back to article Hmmm, where should I dump those unencrypted password files? I know - OneDrive

Enterprises are routinely storing corporate password files in the cloud through Microsoft’s OneDrive backup technology. OneDrive is the most common Office 365 application, with 79.1 per cent of organisations using it, according to a study by cloud control tech vendor Skyhigh Networks. The average corporate OneDrive service …

  1. sysconfig

    The Skyhigh guys again

    "The amount of sensitive data being stored on OneDrive in general is increasing, Skyhigh reports. Around one in six (17.1 per cent) of stored files contain sensitive data, which consists of confidential data (9.4 per cent), personal (4.1 per cent), health (1.9 per cent) and payment (1.7 per cent) information."

    How could you possibly know that? It's a random guess at best. I stopped reading there, but I'm assuming there's a sales pitch in the following paragraphs.

    1. Anonymous Coward
      Anonymous Coward

      Re: I'm assuming there's a sales pitch in the following paragraphs

      That would never have happened if they've used DevOps! :-)

    2. Ken Moorhouse Silver badge

      Re: The Skyhigh guys again

      If their testing has come up with those figures then OneDrive is not fit for purpose.

      If SkyHigh, as a third-third-party have been permitted access to this information then this breaks Data Protection regulations. (Microsoft is the third-party, and they should not be able to deduce this information either).

      1. Ragarath

        Re: The Skyhigh guys again

        (Microsoft is the third-party, and they should not be able to deduce this information either).

        Microsoft have control of the hardware. What does this mean? As every sysadmin knows it means you can get what you want if you are that way inclined. This is not only Microsoft but every cloud provider, your VM may be controlled by you but do you really know where it is? When that instance moves datacentre how did it happen so fast. What happened to the copies? Who has access to them.

        These are questions I ask myself, Does anyone have the answers?

        1. Mahhn

          Re: The Skyhigh guys again

          "These are questions I ask myself, Does anyone have the answers?"

          Yes.

          1. Ragarath

            Re: The Skyhigh guys again

            Please share I beg of you ;)

            1. Seajay#

              Re: The Skyhigh guys again

              If you RTFA you'll see that businesses buy Skyhigh to "monitor employee cloud use". Of course to do that you've got to grant Skyhigh admin access to your OneDrive. So there are no data protection rules broken, the crazy businesses who have bought in to Skyhigh have just given away access to all their confidential, medical and commercial information. It seems that they'll then use that access partly for your benefit and partly for their own benefit to run analysis like this.

              If you trust your own employees less than you trust Skyhigh, you have got real problems.

    3. Mark 85 Silver badge

      Re: The Skyhigh guys again

      How could you possibly know that? It's a random guess at best.

      It a guess and not even a SWAG at best unless they actually got into a lot/most of those servers. Comments like "144 file" sounds like either they are BSing or they know. If they know, and got in without permission, they should be charged and fed porridge for several years. Oh.. and the exec management team should be given more time since they probably directed this.

      1. John Tserkezis

        Re: The Skyhigh guys again

        "If they know, and got in without permission, they should be charged and fed porridge for several years."

        You are implying that Skyhigh is in the wrong here because they *did* obtain data that way.

        You should be implying that the fact that Skyhigh got in, indicates the user in question are idiots for at least expecting security on a medium that doesn't promise it..

  2. Anonymous Coward
    Anonymous Coward

    Use the password as the name of the file, problem solved.

    1. Seajay#

      Yep, there will be plenty of false negatives from people doing minor obfuscation of their password file. There will also be false positives. There's nothing wrong with storing a "Password policy.doc" but it sounds like that would be flagged up as a password file.

  3. trickie
    Facepalm

    BS!

    I call BS. There isn't one word in their report about how they got their "estimate". Saying "is based on real life data from more than 600 enterprises and 27 million users" is meaningless. It's just throwing big numbers around as though that makes the result "better".

    You're not doing your reputation as a news source any favours if all you do is reprint crap like this from advertising agencies without at least thinking about it.

    1. Anonymous Coward
      Anonymous Coward

      Re: BS!

      There are a number of services which corporates can use to scan their cloud usage. It's not that hard to look for lists of names, numbers in credit card format, postcodes, etc.

      I'm not saying that these have been hired by corporates but its not that far-fetched.

      1. Triggerfish

        Re: BS!

        But, what, why, why would I want some outside agency to scan my drives / storage for intersting stuff to help them out in their sales pitch?

        1. DougMac

          Re: BS!

          Because some industries have regulations that require such things for servers and such, and the IT crowd likes it enough to extend it enterprise wide?

          I've seen plenty of reports of scans of this nature.

        2. Duffaboy

          Re: BS!

          Hear Hear

    2. chivo243 Silver badge

      Re: BS!

      Fiction or not, just don't use the word password in the file name. I doubt I would be using the password as the file name...

      1. VinceH

        Re: BS!

        "Fiction or not,"

        Others have pointed out that they offer nothing to back up their assertions. However, there are people out there who do store simple password files in cloud services. I know of one, for example, who uses a Google Docs spreadsheet.

        "just don't use the word password in the file name. I doubt I would be using the password as the file name..."

        And the person I speak of did just that. Until I expressed alarm at the very idea of storing an unencrypted password file in the cloud - at which point, he changed the file name. That'll make it perfectly safe, I'm sure. :/

    3. Doctor Syntax Silver badge

      Re: BS!

      'I call BS. There isn't one word in their report about how they got their "estimate".'

      Let's see now.... Google Skyhigh Networks.... Hmm, there's their web-site, click on it, scroll down till we find out what they do for a living... Hey, they act as security consultants for corporates, checking both shadow IT and official IT. You know something? They might just be in a position to discover what they say.

      1. Ken Hagan Gold badge

        Re: BS!

