Our startup has something like 100 usernames and passwords to keep track of, and we can't keep track of all of them. Would putting all of them in a Google spreadsheet shared amongst ourselves be a bad idea? It feels like a security problem, but I can't articulate why I think that.
Note that we have around 3 people in our organization, and this is only for accounts that more than one person might log into. We don't share email passwords with each other. – Dec 24 '11 at 19:58
Could you not reset the passwords if you forget? If all accounts are not critical (such as a YouTube account for demos) it shouldn't be terrible to do this. – May 20 '12 at 08:39
Possible duplicate of [Storing passwords in access-restricted Google spreadsheets?](http://security.stackexchange.com/questions/142546/storing-passwords-in-access-restricted-google-spreadsheets) – Ben Nov 29 '16 at 15:38
6 Answers
Without wanting to pick on Google, you should read the article by James Fallows in the November Atlantic Monthly. In brief, Fallows's wife's GMail account was compromised by a scammer. The scammer used her mailing list and old emails to generate a "Help, I've been mugged in foreign city and need money!" scam. On top of that, the miscreant deleted all of her documents and old email before she regained control of the account.
Consider: your shared document is no more secure than the Google account of your most careless team member. While Google's security may be generally better than yours in theory, it's also a more prominent target, and can easily be undermined by carelessness on the part of a user.
You may incorporate the Google cloud into your infrastructure, but you can't just assume that Google is going to take on all the responsibility for your security. Nobody will care about your data as much as you do.
+1 for the shared document being free and accessible for the one user that decides for example "password1" is "good enough and easy to remember". And all you have to do is find that one user which, from a recent report on password analysis, is only too common. – Dec 24 '11 at 21:03
Use a secure password management system. They are easy to set up and fairly inexpensive.
Here's one I've had recommended to me by a colleague: http://www.thycotic.com/
And yes, putting all your passwords into a shared spreadsheet is a bad idea for at least 2 reasons:
The obvious reason (security). One mistake (e.g. you fat-finger an email address or accidentally attach the wrong file to an email) and you have to change every password. Or if your network is compromised, you have to assume that spreadsheet was lost, and now the attacker potentially has all your vendor/partner passwords (or whatever is stored on the list).
The not-so-obvious reason: eventually the spreadsheet will get out of date or multiple copies will exist. This is a problem with document management in every company. Even as a startup, it's never too early to begin planning for how you will share documents from a central location and manage change.
Using a Google spreadsheet would take care of the versioning problem, since it would be in the cloud and shared amongst everyone. I'd also assume that Google's network is more secure than my own network. Nowadays my Gmail account is the key to my life, so if our Google docs got hacked, wouldn't we have this problem anyway, if only to a lesser extent? – Dec 24 '11 at 18:33
@dvcolgan - Google is a great answer to the versioning problem for a small business. In my opinion it's still a security hole for the simple reason that every time someone opens that document, they have access to all your passwords. Let's say you make a new hire for your startup like a secretary who needs only a few of those passwords. Do you give them access to the whole list? What if someone leaves the company (especially on bad terms)? You still need to change passwords when someone leaves, but it's much better if they can't download a copy of the whole list. – Dec 24 '11 at 18:36
@dvcolgan - This may not be a problem you need to solve right this minute, but at least keep it in mind for the future. – Dec 24 '11 at 18:37
Wait -- you are thinking of sharing amongst yourselves the list of all your usernames and passwords? That's not just a spectacularly bad idea, that's a monumentally bad idea, regardless of whether you store it as a Google spreadsheet or on post-it notes!
And, of course, a google spreadsheet has the additional disadvantage of being publishable to the entire planet with a couple of clicks.
The rule about passwords should be: "Your password is very strictly personal. If we find out that someone other than you knows your password, you are both fired."
I'm more thinking of accounts that more than one person would need to access. We keep going around having to ask, "What was the login for this web service?" Like our single login to a market research app, or the login for various WordPress blogs we run. We definitely don't share email passwords. Also, our organization has 3 people in it, so this would definitely be a small-scale solution. – Dec 24 '11 at 19:56
Okay, I am glad to hear this. Still, they should be distributed on a need-to-know basis, and preferably not on a medium on which they will be publishable to the world with 2 clicks. As a matter of fact, the medium should be chosen so that someone who leaves the company will not have access to it anymore. – Dec 24 '11 at 19:59
I completely agree with MikeNakis. Do not share your users & passwords with everybody, including the cat and the dog. You don't know when someone is going to use your sensitive information for a bad purpose. – May 19 '12 at 17:08
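The two answers above make the same practical point from different angles: a shared sheet gives every reader every password, while credentials should be handed out on a need-to-know basis on a medium that a leaver stops having access to, and you still rotate what the leaver could read. The following is an added example, not code from the original page or from any product mentioned in the thread, showing that access structure in the smallest form that runs offline. It assumes a constructed team (ada, ben, cy), constructed credentials, personal keys derived from each person's own passphrase with hashlib.scrypt, and, because the standard library has no AEAD, an HMAC-SHA256 counter-mode stream cipher with an encrypt-then-MAC tag as a stand-in for a library AES-GCM or ChaCha20-Poly1305 call.

```python
"""Need-to-know credential store: one random key per entry, wrapped separately
for each person allowed to read that entry. Added example; the team members,
passphrases and credentials below are constructed for the demo."""
import hashlib
import hmac
import os
import secrets

# Assumption: stdlib only, so "encrypt" is HMAC-SHA256 in counter mode used as
# a stream cipher plus an encrypt-then-MAC tag over nonce||ciphertext. In real
# code call a vetted AEAD (AES-GCM / ChaCha20-Poly1305) from a library instead.
NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Distinct encryption and MAC keys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for offset in range(0, length, 32):                  # one HMAC block per 32 bytes
        block_index = (offset // 32).to_bytes(4, "big")
        out += hmac.new(enc_key, nonce + block_index, hashlib.sha256).digest()
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated entry")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):           # wrong key or tampering: no plaintext
        raise ValueError("wrong key or tampered entry")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def person_key(passphrase: str, salt: bytes) -> bytes:
    # Each person's key is derived from a passphrase only they know; the stored
    # vault never contains it, so a leaked vault file alone reveals nothing.
    return hashlib.scrypt(passphrase.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


class Vault:
    """entries[name] = {"blob": encrypted "username\\npassword",
                        "wrapped": {person: entry key encrypted under that person's key}}"""

    def __init__(self) -> None:
        self.entries: dict = {}

    def add(self, name: str, username: str, password: str, readers: dict) -> None:
        # readers maps person -> personal key; only those people get a wrapped copy.
        entry_key = secrets.token_bytes(32)
        blob = encrypt(entry_key, f"{username}\n{password}".encode())
        wrapped = {person: encrypt(pkey, entry_key) for person, pkey in readers.items()}
        self.entries[name] = {"blob": blob, "wrapped": wrapped}

    def read(self, name: str, person: str, pkey: bytes) -> tuple:
        entry = self.entries[name]
        if person not in entry["wrapped"]:
            raise PermissionError(f"{person} is not a reader of {name}")
        entry_key = decrypt(pkey, entry["wrapped"][person])
        username, password = decrypt(entry_key, entry["blob"]).decode().split("\n", 1)
        return username, password

    def visible_to(self, person: str) -> list:
        # What this person could ever get at: their blast radius, not the whole list.
        return sorted(n for n, e in self.entries.items() if person in e["wrapped"])

    def offboard(self, person: str) -> list:
        """Remove the person from every entry and return the entries they could
        read. Those passwords still have to be changed at the service (the leaver
        may have memorised or copied them) and then re-added with add()."""
        exposed = [n for n, e in self.entries.items() if e["wrapped"].pop(person, None)]
        return sorted(exposed)


if __name__ == "__main__":
    # Constructed team and credentials for the demo.
    team = {p: person_key(f"{p} passphrase", os.urandom(16)) for p in ("ada", "ben", "cy")}
    vault = Vault()
    vault.add("market-research-app", "team@example.com", "constructed-pw-1",
              {"ada": team["ada"], "ben": team["ben"]})
    vault.add("blog-wordpress", "admin", "constructed-pw-2", team)
    print(vault.read("blog-wordpress", "cy", team["cy"]))
    print("cy can see:", vault.visible_to("cy"))        # not the market research login
    print("rotate after ben leaves:", vault.offboard("ben"))
```

Because the standard library has no public-key primitives, `add()` needs every reader's personal key at the time the entry is written; a tool built on public keys (or any of the password managers recommended in this thread) lets anyone wrap an entry for a colleague without holding that colleague's secret. The rest carries over unchanged: readers per entry instead of per document, and off-boarding that tells you exactly which service passwords to change rather than all hundred.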
In a targeted attack, an unprotected list of users and passwords is one of the first things scanned for. Once you have that, you have the keys to the kingdom.
The next thing in line is to look for an organizational chart to find which user names would be most likely to have access to the data you wish to steal.
If this is for access to infrastructure like routers and servers, it's particularly useful if the admin accounts have access to any files you wish to read, unencumbered by user account permissions.
Keep this stuff under lock and key, even if it's something as simple as Roboform's encrypted notes. Don't ever even think of sending this file anywhere else into the outside world, you have no idea as to where it will get sent or who it will be shared with.
In your scenario as a shared Google spreadsheet, you have no idea who will share it out. Your security model needs to be rethunk as you really have no security when you're sharing passwords like this. Quis custodiet ipsos custodes?
I have a colleague who consulted for a company that was doing something this colossally dumb - same thing, with bank passwords.
You want something like http://enterprise.lastpass.com/ ! (I'm just a happy (non-enterprise) customer.)
With that, NONE of your staff need direct access to the passwords to use them. < sic >
It depends on your required level of security.
If you are an intelligence agency, a police force or a health service holding confidential details of millions of people, a Google spreadsheet is completely unacceptable.
In that case the data should be in an Excel spreadsheet on a USB key that is left on a train.
(In the US, where the left-on-a-train loophole has been effectively blocked, it should be left in a cab.)