How secure is storing passwords in plaintext on a spreadsheet, specifically for someone without physical access to the computer?

[Sprinkles276381Member]

Hello! My dad does this. He named it something creative in order to hide it amongst the hoards of other spreadsheets on his computer, but I don’t buy that this way is secure enough. If anyone is looking for a document named “passwords” or whatever, they wont find it, but is it easy to comb through the contents of lots of documents looking for passwords? Is this something someone would spend time doing, or would they just move on to a different person?

Also if you could give me pointers on convincing him of changing his ways that would be very helpful.

[z-lf]

The document will show in “recently open”. So… it’s pretty bad.

[spektre]

It’s easy to search for all spreadsheets, dump the strings from them, and then use them in a dictionary attack. It can all be scripted and run from some malware infecting the computer, a real person doesn’t even have to interact with them.

It’s pretty common for people to store passwords in spreadsheets, so it’s not exactly far-fetched for malware to do this.

[skully_kiddo]

I’ll run you through on how I’d do it, so then you can notice how security through obscurity is a really bad idea:

Imagine having direct access to your father’s computer. Through a remote exploit, I’d be limited by internet bandwidth and physically by media transfer rate. Alright, so let’s say it takes two hours to copy your dad’s disk with whichever of these techniques. Doesn’t have to be the entire disk, just document files and applications configuration files.

From that point forward time is my only restriction.

If your father is completely oblivious to the hack, then I have just as much as it’d take for him to change all of those passwords, which could be virtually never.

So after getting that I’d classify the different types of files that he’s got there. Judging by the fact that you said he loves spreadsheets, it’s pretty probable that all juicy information on him would come from there, since that would be the largest amount of files of that type. Images and videos are usually not that useful, so that could be discarded.

So that establishes a basis for the entire search. I would then take all of the spreadsheet rows and column contents, probably the same file with the name of the file as splitter. Passwords wouldn’t probably cross my mind, so I’d star classifying big numbers, those are usually credit cards, ID numbers, etc. Then I’d go for dates, since those are usually in a clear format, that would probably give away tax returns, bills and what not. All of those together could be then stripped from the resulting content, which I’m pretty sure would be the majority, but if that wasn’t the case and it’s just a lot of spreadsheets with jibberish, I’d then do a reverse dictionary account to find stuff that aren’t words, names, numbers and dates, just to make sure passwords aren’t there.

By then I’d have a pretty clear understanding of who you father is, what are his spending behaviors, bank accounts, phone records, emails and of course, his passwords.

TLDR: don’t.

[Unh0lyshot]

Well one reason is that when his computer is infected with malware. Criminals wil search the file system for low hanging fruit like an Excel file with passwords. A password manager like KeePass (free and open source) or like Lastpass (payed but shared between devices) is far more secure.

[Comfortable_Bath_270]

Plus if your dad gets hit with ransomware he loses access to everything he needs in the digital world.

[JVAV00]

I would way to have an offline password manager like keepass. I use keepass2

[Snitches_B_Crazy]

Cybersecurity is just like home security.

Think of your front door. All the lock does is keep honest people honest. If a criminal wants in, they’ll get in. How do you deter? Add layers (alarm, lights, dogs, etc.).

Most cyber criminals (that aren’t nation-state actors involved in cyber espionage) are looking for the low hanging fruit.

So, if he has it buried among tons of other plain text docs, most criminals aren’t going to spend their time perusing a lot of plain text docs. If however he only has two plain text docs, then yeah, this is simply just locking the house and hoping that’ll stop the criminal.

Ideally, a password manager with a 2FA hardware token (e.g. Yubikey) is his best route. Automatically generates complex passwords/passphrases, no password recycling, stores them in one location (usually encrypted for the good ones [i.e. that u pay for, not the free ones]), syncs across multiple devices, and he only needs to remember the one password to get into the manager.

[BrazilianDev]

Why not store in a physical notebook he keeps near the computer? It’s easier to restrict access to people in your house. And of course it’s impossible to hack.

Also, he could keep a copy of that notebook on your house for example.

Technically a burglar would be able to steal all passwords, but it’s pretty rare for a burglar to steal a laptop and than a random notebook, specially if it’s just one notebook amongst many.

[399ddf95]

It’s not the best thing ever but it’s a big improvement over just using the same password everywhere.

The goal should be to get people to a reasonable level of security that they’ll actually use, not to get them so wrapped up in chasing new technology that they can’t do what they wanted to do in the first place.

What if you approach this like showing him something better, rather than telling him his current thing sucks?

Three awesome things about password managers are: they can fill in username/passwords on websites with one click, they help you avoid fake/phishing sites (because they *won’t* autofill if the URL isn’t correct, giving the user a chance to investigate), and they can sync across browsers/computers/phones so all copies stay current.

A *person* is super unlikely to go through every file on his computer looking for interesting stuff. A *person who knows about computers* will make the computer do the searching, and look at the results.