        You know something? They might just be in a position to benefit from what they say.

        1. Doctor Syntax Silver badge

          Re: BS!

          "They might just be in a position to benefit from what they say."

          Of course.

    4. asdf Silver badge

      Re: BS!

      And once again the root of the problem is free news is worth what you pay for it. Don't say but but the ads as ok the news then costs .000001 cents fine. I agree not having a subscription option means its take it or leave and it should be called out when this crap occurs but its easy to see why.

    5. MrDamage
      Facepalm

      based on real life data

      They must have gone through their own account, found the amount of password related muppetry performed by their non-IT staff, and extrapolated from there.

      As for why they don't mention this, would you take a security company seriously that admitted to it?

  4. Dabooka Silver badge

    I'm glad I'm not alone in querying how they know this

    It's not as if they can do a Google Sitesearch on Onedrive: *password* and corporate surveys can't give that level of response either.

  5. Anonymous Coward
    Anonymous Coward

    Have an "intranet" site that people upload random junk too, no end of fun looking to see what kind of confidential stuff people have spaffed in there. Password sheets are pretty common.

  6. Aristotles slow and dimwitted horse Silver badge

    My thoughts entirely...

    How did they get this, ahem... data? Presumably all of the Microsoft cloud customers gave their permission for them to go snooping around?

  7. Aodhhan

    This study says what?

    So, for some stupid reason... the number of files containing sensitive information is higher on one drive than it is on the typical corporate network? In this case.. a lot higher.

    We didn't hit anywhere close to 18% on our first run through using DLP on: personal folders, personnel folders, application storage or databases. So these figures seem a bit high to me. I just called a few people and asked them what they think, and they're inline with me.

    To provide a minimal fair sample, you'd need to study 100-200 companies using one drive for accurate figures. I'm thinking the companies who would allow this study to take place on their systems likely don't think security first; skewing the results. Please don't say people used some sort of survey. Surveys aren't accurate for technical information like this due to interpretation for one thing.

    The blog you're getting this information from isn't even concentrating on security. It talks about the increased use of Office365. Even then it only provides figures, and doesn't provide any informative proof to back it up. Doesn't provide what type of study was done, how it was conducted and participants. Nothing for us to go... "hmmm".

    1. Doctor Syntax Silver badge

      Re: This study says what?

      "I'm thinking the companies who would allow this study to take place on their systems likely don't think security first; skewing the results."

      A minimal amount of research - if you could go as far as calling a quick Google and looking at their website research - shows that they're security consultants who do such scanning on clients' cloud use to look for this sort of thing. So companies who call them in are actually being security conscious* and the skew might be in the opposite direction to what you thought.

      *Or maybe not if they're using someone else's computer.

  8. James 51 Silver badge

    I wish we could rip One Drive totally out of Windows or at least completely lock it down so that it's totally inaccessible. I don't want it on my PC because MS keep trying to set it to the default location to save files. Thought I'd somehow deleted a bunch of photos which I just uploaded onto my PC but they'd been 'synced' onto One Drive and deleted locally. Then I noticed it was doing the same thing to documents. Did everything thing I could including regedit but have only maimed rather than killed it.

    1. captain veg

      If you must use Windows, do the sensible thing and upgrade to 7. No OneDrive integration there.

      -A.

      1. James 51 Silver badge

        My main machine is Windows 7 but it managed to commit suicide somehow, I suspect it was something to do with Windows 10. Had disabled all the Windows 10 download patches but I can't recover using my Windows 7 media because it detects a newer version of Windows and refuses to budge.

    2. Triggerfish

      I have to say one drive for business is shite, and an administration nightmare.

      1. joed

        I can confirm it's the same (crap) from end user support angle (until they've just given up on it).

        BTW, if someone shared their file with you you can share it with others. A gossip feature?

        Also, while it's easy to see files shared with you, it's much more difficult to find/manage all files you've shared from one central point. Because this would make too much sense.

    3. Ken Hagan Gold badge

      Surely if there is no Microsoft account then One Drive refuses to store anything? Certainly on my PCs, One Drive just sulks in a corner, complaining occasionally that it can't do anything because I haven't molly-coddled it enough.

      1. Geoffrey W Silver badge

        @Ken Hagan

        Hah. I like the idea of sulky software very much indeed. I'll have to see if I can't build some sulkiness into my software without annoying my users, too much...

      2. DiViDeD Silver badge

        @ Ken Hagan

        It gets better than that. When you shut down OneDrive, it gives a little gasp and throws up a little dialog saying "Are you SURE you want to shut me down? You won't be able to sync with your cloud data, or anything!"

        The fact that I don't have a Microsoft account (well, an MSDN account, but don't tell Windows 10) doesn't seem to stop or even slow down its whining panic.

        I love it

  9. Geoffrey W Silver badge

    How did they get their data?

    They have three clients, to the systems of which they have access. At "Idiots Are Us" it was discovered they were storing lots of text files called Passwords.txt on OneDrive. At "MEH.COM" only a couple of such files where found. At "Smarty-Pants Inc" no such files were found.

    They averaged this sample data and extrapolated it to the whole of the Corporate universe.

    Probably.

  10. Anonymous Coward
    Anonymous Coward

    You are all assuming all these password files are real and not decoys. I have fake passwords on sticky notes on my monitor just to annoy anyone who steals them. I assume fake password spreadsheets could serve a similar purpose.

  11. Captain Scarlet Silver badge

    I missed a fad obviously

    To keep up with the fad I have saved a blank excel spread sheet called passwords.xlsx and saved it to OneDrive (Yay its actually being used for something now we are probably being overcharged for)

  12. Dr Patrick J R Harkin

    The solution is obvious.

    There are characters which you can't have in a file name. Just add "p", "s", "w", "r" and "d" and

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019