Client storing customers' passwords in plain text
  1. #1

    Still gathering requirements...


    Join Date
    May 2016
    Posts
    70

Client storing customers' passwords in plain text

Ok so I’ve recently started working for a new client which is an SMB consultancy and it turns out they have a public folder structure with each of their clients' config in, including their usernames and passwords for domain admin accounts.

    This is a huge security issue in my opinion but the consensus I get from the other guys who work there is yes we know but management won’t pay for a proper password management tool.

    Surely there is some legislation or laws they are breaking doing this?? Anyone got any experience regarding GDPR or similar that can shed any light on this?

    I’m not interested to grass them up, more so I educate them and give them actual hard facts as to why this is a major no no

    Cheers all
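As an added example (not code from any poster in this thread), a small read-only audit script of the kind you could run against such a share to produce the "hard facts" the original post asks for: it walks the folder tree, counts config lines that store a password, and reports where they are while redacting the values so the report itself does not become another leak. The share layout, the key names it looks for and the config contents are constructed sample data, not the client's real files.

```python
import re
import tempfile
from pathlib import Path

# Key names that commonly carry secrets in client config files (assumed list).
SECRET_KEY = re.compile(
    r"^\s*(?P<key>pass(word|wd)?|pwd|secret|admin_password)\s*[=:]\s*(?P<val>\S.*)$",
    re.IGNORECASE,
)
CONFIG_SUFFIXES = {".ini", ".cfg", ".conf", ".txt", ".yaml", ".yml", ".env"}


def redact(value: str) -> str:
    """Report only the length of a secret so the audit output cannot leak it."""
    return f"<{len(value)} chars>"


def scan_tree(root: str) -> list[dict]:
    """Walk root and return one finding per config line that stores a password."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in CONFIG_SUFFIXES:
            continue
        try:
            lines = path.read_text(errors="replace").splitlines()
        except OSError:
            continue  # unreadable file: skip, the scan is read-only and best effort
        for lineno, line in enumerate(lines, 1):
            m = SECRET_KEY.match(line)
            if m and m.group("val").strip():
                findings.append({"file": str(path.relative_to(root)), "line": lineno,
                                 "key": m.group("key"), "value": redact(m.group("val").strip())})
    return findings


def build_sample_share() -> str:
    """Constructed sample share: one folder per client, one clean and one with creds."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "ClientA").mkdir()
    (root / "ClientA" / "domain.ini").write_text(
        "domain=clienta.local\nadmin_user=Administrator\npassword=Example123!\n")
    (root / "ClientB").mkdir()
    (root / "ClientB" / "notes.txt").write_text("no credentials here\n")
    (root / "ClientB" / "backup.conf").write_text("host=bk01\nPWD: S3cretValue\n")
    return str(root)


if __name__ == "__main__":
    for f in scan_tree(build_sample_share()):
        print(f"{f['file']}:{f['line']} {f['key']} = {f['value']}")
```

On a real share, point scan_tree at the root of the client folders and hand management the count and file list rather than the contents.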

  2. #2

    Double Godlike!


    Join Date
    Sep 2014
    Location
    Work-life balance nirvana
    Posts
    10,106


    Sounds like it has more to do with operational risk than GDPR. Leaving yourself open to a data breach because data isn't encrypted is different to incorrect data retention policies. If those account details are needed, then as per GDPR, they don't need to be removed.

    Raise it with their information security bod.
    The greatest trick the devil ever pulled was convincing the world that he didn't exist

  3. #3

    Contractor Among Contractors


    Join Date
    May 2018
    Posts
    1,500


Quote Originally Posted by LondonManc:
    Raise it with their information security bod.
    Anonymously!

    If this thread was in general I would ask about the best way of blackmailing the company.....

  4. #4

    Still gathering requirements...


    Join Date
    May 2016
    Posts
    70


Quote Originally Posted by LondonManc:
Raise it with their information security bod.

They don’t have an information security bod, which I think is part of the problem. What’s laughable is they are a FTSE 350 public limited company.

  5. #5

    My post count is Majestic

northernladuk
    Join Date
    Mar 2009
    Posts
    38,861


Quote Originally Posted by SouthernManc78:
They don’t have an information security bod, which I think is part of the problem. What’s laughable is they are a FTSE 350 public limited company.

    Not your problem then. Don't get involved I'd say.

I once pointed out to a client that their highly sensitive CRM, which was administered by IBM, didn't have a change password on first log in, nor did it have an expiration policy. They also created all users with something akin to w3lcome (obviously not that one but you get my point) as standard.

    Pulled the contract and it stipulated that change on log in, expiration was in the requirements and it specifically mentioned unique random passwords for new users or resets.

Oddly enough I became the centre of a right tulipstorm. Wished at the time I'd just kept quiet.
    Last edited by northernladuk; 1st February 2019 at 13:17.
    'CUK forum personality of 2011 - Winner - Yes really!!!!

  6. #6

    Double Godlike!


    Join Date
    Sep 2014
    Location
    Work-life balance nirvana
    Posts
    10,106


Quote Originally Posted by northernladuk:
    Not your problem then. Don't get involved I'd say.

I once pointed out to a client that their highly sensitive CRM, which was administered by IBM, didn't have a change password on first log in, nor did it have an expiration policy. They also created all users with something akin to w3lcome (obviously not that one but you get my point) as standard.

    Pulled the contract and it stipulated that change on log in, expiration was in the requirements and it specifically mentioned unique random passwords for new users or resets.

Oddly enough I became the centre of a right tulipstorm. Wished at the time I'd just kept quiet.

Odd, I could never imagine you causing a tulipstorm at work.
    The greatest trick the devil ever pulled was convincing the world that he didn't exist

  7. #7

    Nice But Dim

DaveB
    Join Date
    Oct 2005
    Posts
    19,742


Quote Originally Posted by SouthernManc78:
Ok so I’ve recently started working for a new client which is an SMB consultancy and it turns out they have a public folder structure with each of their clients' config in, including their usernames and passwords for domain admin accounts.

    This is a huge security issue in my opinion but the consensus I get from the other guys who work there is yes we know but management won’t pay for a proper password management tool.

    Surely there is some legislation or laws they are breaking doing this?? Anyone got any experience regarding GDPR or similar that can shed any light on this?

    I’m not interested to grass them up, more so I educate them and give them actual hard facts as to why this is a major no no

    Cheers all

If the accounts are generic Administrator accounts and don't use identifiable names, and the config data doesn't contain any information that would allow you to identify an individual, then there is no GDPR / Data Protection issue.

It is a general security issue but from that point of view it's a business risk for them to accept or do something about. They may be relying on robust boundary controls at the perimeter and access restrictions on the folders so that only known and identified individuals can access them. Not ideal, but also not unusual.

GDPR may come into it if the admin credentials gave access to systems containing personal data relating to identifiable individuals; however, the legislation doesn't specify the controls, technical or procedural, required, only that they be "appropriate".

    The liability will be in the contracts they have with their clients to manage and maintain their systems. If the client suffers a loss as a result of this then the contract is where that liability will be defined.
    Last edited by DaveB; 1st February 2019 at 14:29.
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.

  8. #8

    Super poster

Lance
    Join Date
    Sep 2013
    Location
    home
    Posts
    3,603


Won't pay? Or haven't looked at what's available?

    Pricing Details - Key Vault | Microsoft Azure

    Storing passwords at a huge cost of €0.026 for every 10,000 transactions.
    So basically free.

    Also FTSE-350 isn't really an SMB is it?
    See You Next Tuesday

  9. #9

    More time posting than coding


    Join Date
    Apr 2015
    Posts
    217


Hashing passwords doesn't require a 'proper password management tool', and basic security measures aren't optional extras; they should have been costed in at the start. I'd just make sure you have a lot of evidence that you have raised it and leave it at that. If you raise it with infosec now it'll be pretty obvious who it was.

  10. #10

    Should post faster


    Join Date
    Oct 2017
    Posts
    121


I'd suggest KeePass or similar for password management (GNU license). It's not completely ideal (as it's a shared encrypted password database(s) with a single passphrase to access the whole vault of passwords), but it sounds a hell of a lot better than what you've got in place. And it's easy to set up: it's online freeware and IIRC doesn't even require a local admin account to install and use.

    As the password vault is stored in a single file, it'd be easily stored on a file share for team use (or in a cloud storage account).

    I've experienced KeePass being used on most customer accounts (one KeePass database per customer) at one of the big name FTSE100 outsourcers, so if it's good enough for them, your FTSE350 client should consider it.
    Last edited by man; 1st February 2019 at 15:11. Reason: More details
