Hmmm, where should I dump those unencrypted password files? I know - OneDrive

Enterprises are routinely storing corporate password files in the cloud through Microsoft’s OneDrive backup technology. OneDrive is the most common Office 365 application, with 79.1 per cent of organisations using it, according to a study by cloud control tech vendor Skyhigh Networks. The average corporate OneDrive service …

The Skyhigh guys again

"The amount of sensitive data being stored on OneDrive in general is increasing, Skyhigh reports. Around one in six (17.1 per cent) of stored files contain sensitive data, which consists of confidential data (9.4 per cent), personal (4.1 per cent), health (1.9 per cent) and payment (1.7 per cent) information."

How could you possibly know that? It's a random guess at best. I stopped reading there, but I'm assuming there's a sales pitch in the following paragraphs.

7
1
Anonymous Coward

Re: I'm assuming there's a sales pitch in the following paragraphs

That would never have happened if they'd used DevOps! :-)

13
0
Silver badge

Re: The Skyhigh guys again

If their testing has come up with those figures then OneDrive is not fit for purpose.

If SkyHigh, as a third-third-party have been permitted access to this information then this breaks Data Protection regulations. (Microsoft is the third-party, and they should not be able to deduce this information either).

3
1
Silver badge

Re: The Skyhigh guys again

"How could you possibly know that? It's a random guess at best."

It's a guess and not even a SWAG at best unless they actually got into a lot/most of those servers. Comments like "144 file" sound like either they are BSing or they know. If they know, and got in without permission, they should be charged and fed porridge for several years. Oh.. and the exec management team should be given more time since they probably directed this.

1
2

Re: The Skyhigh guys again

"If they know, and got in without permission, they should be charged and fed porridge for several years."

You are implying that Skyhigh is in the wrong here because they *did* obtain data that way.

You should be implying that the fact that Skyhigh got in indicates the users in question are idiots for at least expecting security on a medium that doesn't promise it.

0
1

Re: The Skyhigh guys again

"(Microsoft is the third-party, and they should not be able to deduce this information either)."

Microsoft have control of the hardware. What does this mean? As every sysadmin knows, it means you can get what you want if you are that way inclined. This is not only Microsoft but every cloud provider; your VM may be controlled by you, but do you really know where it is? When that instance moves datacentre, how did it happen so fast? What happened to the copies? Who has access to them?

These are questions I ask myself. Does anyone have the answers?

0
0

Re: The Skyhigh guys again

"These are questions I ask myself. Does anyone have the answers?"

Yes.

1
0

Re: The Skyhigh guys again

Please share, I beg of you ;)

0
0
Bronze badge

Re: The Skyhigh guys again

If you RTFA you'll see that businesses buy Skyhigh to "monitor employee cloud use". Of course to do that you've got to grant Skyhigh admin access to your OneDrive. So there are no data protection rules broken, the crazy businesses who have bought in to Skyhigh have just given away access to all their confidential, medical and commercial information. It seems that they'll then use that access partly for your benefit and partly for their own benefit to run analysis like this.

If you trust your own employees less than you trust Skyhigh, you have got real problems.

1
0
Anonymous Coward

Use the password as the name of the file, problem solved.

4
0
Bronze badge

Yep, there will be plenty of false negatives from people doing minor obfuscation of their password file. There will also be false positives. There's nothing wrong with storing a "Password policy.doc" but it sounds like that would be flagged up as a password file.

0
0
Facepalm

BS!

I call BS. There isn't one word in their report about how they got their "estimate". Saying "is based on real life data from more than 600 enterprises and 27 million users" is meaningless. It's just throwing big numbers around as though that makes the result "better".

You're not doing your reputation as a news source any favours if all you do is reprint crap like this from advertising agencies without at least thinking about it.

8
1
Anonymous Coward

Re: BS!

There are a number of services which corporates can use to scan their cloud usage. It's not that hard to look for lists of names, numbers in credit card format, postcodes, etc.

I'm not saying that these have been hired by corporates but it's not that far-fetched.

1
2
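The two comments above, on file-name matching producing false positives and negatives and on scanning content for card-format numbers, can be illustrated with a small scanner. This is an added example, not part of any comment and not a description of how Skyhigh's product works; the sample files, patterns and function names are all constructed for illustration.

```python
import re

# Constructed sample files (name -> content); none come from the article or the study.
SAMPLE_FILES = {
    "Password policy.doc": "Passwords must be at least 12 characters and rotated yearly.",
    "misc-notes.txt": "vpn login: jsmith / Winter2016!\nsql-prod password = hunter2",
    "expenses.csv": "date,card,amount\n2016-03-01,4111 1111 1111 1111,42.50",
    "order-ids.txt": "ref 1234567812345678 shipped",
}

NAME_HINT = re.compile(r"passw(or)?d|credential", re.I)
# A line pairing a credential keyword with a value, e.g. "password = x"
CRED_LINE = re.compile(r"(?im)^.*\b(password|passwd|pwd|login)\b\s*[:=]\s*\S+")
# 13 to 19 digits, optionally separated by spaces or hyphens
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flag_by_name(name: str) -> bool:
    return bool(NAME_HINT.search(name))

def flag_by_content(text: str) -> set:
    findings = set()
    if CRED_LINE.search(text):
        findings.add("credential")
    for m in CARD_CANDIDATE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.add("payment-card")
    return findings

def scan(files: dict) -> dict:
    """Return {name: (flagged_by_name, sorted content findings)}."""
    return {n: (flag_by_name(n), sorted(flag_by_content(t))) for n, t in files.items()}

if __name__ == "__main__":
    for name, result in scan(SAMPLE_FILES).items():
        print(f"{name:22} name_hit={result[0]!s:5} content={result[1]}")
```

The policy document is flagged by name only, while the renamed notes file and the expenses sheet are caught only by content inspection; the 16-digit order reference fails the Luhn check and is not reported.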
Silver badge

Re: BS!

Fiction or not, just don't use the word password in the file name. I doubt I would be using the password as the file name...

0
0
Silver badge

Re: BS!

But, what, why, why would I want some outside agency to scan my drives / storage for interesting stuff to help them out in their sales pitch?

2
1
Silver badge

Re: BS!

'I call BS. There isn't one word in their report about how they got their "estimate".'

Let's see now.... Google Skyhigh Networks.... Hmm, there's their web-site, click on it, scroll down till we find out what they do for a living... Hey, they act as security consultants for corporates, checking both shadow IT and official IT. You know something? They might just be in a position to discover what they say.

3
1
Gold badge

Re: BS!

You know something? They might just be in a position to benefit from what they say.

5
0
Silver badge

Re: BS!

And once again the root of the problem is free news is worth what you pay for it. Don't say but but the ads as ok the news then costs .000001 cents fine. I agree not having a subscription option means it's take it or leave and it should be called out when this crap occurs but it's easy to see why.

0
1
Silver badge

Re: BS!

"Fiction or not,"

Others have pointed out that they offer nothing to back up their assertions. However, there are people out there who do store simple password files in cloud services. I know of one, for example, who uses a Google Docs spreadsheet.

"just don't use the word password in the file name. I doubt I would be using the password as the file name..."

And the person I speak of did just that. Until I expressed alarm at the very idea of storing an unencrypted password file in the cloud - at which point, he changed the file name. That'll make it perfectly safe, I'm sure. :/

1
1
Silver badge
Facepalm

based on real life data

They must have gone through their own account, found the amount of password related muppetry performed by their non-IT staff, and extrapolated from there.

As for why they don't mention this, would you take a security company seriously that admitted to it?

2
2

Re: BS!

Because some industries have regulations that require such things for servers and such, and the IT crowd likes it enough to extend it enterprise wide?

I've seen plenty of reports of scans of this nature.

1
0
Silver badge

Re: BS!

"They might just be in a position to benefit from what they say."

Of course.

0
0

Re: BS!

Hear Hear

0
0
Silver badge

I'm glad I'm not alone in querying how they know this

It's not as if they can do a Google Sitesearch on Onedrive: *password* and corporate surveys can't give that level of response either.

1
2
Anonymous Coward

Have an "intranet" site that people upload random junk to, no end of fun looking to see what kind of confidential stuff people have spaffed in there. Password sheets are pretty common.

0
0
Silver badge

My thoughts entirely...

How did they get this, ahem... data? Presumably all of the Microsoft cloud customers gave their permission for them to go snooping around?

2
2
Bronze badge

This study says what?

So, for some stupid reason... the number of files containing sensitive information is higher on OneDrive than it is on the typical corporate network? In this case.. a lot higher.

We didn't hit anywhere close to 18% on our first run through using DLP on: personal folders, personnel folders, application storage or databases. So these figures seem a bit high to me. I just called a few people and asked them what they think, and they're in line with me.

To provide a minimal fair sample, you'd need to study 100-200 companies using OneDrive for accurate figures. I'm thinking the companies who would allow this study to take place on their systems likely don't think security first; skewing the results. Please don't say people used some sort of survey. Surveys aren't accurate for technical information like this due to interpretation for one thing.

The blog you're getting this information from isn't even concentrating on security. It talks about the increased use of Office365. Even then it only provides figures, and doesn't provide any informative proof to back it up. Doesn't provide what type of study was done, how it was conducted and participants. Nothing for us to go... "hmmm".

0
0
Silver badge

Re: This study says what?

"I'm thinking the companies who would allow this study to take place on their systems likely don't think security first; skewing the results."

A minimal amount of research - if you could go as far as calling a quick Google and looking at their website research - shows that they're security consultants who do such scanning on clients' cloud use to look for this sort of thing. So companies who call them in are actually being security conscious* and the skew might be in the opposite direction to what you thought.

*Or maybe not if they're using someone else's computer.

1
0
Silver badge

I wish we could rip One Drive totally out of Windows or at least completely lock it down so that it's totally inaccessible. I don't want it on my PC because MS keep trying to set it to the default location to save files. Thought I'd somehow deleted a bunch of photos which I just uploaded onto my PC but they'd been 'synced' onto One Drive and deleted locally. Then I noticed it was doing the same thing to documents. Did everything I could including regedit but have only maimed rather than killed it.

4
1

If you must use Windows, do the sensible thing and upgrade to 7. No OneDrive integration there.

-A.

7
0
Silver badge

I have to say one drive for business is shite, and an administration nightmare.

3
1
Silver badge

My main machine is Windows 7 but it managed to commit suicide somehow, I suspect it was something to do with Windows 10. Had disabled all the Windows 10 download patches but I can't recover using my Windows 7 media because it detects a newer version of Windows and refuses to budge.

1
0
Gold badge

Surely if there is no Microsoft account then One Drive refuses to store anything? Certainly on my PCs, One Drive just sulks in a corner, complaining occasionally that it can't do anything because I haven't molly-coddled it enough.

5
0
Silver badge

@Ken Hagan

Hah. I like the idea of sulky software very much indeed. I'll have to see if I can't build some sulkiness into my software without annoying my users, too much...

1
0
Bronze badge

I can confirm it's the same (crap) from end user support angle (until they've just given up on it).

BTW, if someone shared their file with you, you can share it with others. A gossip feature?

Also, while it's easy to see files shared with you, it's much more difficult to find/manage all files you've shared from one central point. Because this would make too much sense.

0
0

@ Ken Hagan

It gets better than that. When you shut down OneDrive, it gives a little gasp and throws up a little dialog saying "Are you SURE you want to shut me down? You won't be able to sync with your cloud data, or anything!"

The fact that I don't have a Microsoft account (well, an MSDN account, but don't tell Windows 10) doesn't seem to stop or even slow down its whining panic.

I love it

1
0
Silver badge

How did they get their data?

They have three clients, to the systems of which they have access. At "Idiots Are Us" it was discovered they were storing lots of text files called Passwords.txt on OneDrive. At "MEH.COM" only a couple of such files were found. At "Smarty-Pants Inc" no such files were found.

They averaged this sample data and extrapolated it to the whole of the Corporate universe.

Probably.

2
1
Anonymous Coward

You are all assuming all these password files are real and not decoys. I have fake passwords on sticky notes on my monitor just to annoy anyone who steals them. I assume fake password spreadsheets could serve a similar purpose.

0
0
Silver badge

I missed a fad obviously

To keep up with the fad I have saved a blank Excel spreadsheet called passwords.xlsx and saved it to OneDrive (Yay it's actually being used for something now we are probably being overcharged for)

3
0

The solution is obvious.

There are characters which you can't have in a file name. Just add "p", "s", "w", "r" and "d" and

0
0
