cloud
nothing of value or only locally (client side) encrypted stuff belonged there.
Password attic OneLogin has been breached, and it's bad, because the service that suffered the breach is one often used by people to store credentials like admin password and software keys. The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between …
The online credential manager says its Secure Notes facility was breached, allowing the intruder to read in cleartext notes edited between 2 June and 25 August this year.
Well, give yourself a good slap if you use an online password silo without encrypting it yourself first. But mostly, how is it even possible for the service to obtain your notes in plaintext if it's meant to be secure? If the service can read your notes, they're not fucking secure, are they? The hacking is just the cherry on the top, really. This might have been understandable if it was historical data from 2002 or something; but this is how they're doing it this month! Wow.
This kind of system just becomes a high-return target. Compromise one of them and you have the data needed to compromise a lot more easily. They become appealing targets like banks, but at least if someone robs a bank they don't get access to everything else you have - and the bank is accountable.
"Whilst on this topic - what is wrong with a password-protected Excel file placed on a folder with restricted access? So that only IT (sysadmins etc) can view that file, but for normal lusers it is inaccessible?"
In an ideal world - nothing really. However spreadsheets have a habit of wanting their information to be freely available.
I recommend KeePass instead - it's designed for the job.
Sure it'd be a lot better than using a cloud service that doesn't do its job... But:
"what is wrong with a password-protected Excel file"
Check out the number of Excel file crackers that are available. You'd want to use a strong password.
"only IT (sysadmins etc) can view that file"
You lose accountability when there is more than one person who can view the file.
There are trade-offs. Sealing a password in an envelope in a safe is another option.
Just another way to use Excel instead of a proper database.... which at least usually has better access control.
Anyway, it's funny people still fail to understand "shared logins/passwords" are baaaaaaad (and just plainly lazy). Each and every user must have their own login/password pair. It makes accountability clear, it allows for revoking access easily, it allows for more granular permissions (not everybody needs full privileges).
"Disaster recovery" is a different issue. Your boss may want to have a "disaster recovery" account stored safely somewhere in case something happens to each and every authorized person. Still, this disaster recovery account must be one separated from all the others, and never used for everyday use.
"Check out the number of Excel file crackers that are available. You'd want to use a strong password."
- Am aware of this, a strong password is being used.
"You lose accountability when there is more than one person who can view the file."
So it seems the only safe option is a baggie with a numbered seal ~ a sealed baggie for each and every critical system password; if anybody needs access to a certain account and password, it is recorded in a logbook, baggie handed over, seal broken, password retrieved, new password generated, placed in baggie with new seal, and recorded in logbook...
A major schlep, but if you're really strict about security...
"I always keep my passwords safely stored on a post-it note attached to my monitor..."
You joke but actually, provided you evaluate the risks involved for the particular password stored on the PostIt, that could be close to the most secure place for it.
The most secure place is obviously the top drawer on your desk, which is the second place IT look when attending a call where the user has buggered off.
That's a lesson for any company using a solution of this type. Don't use a vendor that doesn't employ full client-side encryption. That way, even the vendor's employees can't see your data.
I've worked for several companies that use more secure alternatives such as Okta, PingIdentity and My1Login.
I repeat, you must use full client-side encryption. You can check for this using debug tools in the browser and see for yourself.