requirement by the management, and there are other non-admin users with access to this spreadsheet. What is your take on this? What's the point in having a password if it's not private? Can't the admin do everything without direct knowledge of the users passwords? Isn't this a huge security risk?
718
u/Drew707 Data | Systems | Processes Jul 10 '24
I've worked in some janky-ass environments and have never come close to this level of fuckery.
175
u/ofnuts Jul 10 '24
I worked as a contractor in a software development project where on customer demand all the developers (about 20) shared a common id/pwd to the source code repository.
When someone entered an invalid pwd (good ol' CapsLock) three times, the pwd was invalidated for everybody and had to be changed. But of course, unaware people mistakenly using the old pwd would cause the new one to be invalidated. So the project entered a password crisis every two weeks.
And of course, this being developers, the id/pwd were used in scripts, so running a monthly backup script could generate a new round...
127
u/roguetroll hack-of-all-trades Jul 10 '24
Requiring everyone to use the same account for a source code repository negates half of the reason you’d have one in the first place
63
u/OldHandAtThis Jul 10 '24
In these cases it is an end run around licensing, as it was contractors only, rather than security.
10
u/Gadgetskopf Jul 10 '24
My spouse was complaining one day about how at their job, the Adobe software started complaining about not being licensed and asking for the key, and the "IT guy" had to come around to each machine individually to "install the registration certificate".
I suggested the next time that "IT guy" gave guff, the response should mention how he was initially unavailable, so they called Adobe who couldn't seem to find a legitimate license on the books. Since there's no way someone in a professional capacity could POSSIBLY be pirating the software, they took down all the pertinent company management contact info to contact when it's located.
7
u/Geno0wl Database Admin Jul 10 '24
I mean the real questions I have are
a) Does anybody else other than this IT guy know about this?
b) How much do you actually like your job?
If you think the IT guy is a lone wolf who is solo doing this, then going to management should be your first step.
If you actually like your job then I wouldn't make veiled threats like that. Because you never know how the bosses are gonna take it and might mark you as "not being a team player"...
If you hate your job then I wouldn't pussyfoot around with threats but would just report it outright (anonymously).
16
u/Genoblade1394 Jul 10 '24
Holy mother of god that is a nightmare
8
u/ofnuts Jul 10 '24
It was. And that was only one problem in probably the most dysfunctional project I have ever worked on (and I've seen quite a few).
6
u/tofu_ink Jul 10 '24
That's awful, this may or may not 1-up it. Recently where I work was acquired by another company. I was asked to work on one of the acquiring company's servers. When I asked about how I was supposed to log into the server, I was given a shared private key file.... and it hasn't been changed for years. I melted inside.
33
u/jfoust2 Jul 10 '24
All true janky-ass environments have everyone logging in as the same domain admin user, duh.
20
u/Erok2112 Jul 10 '24
Or - real life situation I cleaned up - just make everyone a domain admin "because it's easier" but also make sure to enable internet sharing through the DC.
6
u/Efficient_Will5192 Jul 10 '24
First company I worked with after covid, I learned very quickly that when they panicked and sent everybody to WFH with laptops, they gave every user a local admin password.
Boy were people pissed that the new guy was taking it away.
5
u/ConcernedCitizen1912 Jul 10 '24
The l33t jenky environments do that and don't just use "admin" or "Password1"--they use "P@ssword1" or "Fall202X!" (whatever season/year it currently is). That's how they secure all the cybers.
3
u/redmage753 Jul 10 '24
Password1 - it's what they were taught to use in school, right??? XD all the (learning) tools had it!
3
u/Freakishly_Tall Jul 10 '24
I have first hand knowledge of a regionally well-known mid-size organization doing that...
... with admin / [ blank ] .
And I am sure I'm not the only one!
5
u/chaosgirl93 Jul 10 '24
I have seen some terrible IT practices in organisations I've had no real ability to leave or to even complain let alone fix it.
But never anything this bad!
3
u/Freakishly_Tall Jul 10 '24
It was... pretty impressive.
And, no surprise, there was MUCH anger and gnashing of teeth at the effort to fix it.
Good times.
15
u/TotallyNotIT IT Manager Jul 10 '24
I've seen two that were equally this bad throughout my consulting career, but only these two.
In one of them, the "admin" had everyone's password in a spreadsheet on her desktop. In the other, they just decided that everyone needed to have the same awful password and no one was allowed to change it.
17
u/petrichorax Do Complete Work Jul 10 '24
sounds like somebody hasn't checked their outlook notes yet :P
29
u/kirashi3 Cynical Analyst III Jul 10 '24
sounds like somebody hasn't checked their outlook notes yet :P
I checked mine, but all I see is "hunter2" written over and over...
11
u/bofh What was your username again? Jul 10 '24
I checked mine, but all I see is "*******" written over and over...
Same actually. How odd.
8
u/gochomoe Jul 10 '24
my first IT job the server root account was "toor" and the password was literally ******** (8 asterisks). The previous guy thought it was really clever. Then at some point we realized someone else thought it was funny too and started using our server to serve porn.
13
u/IJustLoggedInToSay- Jul 10 '24
education org
That's why. Education as an industry is thirty years behind in their own field. Not much hope that they'd have their IT security shit together.
3
u/chaosgirl93 Jul 10 '24
I suspect the reason schools use Chromebooks is because they're a shortcut for at least some of the facility IT security.
6
u/Mr_ToDo Jul 10 '24
I've seen that setup sans the non-admin access. Well with the password to the spreadsheet, plenty of people could get to the file.
They were a unique group who tended to stay with whatever solution they first adopted unless change was forced, and since that attitude was top down things didn't really change very much.
But I also found out much later that they thought because it was password protected that anybody would need that password to delete it too. Thinking about it they never did go ahead with fixing that.
5
u/dark_frog Jul 10 '24
I played a web game in the aughts where one of the password requirements was that it couldn't be the same as anyone else's. If someone gave you permission to access their account (it was real time, so account sharing wasn't uncommon) you would log on using their username with your password. 👀
3
u/ibanez450 Sr. Systems Engineer Jul 10 '24
How about a single shared VPN account by all vendors that also happened to be in the Domain Admins group?
88
u/Suaveman01 Lead Project Engineer Jul 10 '24 edited Jul 10 '24
This guy either has no idea what he is doing, or he's very dodgy. Either way, this is extremely bad practice.
241
u/strongest_nerd Security Admin Jul 10 '24
Yes, massive security risk. No one should know your password but you. Administrators do not require passwords to gain access to your account, they can simply use their admin privileges. There is no accountability with a spreadsheet like that, especially if multiple people have access to it. External guy sounds like someone's brother/uncle who 'knows computers' is managing shit.
21
u/Knotebrett Jul 10 '24
Speaking of this. Is there a way to impersonate someone during onboarding for instance Azure AD on Windows OOBE, so that you as "admin" actually are onboarding "charles@contoso.com" on his new laptop without knowing his password? So that you can finalize his out of box experience into just starting working?
73
u/dubinception Jul 10 '24
Wouldn't you just set the user's password in AD, login as said user, configure the device as you/user want, then set AD to require a password change after the next login?
21
Jul 10 '24
Maybe not the most elegant way but that’s what we do and seems to be secure enough and work well.
16
u/Wolfram_And_Hart Jul 10 '24
All of our clients are assigned a “new guy password” that we store in ITG and they are forced to change it and set up MFA at the same time.
3
u/gnadenlos Jack of All Trades Jul 10 '24 edited Jul 10 '24
And how do you handle it, if it's an existing user that wants to use his old notebook while you set up the new one? For M365 you can create one-time-access-codes, but for local accounts it's not that easy. Using "one-time-access-codes" would also give the admin access to everything - not that much better than asking the user for the password and making him set a new one later.
5
u/KnowledgeTransfer23 Jul 10 '24
User sets up his new notebook, anything that isn't automated via policy in the first place. I'll sit right at their side and have them log in, connect Outlook, etc.
20
u/MindErection Jul 10 '24
You either use ZTD/autopilot or just sign in, do your shit, and reset the PW before they start (way manual)
17
u/SupportRamen Jul 10 '24
Temporary Access Pass (TAP) in combination with Web Sign In can be used for this purpose.
TAP will allow you to login during OOBE as the user, when enabling Web Sign In (Intune Settings Catalog) you can also use this mechanism on the sign in screen.
13
u/ReputationNo8889 Jul 10 '24
It's called TAP, it's a temporary password that can be used to skip a password requirement and onboard a device as a user. BUT you should not do this if you have any kind of Management (like Intune). Get your users into the habit of enrolling their own devices and you will be much happier.
6
u/Thoth74 Jul 10 '24
Get your users into the habit of enrolling their own devices and you will be much happier.
LOL. Wouldn't that be the best? Users being expected to do anything other than their explicitly defined job duties, none of which include anything "computery"?
If I had a dollar for every time I heard "but I'm not a computer person!" from a user and then another dollar for every time management supported their position, I'd have retired before 40.
3
u/ReputationNo8889 Jul 10 '24
I totally get your position. I'm in the same boat, you know. But it is possible. Most users already set up their own phones/PCs; with things like "Autopilot" they basically are only required to sign in with their email. (This should be the minimum if you get a PC.) From experience the "not computery" person can magically create Excel files with tons of macros and business logic + custom data integration, if required. For most it's a "get out of jail free" card, if you ask them to do something on a device they don't want to/don't know how.
12
u/PunDave Jul 10 '24
I can't remember the name but Entra Id does have a temporary password feature for this sort of thing
8
u/fatalicus Sysadmin Jul 10 '24
A function to create temporary passwords to gain access to an account, like some kind of Temporary Access Pass?
5
u/_keyboardDredger Jul 10 '24
Entra’s Temporary Access Pass - intended for initial auth to configure strong authentication methods, but works just as well for the initial login if Web-Sign-In is configured for the user/org in Intune.
5
u/devloz1996 Jul 10 '24
Yes, you can TAP yourself into virtually everything. For Windows Sign-In, you need to enable this:
https://learn.microsoft.com/en-us/windows/security/identity-protection/web-sign-in/?tabs=intune
If you need it before CSP kicks in, push this:
[HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Authentication] EnableWebSignIn DWORD 1
45
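An added example (not from this thread or any commenter) of the TAP-based onboarding described above, using the Microsoft Graph PowerShell SDK. It assumes the tenant's authentication methods policy already allows Temporary Access Pass, that the signed-in admin holds a role permitted to manage users' authentication methods, and that the UPN and the two helper functions are placeholders of mine.

```powershell
# Added example, not code from the thread. Issues a single-use Temporary Access Pass
# so an admin can finish OOBE / Web Sign-In as the user without ever holding a
# password the user will keep. Assumes: Microsoft.Graph SDK installed, TAP enabled
# in the tenant's authentication methods policy, and an admin role that may manage
# users' authentication methods. The UPN below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "UserAuthenticationMethod.ReadWrite.All"

# Hypothetical helper: removes any stale TAP (a user may hold only one at a time),
# then creates a fresh one that burns after a single sign-in.
function New-OnboardingTap {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [ValidateRange(10, 43200)] [int] $Minutes = 60   # documented TAP lifetime range
    )
    Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName |
        ForEach-Object {
            Remove-MgUserAuthenticationTemporaryAccessPassMethod `
                -UserId $UserPrincipalName -TemporaryAccessPassAuthenticationMethodId $_.Id
        }

    $body = @{
        isUsableOnce      = $true      # one sign-in only: nothing reusable ends up in a spreadsheet
        lifetimeInMinutes = $Minutes   # short window bounds the exposure if the pass is overheard
    }
    New-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName -BodyParameter $body
}

# Hypothetical helper: after device setup, confirm the pass is spent and clean it up.
function Confirm-TapConsumed {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $remaining = @(Get-MgUserAuthenticationTemporaryAccessPassMethod -UserId $UserPrincipalName)
    foreach ($tap in $remaining) {
        if ($tap.IsUsable) {
            Write-Warning "$UserPrincipalName still has a live TAP ($($tap.MethodUsabilityReason)); revoking it."
        }
        Remove-MgUserAuthenticationTemporaryAccessPassMethod `
            -UserId $UserPrincipalName -TemporaryAccessPassAuthenticationMethodId $tap.Id
    }
    # $true when nothing usable was left behind after onboarding
    return -not ($remaining | Where-Object IsUsable)
}

$upn = "charles@contoso.com"   # placeholder taken from the question above
$tap = New-OnboardingTap -UserPrincipalName $upn -Minutes 60
# The pass value is only ever returned here; it cannot be read back later, so it is
# typed straight into the device and not written anywhere.
Write-Host "TAP for $upn (single use, $($tap.LifetimeInMinutes) min): $($tap.TemporaryAccessPass)"

# ... admin completes OOBE / Web Sign-In on the laptop as the user, then:
Confirm-TapConsumed -UserPrincipalName $upn
```

The user's own password is never set or seen by the admin, and the TAP is dead after the single sign-in, so there is nothing left to put in a spreadsheet.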
u/SaintNewts Jul 10 '24
Yeah, no. Both M365 and G-office have administrator level accounts that provision and manage everything. There's no need at all for the whole password spreadsheet thing.
That's just sketchy as hell.
If they were using a password safe with multi factor authentication and local only storage, that would be only slightly less sketch. Still an improvement over whatever kind of bullshit infused dirt that guy is snorting.
Everyone should change their passwords and never tell anyone else what their new one is. Especially not that walking honeypot.
TL;DR
Isn't this a huge security risk?
Yah think!?! 😆
10
u/rinpoce Jul 10 '24
Thank you sir, yes I do think ...Needed 3rd party input to change this ignorant approach. Let's see...
25
u/botmarshal Jul 10 '24
Whoever enforced this rule should no longer be in charge of password policy.
The dwarves in Snow White (who keep their key on the wall outside the door) have better operational security than this.
It must be a very isolated group of non technical people.
Even though I don't know them, it keeps me up at night to know that this environment exists :-(.
They deserve better.
14
u/nanonoise What Seems To Be Your Boggle? Jul 10 '24
On the plus side your wife has plausible deniability on anything that happens with her account...
55
u/cliffag Jul 10 '24
Gonna take a different approach here. Yes, it is a terrible policy and practice.
But.
Unless you or your wife are in management and have the level of clout to change policy, the question seems moot. Plenty of people have jobs with stupid policies and it's just part of being in the workforce.
Your choices are: comply and protect yourself (aka no PII in email), try to push back and deal with the fallout (very low success rate and rarely good for the person making waves), or quit.
I don't see much productive coming from asking here. Plenty of people will tell you it is dumb, and showing reddit posts as prof to management will have all the weight of a helium balloon, and won't give you any peace of mind. Seems like a fruitless endeavor.
6
u/monedula Jul 10 '24
That is a reasonable point, but I beg to disagree. The situation could be any of the following (all of which I have met):
* The IT guy misunderstood what management was really saying;
* The management requirement was actually just an off-the-cuff remark by a manager;
* Management is willing to listen to reasonable arguments;
* It really is a hard requirement by a dumb management.
In the first three cases sending a polite e-mail to management (using words like "risk" and "standard IT practice", while avoiding words like "incompetent") could do some good. While in the last case a single polite e-mail is probably - probably - not going to produce a huge fall-out. Just document what you sent and what exactly the response was, and keep it for potential future use.
18
u/disclosure5 Jul 10 '24
Definitely this. There's multiple people on this thread attacking some IT guy, when the post itself says it's a management demand.
There's definitely no point talking about pentests in the context of some small educational group. You know they don't have one.
12
u/Heavy_Dirt_3453 Jul 10 '24
It's not clear if this "management requirement" is
a: External IT guy tells management "this is the way this must be done, tell your staff to comply"
-or-
b: Management have told External IT to go along with this, and because they know no better themselves or are desperate for clients have gone along with it.
Neither paints anybody in a particularly good light.
5
u/vCentered Sr. Sysadmin Jul 10 '24
Here's the thing on the IT guy for me.
You drop this client. They're a massive liability. Huge.
11
u/Knotebrett Jul 10 '24
This would be quite expensive in the EU region. The fines can range from 10 million euros or up to 2% of the annual turnover of an organization for less serious violations, and up to 20 million euros or 4% of the annual turnover for more serious violations.
13
u/joshghz Jul 10 '24
Is the "education org" dealing directly with minors or information pertaining to minors?
I'd report the crap out of their setup to... someone.
6
u/ElevenNotes Data Centre Unicorn 🦄 Jul 10 '24
What is your take on this?
That this is how a 12 year old would organize this.
What's the point in having a password if it's not private?
None.
Can't the admin do everything without direct knowledge of the users passwords?
Maybe. Depends on how the environment is set up. By the looks of it, that guy has maybe such limited knowledge that he doesn't even know how to set up administrative access.
Isn't this a huge security risk?
Yes.
but
Not your problem. If your wife wants to work there, and that is their policy, so be it. Not your wife’s nor your problem.
3
u/RickoT Jul 10 '24
I disagree with that, it could become their problem if he chooses to abuse the information. If I were her, I would leave. If that's not an option, then I would have a password EXCLUSIVELY for my computer, and nothing else, not even other work related systems. Never use autofill, remember passwords, etc.
Protect yourself best you can. Not to fearmonger or put shit in anyone's head, but this is how breaches start and come from the most unexpected places.
15
u/Khallann Sysadmin Jul 10 '24
Hmm, they are on to something….. stupid. If someone would ask me this I would straight up say no. As an admin I do not WANT to know anyone's password. It can only come back to bite me in the ass later. If the company would pressure me into doing so I would give a false password for their spreadsheet and wait how long it would take for them to test this. The request is clearly from an "IT department" that does not know how to do this properly. Next they are going to ask for your PIN code and card for whatever reason.
5
u/Hyperbolic_Mess Jul 10 '24 edited Jul 10 '24
This is bad practice on so many levels. Even if they didn't want to do anything "fancy" the usual onboarding process is to set up the user account with a temporary password, check everything works then hand it over to the user and force them to change it to something that IT doesn't know. If IT needs access after that they should have a separate local admin account on the laptop that they know the password to (stored in a password manager) so that they can reset the user's password for that account.
Reading between the lines it sounds like they've just set up one admin account on the computer and give the users access to that 🤦. They've probably not encrypted the hard drive as well so it would be trivial to use 3rd party tools to blank all passwords on the computer anyway.
It's hard for you to change any of this but your wife should work under the assumption that anything she does on that computer will get hacked so don't ever store any personal information there. That said HR is probably just as at risk 🤷
4
u/WithAnAitchDammit Infrastructure Lead Jul 10 '24
Had to double check. Thought I was in r/shittysysadmin
8
u/Vesalii Jul 10 '24
This is a major risk and your wife should refuse. I'm an admin and I always tell our users to NOT give me their password because I don't want it. We do have some passwords to shared accounts but they're stored in an encrypted database and only admins can access it.
4
u/HaMAwdo Jul 10 '24
Storing passwords in a spreadsheet is a huge security risk. Something like MyGlue or ITGlue is a better alternative; these tools are specifically designed for storing passwords securely. They use encryption and access controls to restrict access.
9
u/Suaveman01 Lead Project Engineer Jul 10 '24
Even then they shouldn’t be storing users passwords at all, if the admin needs to access the account they can reset the password.
4
u/No_Anywhere6700 IT Manager Jul 10 '24
Yes, huge security risk. This admin has no actual admin level control of the network since all a user has to do is change their local account password and they're locked out.
Either domain join everything and get AD set up; or just build on the existing MS O365 accounts and upgrade to Business premium and enroll devices in entra and Intune.
Don't give this admin your actual password. They will compromise the network with how they are doing this.
4
u/CrappyTan69 Jul 10 '24
Nope. If some internal abuse happens your wife has no way to prove it was not her. The logs will show her account.
That's a very scary practice. I suspect "the IT guy" knows slightly more than the average Joe which is why he's the IT guy. He's not the right guy...
5
u/Obvious-Water569 Jul 10 '24
Standard small org activities to be honest.
Yes, it's a huge security risk. No, the admin does not need to know the user's password to do admin tasks.
3
u/Blyatman95 Jul 10 '24
I work in the MSP space for tiny businesses. This shit is so hilariously common. It’s because users save files to their desktops so when Jill’s on holiday and they need something they just log in to her pc as her. No amount of telling them about the existence of sharepoint or servers will change their mind.
Bonus points to the company I support who insists all user passwords are the same. They have AD and all PCs are domain joined, they just login once with a new user and it becomes “Steve’s pc”. They keep the password the same so anyone can log in to anyone’s PC. I’ve told them they can just press other user and sign in as themselves but they won’t have it.
4
u/Just_Steve_IT Jul 10 '24
I would require that the business provide me with a binding indemnity agreement stating that since my user credentials are not private, I cannot be held accountable for any actions taken under those credentials. Get the lawyers involved, and you may find that the company changes its tone real quick.
4
u/dartdoug Jul 11 '24
We worked with a small town that gave IT oversight to a guy who had no IT experience. The first thing he did was send an email to all employees instructing them to email him all of their passwords.
Several of the employees did a REPLY ALL to the request so every employee in the town had those user passwords.
10
u/barrystrawbridgess Jul 10 '24
Someone of some significance should fire or terminate the relationship with the admin.
14
u/oneill2john Jul 10 '24
If a user resigns or dies, and you can't get into their account without their password - you can't call yourself an admin. Especially if you are using Microsoft365 which has tons of options for admins to use without the need of the user's password.
I always tell my users not to give me their passwords. And if they still do, I tell them to change it ASAP.
Oh, and storing user passwords in a spreadsheet? You can't be serious with this ...
Users in that company should just say NO to that.
3
u/ApricotPenguin Professional Breaker of All Things Jul 10 '24
and while onboarding new users he requests they share their password with him for onboarding purposes, and to "test if everything works"
The person that onboarded the new account can set the initial password and therefore knows it.
At that point they can do their testing if they really wish, then force the user to change the password.
What is your take on this?
It's a brilliant way for users to have plausible deniability of when they're caught in wrongdoing. "It wasn't me that was logged in at that time! The external guy knows my password and clearly he did it!"
Apparently this is a requirement by the management, and there are other non-admin users with access to this spreadsheet.
There's nothing that forbids you from changing your password after giving it to the person...
Also, whatever password you give make sure it's NOT used anywhere else nor is similar to anything used for your own personal accounts.
3
u/vCentered Sr. Sysadmin Jul 10 '24
This is bait, right? Rage bait? Click bait?
I've been in IT for a hot minute and the mantra has always been, "IT does not need your password and will never ask for it".
And we don't. I can't think of a legitimate reason why this person needs to know all the staff passwords.
3
u/ReputationNo8889 Jul 10 '24
I've had a user manage passwords in basically the same way. "But the Excel sheet is password protected!" Yeah sure, that's gonna stop em ....
This is a major red flag and I would RUN from such a company. If he wants to know the O365 passwords, then he is just plain stupid. As an O365 admin you can reset any user's password at will (you shouldn't, but you can). The admin logging in with just the password means that MFA is also not a thing, since he would then need the MFA codes as well. There is no point in passwords if they are stored accessible somewhere. Passwords by themselves are not really secure, this is why Passwordless is becoming such a big thing.
3
u/Dumfk Jul 10 '24 edited Jul 10 '24
The times I dealt with this were definitely not due to the IT admin. It was due to the company owner being a control freak and micromanager. If you are smart you will just bail and find something else. This is just the tip of the iceberg. Being what sounds like a non profit, it also could be there are some shady things going on and forcing this setup is to scapegoat others if they get exposed for embezzling.
3
u/spyingwind I am better than a hub because I has a table. Jul 10 '24
User does something bad with their account. Police come to investigate. User blames admin, who has all passwords, as an alibi. Does admin have an alibi?
An admin should never need to know a user's password to effectively administrate users. AD (GPO), Intune/AzureAD, or some kind of MDM can configure or modify any machine needed.
Does the admin not know about changing the password of an account? That is what they should be doing when they need to login as a user that quit or passed away.
3
u/gomexz Linux Engineer Jul 10 '24
A company I used to work for was an M.S.P. We took over I.T. operations for a police station. The I.T. director was let go and we took over. The director required everyone to give him their passwords. He had everyone's passwds on an app on his personal phone. There was no way for me to delete that. So I had dispatch send a message out over the radio to all the officers that soon there will be a requirement to reset their passwds to something new and to never for any reason give out their passwd again. I then wrote a quick powershell thingy to comb A.D. and require a passwd reset at the next log on for everyone. Once that was done another message went out over the radio asking everyone to reboot.
There is NO reason for ANYONE in I.T. to have a list of peoples passwds. Maybe, MAYBE give the I.T. guy your passwd if you are having account issues and he is actively working with you to resolve it.... Maybe. But once the issues are resolved change your passwd.
3
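An added example (not the commenter's script, and not code from this thread) of the clean-up described above, and of the "set it, test it, then force a change" onboarding a few comments earlier: flag every enabled, non-service on-premises AD account to change its password at next logon, with a preview mode and a log of what was touched. It assumes the RSAT ActiveDirectory module and a delegated account; the OU, the service-account names and the Reset-AllUsersAtNextLogon helper are placeholders of mine.

```powershell
# Added example, not the commenter's script. After a password list has been exposed,
# require every enabled, non-service AD user to set a new password at next logon,
# preview first, and keep a record. Assumes the RSAT ActiveDirectory module and an
# account delegated to modify user accounts. OU and account names are placeholders.
Import-Module ActiveDirectory

# Hypothetical helper; honours -WhatIf so the scope can be checked before anything changes.
function Reset-AllUsersAtNextLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $SearchBase = "OU=Staff,DC=example,DC=local",         # placeholder OU
        [string[]] $ExcludeSamAccountName = @("svc_backup", "svc_scan"), # placeholder service accounts
        [string]   $LogPath = "$env:TEMP\pwd-reset-$(Get-Date -Format yyyyMMdd-HHmm).csv"
    )
    # PasswordNeverExpires accounts silently ignore the flag, and service accounts that run
    # scheduled tasks would break on a forced change; both get rotated separately by hand.
    $users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                        -SearchBase $SearchBase -Properties PasswordLastSet |
             Where-Object { $_.SamAccountName -notin $ExcludeSamAccountName }

    $report = foreach ($u in $users) {
        $applied = $false
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Require password change at next logon")) {
            # Sets pwdLastSet = 0; the user picks the new secret and nobody else learns it.
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            $applied = $true
        }
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $u.PasswordLastSet   # shows how stale the exposed secret was
            Flagged         = $applied
            When            = Get-Date
        }
    }
    # The CSV is the evidence that the exposed list is now worthless.
    if (-not $WhatIfPreference) { $report | Export-Csv -Path $LogPath -NoTypeInformation }
    return $report
}

# Dry run first, then the real thing.
Reset-AllUsersAtNextLogon -WhatIf
$done = Reset-AllUsersAtNextLogon
"$(@($done | Where-Object Flagged).Count) accounts must change their password at next logon"
```

Pair it with a reminder to users, as the commenter did, that nobody in IT will ask for the new password afterwards.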
u/JohnBeamon Jul 10 '24
No. Admins do not require user passwords to become users and test permissions. Storing that data unencrypted at rest is a major security failure. There are no technical reasons to do this.
3
u/thefurnaceboy Jul 10 '24
This just seems like a guy who wants a list of all the passwords people definitely reuse for all their important accounts. He's either wildly incompetent or an obvious criminal
3
u/CharcoalGreyWolf Sr. Network Engineer Jul 10 '24
In small environments, this usually means some big fish in a little pond wants the ability to randomly sift through a user's data. Usually to feel in control.
Personally, I'm not willing to work with that, even if it's not a security risk. It indicates either nobody is trusted, or that there's massive micromanaging going on. Also makes it very easy to set someone up for firing with cause by using their account for "purposes".
3
u/dbtwiztid Jul 10 '24
If someone called asking for this I'd assume they're phishing and hang up. Admins can reset your password, disable MFA, etc. No real reason to share your password with them.
3
u/Miniature-Admin Jul 10 '24
What the....
I always tell my users: "Please, never tell me your passwords, I do not want to know".
To be fair, I work in a big industry and in the past the police did ask me for passwords, which I was happy to deny any knowledge of.
Treat your passwords like your underwear.
Change them regularly, don't leave them on the desk, and don't share with others.
3
u/L3veLUP L1 & L2 support technician Jul 10 '24
Last time I checked common guidance around passwords was to actually not change them unless you're sure they've been breached but have one long strong password.
https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
5
u/RickoT Jul 10 '24
This is the most insane thing I've ever heard.
As a Sysadmin myself, I would never NEVER EVER, EVER ask for anyone's password for ANY reason. I've had customers offer me their passwords and I tell them flat out no, I don't want it. And any self respecting sysadmin would do the same.
There are DOZENS of tools to get into a system as the user in an emergency situation without the user's password, PARTICULARLY for local accounts.
Anyone collecting passwords from users for WHATEVER purpose is up to nefarious things.
For example:
And this is just something I'm making up off the top of my head
Tiffany joins, gives DumbAdmin her password. He waits a few days/weeks for Britney to get settled and log into something important like... her bank. Once a week, DumbAdmin logs into Britney's (and probably other people's) computer, pops open the browser, checks browser history, looks at autofill stuff, maybe checks some email, and BOOM, now he has her username for a few sites. AND MOST LIKELY those accounts use the password he gathered from Britney when she started.
That's just one of a hundred scenarios I could probably think of.
Just the concept of the kind of data that these people (as someone else mentioned) is STAGGERING. And as another person said, there is ZERO accountability if he has everyone's password because he accesses the system as the user and there's no proof that user didn't.
Those people need to make EVERYONE change their passwords, then IMMEDIATELY terminate that relationship ASAP, IN THAT ORDER, or he can do MAJOR damage in an act of rage for being let go.
Then get a real admin that will get them set up properly.
Sorry for the rant, I just really hate predatory IT tactics like this, even if he's doing it for the "right reasons," for now, one day he'll abuse that information. Plus I'm high, and reddit makes me ranty
5
u/rswwalker Jul 10 '24
Does not compute. Admins can always change a user’s password to gain entry. The only reason to keep a user’s password is to log in without the user knowing. Probably some dumb HR requirement put on the provider.
4
u/BeefyIrishman Jul 10 '24
That assumes they have admin accounts setup. From the sound of it, they probably do not even know what an admin account is.
4
u/VanillaCandid3466 Jul 10 '24
The guy is utterly clueless and should not be given any passwords by anyone.
A spreadsheet? This guy is a total idiot.
2
u/MikealWagner Jul 10 '24
This is a significant security risk. The admin needs to utilize a password manager, and those who require access to specific passwords can only see what they need. Something like Securden Password Vault - there is a free version for small teams.
2
u/earthman34 Jul 10 '24
I'd tell them I object, if they insist, just change it immediately. There's zero reason for them to know a password and I'd never allow someone to have a password to a device that's mine.
2
u/ScreamingVoid14 Jul 10 '24
Well, I've been in this boat before.
Yes, it is a terrible idea and you should push back. But understand that a small org like this is probably literally owned by an individual or small group. If they want to drive their org into the ground or take undue risks, it is mostly their prerogative.
You can try to mitigate by training them on how to reset passwords and providing them a separate admin account, frame it as being helpful. You can try to push for a better password management system. You can quietly encourage people to reset their passwords and not let management know. Secret Server is a pricey but useful password manager with robust business continuity features (like letting management declare an emergency and read other people's passwords, with audit trails).
You can also consider framing the situation as, "If Suzy in accounting does something illegal, it will be legally difficult to prove it was her if the entire management team has access to her password."
2
Jul 10 '24
We have a spreadsheet with everyone’s passwords and they’re handmade passwords, not even randomly generated. Once I came into the org, I’ve been pushing for us to have a password manager and self service for the staff, but it’s a slow slow process.
2
u/vmeldrew2001 Jul 10 '24
Sounds to me like the org doesn't want to pay for it to be done properly. "Why pay money to change it when the way it is already works?"
2
u/dedjedi Jul 10 '24
This is so dumb that I would believe something criminal is going on.
2
u/qzmicro Jul 10 '24
I spent years traveling my county assisting business owners to deal with the mess this causes: technical, financial or legal. Most of these business owners are still climbing Mount Stupid (Dunning-Kruger effect, anyone?) ... and they didn't seem to learn until it hit them hard in the pockets. :(
Edit: spelling
2
u/jrobertson50 Jul 10 '24
Tell her to not use the same password she uses for anything personal. And never touch a non work related website or anything on the work laptop.
2
u/stussey13 Sysadmin Jul 10 '24
It amazes me the dumb shit that IT teams do in the education world. I'm in education myself and I see some dumb shit on a daily basis from coworkers
2
u/Always4Learning Jul 10 '24
This is a silly and insecure requirement. If he were truly an administrator, he'd have access to anything. Anyway, it's not like administrators test every use case imaginable that a user can run through in every functionality. In small shops like this they operate on the squeaky wheel principle.
Can you post where this is so we can all go to this educational institution and steal all their good ideas? Naturally, I'm hoping that they have better ideas in their domain than keeping credentials in a spreadsheet
2
u/stshelby Jul 10 '24
Look up non repudiation in cyber security. That's the goal and cannot be achieved without single identity sign on. Security is a way of life not a convenience.
2
u/Marathon2021 Jul 10 '24
Janky as hell. It’s either lazy or malicious.
However…
Given you said there are only local accounts, I could maybe see the logic in a recovery situation. User gets hit by a bus. Critical files to the org in their account. In a normal org, you get someone with domain admin rights to reset their PW on Active Directory and then do whatever you need to do. More complicated to recover in a local accounts only scenario.
2
u/posixUncompliant HPC Storage Support Jul 10 '24
What is your take on this?
Holy shit that's terrible!
What's the point in having a password if it's not private?
No clue. I can usually devil's advocate most things, at least in some vaguely plausible way, but this is next level stupid.
Can't the admin do everything without direct knowledge of the users passwords?
They certainly should be able to.
Isn't this a huge security risk?
Yes. It's also a liability risk. You can't plausibly track down who did anything.
2
u/EEU884 Jul 10 '24
Hell to the nah. Management and the external guy need rodding from the rear with a wire brush.
2
u/SilentMaster Jul 10 '24
Huge security risk. Solves almost zero of the problems mentioned. It's a crutch for lazy people. I hate it.
2
u/GSM193 Jul 10 '24
The answer is no, never. End of discussion.
Passwords are personal and the accounts normally are user account. Not Company account 😁
2
u/eddiehead01 IT Manager Jul 10 '24
There are a small selection of password types that we do fix and keep a record of (VPN passwords for instance) but we've recently moved away from spreadsheets to bitwarden
At the bare minimum they need to not be using a spreadsheet
There's no reason for them to have those though. If someone dies or quits then you go into your admin portal and reset the password
2
u/k0rbiz Systems Engineer Jul 10 '24
I had a CFO do this before. I showed him the vulnerabilities of using a spreadsheet. Shared proof of concepts and case studies of other businesses with data breaches using spreadsheets to store logins. I discussed the lack of encryption, how easy it is to share, access control methods, lack of audit trails, and backup risks like storing it in a network share or cloud storage. We made it very clear that everyone must use our paid Password Manager solution or face consequences.
2
u/binaryhextechdude Jul 10 '24
100% against this no matter what excuses they come up with. As someone else mentioned a while back on a similar post, if someone views illegal content such as child sexual abuse material ie photos and more than one person has the password? Well good luck proving who it was.
Similar vein, what if a highly confidential document or slide deck was sent to a competitor? How can they prove it was end user John and not admin Steve who sent it?
2
u/GrimmBro3 Jul 10 '24
Someone's going to Mitnick that spreadsheet, then it's game over. Guessing they don't practice least privilege access, if non-admin users have access to that sheet. They need to use Active Directory. And your wife should consider finding a different place to work.
2
u/jmnugent Jul 10 '24
You should never be storing passwords in a spreadsheet. No. Absolutely not.
I have worked in places before where we asked for user passwords to do things, mostly because whatever configuration we were trying to change was a user-profile based change, so there was no other way to do it other than being logged in as the user.
Although we did eventually move away from that habit, and any time a user-specific change needed to be made, we just forced the user to physically be there to type in their own password.
In most modern workplaces, you should have:
- automated configuration tools, so that whatever needs to be installed or configured can be pushed (silently, remotely) down to a user's machine.
- or, if it's a user profile configuration of some kind, KB articles or instructions you can send a user so they can do it themselves.
None of that should require anyone to share passwords.
2
u/edcrosbys Jul 10 '24
This is beyond idiotic. However, if it's policy to give them the password, do so. If you "forget" to update them after you change the password, oops. You'll know they tried to access it when they reach out.
2
u/SamuelVimesTrained Jul 10 '24
Solution is "simple"
- Log on with provided password.
- Give password to this 'admin'
- change password
And, if you get hit by the bus - HR/Legal and IT can reset the users password if they really need access to that account, so honestly, that argument is bogus, and that setup is totally asking to be abused.
2
u/notHooptieJ Jul 10 '24
<facepalm>
you dont need the user password for any of that. NONE OF IT!
Reset it - TAPS in, setup, test, send them a reset link.
The only reason to have everyones passwords is if you want freedom from oversight to be nefarious.
2
u/edifus Jul 10 '24
Admins absolutely do not need your password to access accounts, or to test if everything works...
2
u/ScottIPease Jack of All Trades Jul 10 '24
For me I don't want the passwords, I can change them, remove them, block people from login, I don't want the risk and can do all the above in less than a minute.
The only person that knows the password is each user, and many users do not even know their passwords, we set it to log in automatically and forget it.
2
u/reaper527 Jul 10 '24
time for her to find a new job. that would be completely unacceptable.
even their reasoning isn't sound if the person managing the password has the slightest bit of competence, as it's trivial to reset a user's password if necessary. I'd "accidentally" write the wrong password on the paper for the short term.
I explicitly tell people NOT to give me their passwords. Don't tell me, don't write them down, I don't want to know them. If I need access to an account, I'll reset it and then give them the new pass while setting a "change on next log on" flag.
2
u/Humble-Plankton2217 Sr. Sysadmin Jul 10 '24
As long as a local admin is set up and that pw documented, there is no reason for him to have their passwords other than the convenience of signing in to work on them if they are AFK and it's locked.
I worked somewhere like this in the past, briefly. Changing your password and not giving it to IT was a write-up. It was solely for the purpose of IT being able to work on your computer when you weren't at your desk. Same place also used cracked licenses for software that had to be re-cracked every 30 days. I looked for another job the minute I realized what kind of op they were running. Outskees.
At the end of the day your workplace owns your data, you have no right to privacy on your work PC. But there are good practices and bad ones and this is definitely a bad practice.
2
u/Sushigami Jul 10 '24
Think of a legal case.
A user did $BAD_THING_COST_MONEY. How do you prove it was actually the person who owned the user account that performed the action? It could be literally anyone on any team, to say nothing of other persons that managed to get hold of the excel.
2
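The attribution problem raised in the comments above (stshelby, posixUncompliant, binaryhextechdude, Sushigami) has a flip side worth checking for: an admin working through a password spreadsheet leaves a footprint in the Entra ID sign-in log, because one source IP signs in as many different accounts. The following is an added example, not code from this thread. It runs offline on constructed sample records; the commented `Get-MgAuditLogSignIn` line is the live equivalent and assumes the Microsoft.Graph.Reports module, the `AuditLog.Read.All` scope and an Entra ID P1 licence, which the sign-in log API requires. Names, IPs and times are made up.

```powershell
# Added example (not from this thread). Flags source IPs from which several
# different accounts signed in on the same day. Sample data is constructed.

$signIns = @(
    # office NAT: two people, two accounts -- normal
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 08:02'; UserPrincipalName = 'tiffany@example.org'; IpAddress = '198.51.100.5'; AppDisplayName = 'OfficeHome' }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 08:10'; UserPrincipalName = 'britney@example.org'; IpAddress = '198.51.100.5'; AppDisplayName = 'OfficeHome' }
    # one home IP, after hours, four different accounts in twenty minutes -- not normal
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 21:40'; UserPrincipalName = 'admin@example.org';   IpAddress = '203.0.113.77'; AppDisplayName = 'Azure Portal' }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 21:44'; UserPrincipalName = 'tiffany@example.org'; IpAddress = '203.0.113.77'; AppDisplayName = 'Outlook Web' }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 21:51'; UserPrincipalName = 'britney@example.org'; IpAddress = '203.0.113.77'; AppDisplayName = 'Outlook Web' }
    [pscustomobject]@{ CreatedDateTime = [datetime]'2024-07-10 22:00'; UserPrincipalName = 'suzy@example.org';    IpAddress = '203.0.113.77'; AppDisplayName = 'OneDrive' }
)
# Live data instead of the sample (Microsoft.Graph.Reports, AuditLog.Read.All, Entra ID P1):
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge 2024-07-03T00:00:00Z" -All

function Find-SharedCredentialUse {
    param(
        [Parameter(Mandatory)][object[]]$SignIns,
        [int]$MinDistinctUsers = 3,          # tune: the size of a normal shared NAT is the floor
        [string[]]$KnownSharedEgress = @()   # office / VPN egress IPs to ignore
    )
    $SignIns |
        Where-Object { $KnownSharedEgress -notcontains $_.IpAddress } |
        Group-Object { '{0}|{1:yyyy-MM-dd}' -f $_.IpAddress, $_.CreatedDateTime } |
        ForEach-Object {
            $distinct = @($_.Group.UserPrincipalName | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinctUsers) {
                $ordered = $_.Group | Sort-Object CreatedDateTime
                [pscustomobject]@{
                    IpAddress     = $ordered[0].IpAddress
                    Day           = $ordered[0].CreatedDateTime.ToString('yyyy-MM-dd')
                    DistinctUsers = $distinct.Count
                    Accounts      = ($distinct -join ', ')
                    FirstSeen     = $ordered[0].CreatedDateTime.ToString('HH:mm')
                    LastSeen      = $ordered[-1].CreatedDateTime.ToString('HH:mm')
                }
            }
        }
}

# On the sample data this reports one row: 203.0.113.77 on 2024-07-10, 4 accounts.
Find-SharedCredentialUse -SignIns $signIns -KnownSharedEgress '198.51.100.5' | Format-Table -AutoSize
```

The grouping is by IP and calendar day, so a shared office or VPN egress will trip it too; pass those addresses in `-KnownSharedEgress` and look at what is left, especially residential IPs and out-of-hours times. The log only ever records which account was used, not which human typed the password, which is exactly why the comments above say attribution is lost once passwords are shared.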
u/BobTheOldFart Jul 10 '24
Maybe you could use this analogy to explain how bad this idea is:
Require all the employees to give a spare car key to the front office. These keys will be hung on a pegboard in the office somewhere, just in case anyone needs to get something from another employee's car while that employee might be in a class, meeting, etc. Or if someone wants to go rob a liquor store during lunch without using their own car.
Ask how that policy would go over.
2
u/LosAtomsk Jul 10 '24
Yes, it's a huge security risk - spreadsheets are no place to store passwords. Moreover, if someone leaves or passes away, an admin can reset that password anyway. From my experience, that's not even necessary, the account is usually converted to a (free) shared mailbox, and the license is removed, while a forward to another person is set up to catch any e-mails that still come in.
In some cases, the account is assigned read-and-manage rights to someone in management so they can still access past e-mails, if necessary. Like others have mentioned, if non-admins can consult this spreadsheet, there's really no control of who is doing what. In the worst-case scenario, everyone with access to those passwords could be liable. It's terrible practice.
2
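The leaver handling LosAtomsk describes above (block the account, convert to a shared mailbox, delegate access, forward mail, reclaim the licence) needs no knowledge of the user's password at any step. The following is an added example, not code from this thread. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules, an Exchange Administrator plus User Administrator role, and the Graph scopes shown; the UPNs are placeholders.

```powershell
# Added example (not from this thread). Offboards a leaver's Microsoft 365 account
# without ever needing their password. Identities below are placeholders.
#Requires -Modules ExchangeOnlineManagement, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Disable-LeaverAccount {
    param(
        [Parameter(Mandatory)][string]$LeaverUpn,     # e.g. 'alice@example.org'
        [Parameter(Mandatory)][string]$DelegateUpn,   # manager who gets read-and-manage access
        [Parameter(Mandatory)][string]$ForwardToUpn   # colleague who catches new mail
    )
    # 1. Block sign-in and invalidate existing sessions and refresh tokens.
    Update-MgUser -UserId $LeaverUpn -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $LeaverUpn | Out-Null

    # 2. Convert to a shared mailbox: no sign-in, no licence needed under 50 GB.
    Set-Mailbox -Identity $LeaverUpn -Type Shared

    # 3. Read-and-manage (FullAccess) for management. AutoMapping off so the mailbox is
    #    opened deliberately rather than silently appearing in the delegate's Outlook.
    Add-MailboxPermission -Identity $LeaverUpn -User $DelegateUpn `
        -AccessRights FullAccess -AutoMapping:$false | Out-Null

    # 4. Forward new mail to a colleague and keep a copy in the shared mailbox.
    Set-Mailbox -Identity $LeaverUpn -ForwardingAddress $ForwardToUpn `
        -DeliverToMailboxAndForward $true

    # 5. Reclaim every licence the leaver held. Do this after the conversion, not before.
    $skus = @((Get-MgUserLicenseDetail -UserId $LeaverUpn).SkuId)
    if ($skus.Count -gt 0) {
        Set-MgUserLicense -UserId $LeaverUpn -RemoveLicenses $skus -AddLicenses @() | Out-Null
    }

    Get-Mailbox -Identity $LeaverUpn |
        Select-Object DisplayName, RecipientTypeDetails, ForwardingAddress, DeliverToMailboxAndForward
}

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All', 'Organization.Read.All'
Disable-LeaverAccount -LeaverUpn 'alice@example.org' -DelegateUpn 'manager@example.org' -ForwardToUpn 'bob@example.org'
```

Every step here is performed by the admin's own identity and lands in the Exchange and Entra audit logs under the admin's name, which is the accountability the spreadsheet approach throws away. The ordering matters: disable and revoke first so nobody (including whoever still holds the spreadsheet) can sign in while the mailbox is being handed over.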
u/l0st1nP4r4d1ce Jul 10 '24
Let me be clear. As a datasec guy for 15 years.
YOUR ORG WILL BE COMPROMISED with this mindset. Not if, when.
This is so far below best practices, I am honestly gobsmacked.
2
u/FriendlyRussian666 Jul 10 '24
Whoever made this up should be sent for mandatory cyber sec training, and should change their ways, or be fired.
2
u/Efficient_Will5192 Jul 10 '24
My take on it is either the admin or management (Probably both) are not qualified to do their jobs.
2
u/GreyBeardIT sudo rm * -rf Jul 10 '24
This is stupid from any perspective. There is a reason Admins can change passwords, but not see them. Assign 2 admins, either can change passwords, move on.
His mgmt should try this horse shit in healthcare and see how far it gets them. smh.
2
u/spin81 Jul 10 '24
What's the point in having a password if it's not private?
I don't know if you're being rhetorical or not so I'll just say it: there is no point in having a password if it's not private.
Apparently this is a requirement by the management
I can see how that can make someone feel they have no choice but to do it, but on the other hand I feel stopping management when they're about to do something colossally unethical and unsafe is something that should at least be attempted.
2
u/imnotabotareyou Jul 10 '24
When I started my current job I was told by management to do this.
I bet it’s way more common than people think.
I told them it was fucking stupid and wrong but they had some bs “we need access just in case!!” and were fucking deaf when it came to pw resets etc.
Whatever, I store the passwords.
But they’re the random initial ones and they are forced to pick a new password upon first log in.
I don’t ask about those passwords ever.
2
u/Horrigan49 IT Manager - EU Jul 10 '24
Security risk 12/10 and privacy breach 86/10, on a level of "you would be fcked anywhere in the EU" with fancy fines.
2
u/VitualShaolin Jul 10 '24
It's a compromise waiting to happen, I'm a pentester and always test for password cred information in 365 after gaining creds. It's also a compliance issue as the accounts are effectively shared. Then there is the incompetence to consider that they are unaware of correctly managing user accounts.
2
u/aeveltstra DevOps Jul 10 '24
Woah. Major breach of trust here.
What should happen, is that all computers have a separate admin account with a password known to the admin group, only. Store it in a vault (both physical and digital).
Nobody but the admin group should have access, including the owners.
2
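For the local-accounts-only laptops the OP describes, the separate admin account aeveltstra recommends above (and Humble-Plankton2217 earlier) can be created per machine with a unique random password that goes into the vault instead of a spreadsheet. The following is an added example, not code from this thread. It assumes Windows PowerShell 5.1 or later run elevated on the laptop, the built-in Microsoft.PowerShell.LocalAccounts module, and a placeholder account name.

```powershell
# Added example (not from this thread). Creates (or rotates) a per-laptop break-glass
# local administrator with a unique random password. Run elevated on each machine.
#Requires -RunAsAdministrator

function New-BreakGlassLocalAdmin {
    param([string]$Name = 'orgadmin')   # placeholder account name

    # 24 random bytes from the OS CSPRNG -> 32-character Base64 password, unique per
    # laptop. It is returned once so it can be stored in the admin group's vault and
    # is never given to the laptop's day-to-day user.
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $plain  = [Convert]::ToBase64String($bytes)
    $secure = ConvertTo-SecureString $plain -AsPlainText -Force

    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        # Account already exists: just rotate the password (e.g. after an admin leaves).
        Set-LocalUser -Name $Name -Password $secure
    } else {
        New-LocalUser -Name $Name -Password $secure -PasswordNeverExpires `
            -Description 'Break-glass admin; password held in vault' | Out-Null
        Add-LocalGroupMember -Group 'Administrators' -Member $Name
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $Name; Password = $plain }
}

New-BreakGlassLocalAdmin | Format-List

# Sanity check: only the break-glass account and the built-in Administrator should be
# here. The user's own everyday account should not be a local administrator.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

With this in place the admin can reset any user's local password from the elevated session (`Set-LocalUser -Name <user> -Password <new>`) without ever knowing the old one. If the laptops are ever joined to Entra ID, Windows LAPS does the same rotation automatically and stores the secret in the directory, which beats a manual vault entry.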
u/come_ere_duck Sysadmin Jul 10 '24
To quote Ollivander, "Nope! No! Definitely not!". Huge red-flag. In all my years in IT, if I ever need to test that everything is set up correctly, I just set a generic password for the user and then reset the password to one of 365's auto generated passwords with the "require user to reset password" option ticked. That way, the user signs in, has to reset their password, and everything is already tested and working.
If you are going to store user passwords, it should at least be in something secure like ITGlue or similar. But ideally, you should never be storing user passwords. If they forget it, you reset it for them.
Any time I have ever needed a user's password for troubleshooting etc, I usually reset their password and let them know that they'll need to reset their password again afterward. It's a win win, as it allows me to use an easy password I'll remember and it forces them to update their password.
2
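Several commenters above describe the same Microsoft 365 workflow without ever learning a user's password: create the account with a random temporary password and the "require password change at next sign-in" flag (imnotabotareyou, come_ere_duck), and when troubleshooting genuinely needs a sign-in as the user, reset to a fresh temporary password and force another change afterwards (notHooptieJ, reaper527). The following is an added example, not code from this thread. It assumes the Microsoft.Graph PowerShell SDK, a User Administrator role, the scopes shown, and placeholder names and UPNs.

```powershell
# Added example (not from this thread). Onboard and troubleshoot Microsoft 365 users
# without storing or learning their passwords. Names and UPNs are placeholders.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Users

function New-TemporaryPassword {
    # Cryptographically random password from an unambiguous alphabet, regenerated
    # until it satisfies the three-of-four character class rule Entra ID enforces.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($buf)
            # Rejection sampling so every alphabet character is equally likely.
            if ($buf[0] -lt (256 - (256 % $alphabet.Length))) {
                [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
            }
        }
        $pw = $sb.ToString()
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    $rng.Dispose()
    return $pw
}

function New-OnboardedUser {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $temp = New-TemporaryPassword
    $user = New-MgUser -AccountEnabled -DisplayName $DisplayName `
        -UserPrincipalName $UserPrincipalName `
        -MailNickname ($UserPrincipalName.Split('@')[0]) `
        -PasswordProfile @{
            Password                      = $temp
            ForceChangePasswordNextSignIn = $true   # user picks their own at first sign-in
        }
    # Hand the temporary password over out of band (in person or a second channel).
    # After the first sign-in only the user knows the password; nothing to spreadsheet.
    [pscustomobject]@{ UserId = $user.Id; Upn = $UserPrincipalName; TemporaryPassword = $temp }
}

function Reset-UserForTroubleshooting {
    # Admin needs to sign in as the user to fix something: reset, do the work, and the
    # user is forced to choose a new password afterwards. The reset itself is recorded
    # in the Entra audit log under the admin's identity.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $temp = New-TemporaryPassword
    Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
        Password                      = $temp
        ForceChangePasswordNextSignIn = $true
    }
    return $temp
}

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.AccessAsUser.All'
$onboarded = New-OnboardedUser -DisplayName 'Tiffany Example' -UserPrincipalName 'tiffany@example.org'
$onboarded | Format-List
# Later, when support needs to sign in as her:
# $temp = Reset-UserForTroubleshooting -UserPrincipalName 'tiffany@example.org'
```

The admin tests with the temporary password and is locked out of it the moment the user completes the forced change, which is the "change on next log on" flag reaper527 mentions. Password reset of another admin's account needs a higher role (Global Administrator) than the User Administrator assumed here, and an admin who wants no standing access at all can also let users recover themselves via self-service password reset rather than through support.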
u/fishermba2004 Jul 11 '24
This was fairly common 20+ years ago. Users liked the convenience of people being able to adjust things on their profile. Remote access tools weren't nearly as good as they are now. Neither were the tools. I'd be willing to bet this IT guy is really old and just hasn't kept up.
811
u/nmj95123 Jul 10 '24
As a pentester, I love people that keep handy dandy spreadsheets with creds in them. Criminals love them, too. It speaks volumes that they don't even bother with a password manager, beyond deciding that storing end user credentials is a good idea, which it most definitely is not.