For example, this bit of PowerShell will list every .xlsx file on the computer:

dir -Path C: -Filter *.xlsx -Recurse -ErrorAction SilentlyContinue | %{$_.FullName}

.. unless he’s got hundreds of other spreadsheets, his password spreadsheet probably shows up pretty quickly .. and if I were snooping on somoene’s computer, I’d probably look at the recently read/modified files first ..

[3DMilk]

i download all the shit and grep it for @ and keyword like password. sorry, ineffective.

[typower5000]

How secure is it? 1 out of 10. 10 being the most secure. -14.

Set him up with a password manager.

[davidds0]

i think letting google chrome save his passwords (and also suggest random unrepeatable passwords as well) plus adding 2 factor authentication to his google chrome account, will be a safer solution and more convenient.

[NoAssumption205]

Plaintext is not secure no matter what

[Kessler_the_Guy]

Is it connected to the internet? Then it’s not at all secure. If he’s willing to maintain a password spreadsheet, then really it’s not much more effort to just set him up with a password manager like KeePass.

[maztron]

Security through obscurity is not security. Spreadsheets can be cracked even if password protected. Tell him to get a password manager and be done with it.

[SierraP615]

Once time while reviewing job applicants,I saw one guy accidentally uploaded his password text document instead of his résumé.

[UhOh-Chongo]

A hacker is not going to look for a password document and only take that. They are going to download all your docs and browse through them at their leisure on their own PC.

[KotomiIchinose96]

You could test this.

Make a Google account that doesn’t matter. Just because Google will tell you when there’s a new login. (You’ll probably want to set 2fa on this)
Put this in a spreadsheet with a bunch of other passwords.
Create a bunch of random spreadsheets or just download a bunch.

Leak them somewhere, maybe on here there’d be a bunch of bored nerds with some free time. See if anyone actually tries login into your account.

Problem with this question and some answers you may get is that you don’t actually know what a bunch of hackers will do with files they have no context on unless you give them the chance and here it’s difficult because you’ve given the solution.

Lots of the theories makes sense of dictionary attacks and etc, and looking for strings but it also comes down to the passwords themselves and how they are stored. You could obfuscate a password simply enough in a spreadsheet that would bypass most methods of automation and look innocent enough to avoid manual attempts.

For example let’s say you have let’s say you’re spreadsheet contains usernames in col 1 and col 2 – 255 contains random looking characters.
Now using each character sequentially is only slightly less stupid than having the password stored in col 2. But if you say make a pattern of the the password is something like start on col 3 then go back 1, then forward 3 then repeat. It’s unlikely that the password would be broken without knowledge of the pattern. That being said if you used a macro on the system to pull out the passwords rather than manually getting the password out. Then that knowledge would leak. But this is just a method to make this slightly more secure.

That being said to answer the question. If youre sceptical enough about the storage methods security it’s probably not secure. And for what password managers are and do. They are so much easier, simpler and more secure. There really isn’t much reason to not use them. Even the free versions are good.

Security doesn’t really exist. Nothing is really secure. Things are only inconvenient to access. The point of security is to make it as inconvenient for malicious actors to access as possible. Keeping passwords in plaintext in an unencrypted spreadsheet file is not very inconvenient. Especially not when password managers are orders of magnitude more difficult to crack and much simpler to use.

[KarryLing18]

Dashlane + Double-Blinded Password has worked so far for me.

[mysterytoy2]

You could password protect the spreadsheet.

[SingleDesign6051]

Not very smart. Dont do that. Enable 2FA whenever you can. Or optionally you can use a password manager. If you ever accidentally attract the wrong type of virus and they get free access to your computer, theyll have free reign on all of your accounts if you dont do 2FA and pw manager.

[rolamit]

It’s better than putting it on the cloud, but nowhere near sleep tight at night secure. If his alternative is using the same password everywhere, then I would say he is better off with the spreadsheet of different passwords.

I know someone who simply is not up to the task of using a password manager. For them, a handprinted paper list of passwords, backed up periodically by xeroxing, is the solution.

[cobalt-radiant]

What’s his threat profile? How likely is it that someone will be snooping through his computer looking for a file with passwords?

[Sweet_Wafer_8182]

lol

[LeckerBockwurst]

Let him at least use ms office standard encryption (‘setting a password to the file’), it’s aes-256 and somewhat safe, with a complex password. Not uncrackable, but will cost lots of time and ressources.

[strongest_nerd]

It’s one of the bigger blunders you can do in terms of security.

[1s44c]

Simple, pragmatic, and imperfect solution: tell him to use a password on that spreadsheet.

[grandrelda]

It’s not secure.

[Roanoketrees]

Worst idea ever

[FelipeeSaM]

I think he can store his password in a zip and put a passoword in it.

[Gzmester]

Fill the passwords into a database, encrypt, hash them or something?

havn’t heard of many people that still uses pen & paper.

[mdopoiex1]

I cringe how bad this is

[starboytrek]

Just use Bitwarden 0-0

[tj4sheelee]

don’t know about other os’es… but on macs, the contents are completely searchable… a search on a bank name stored in the spreadsheet would give it away… along with passwords to whatever else the spreadsheet contains…

[splashedwall25]

Just use a little black notebook under the mattress.

[imnotabotareyou]

It’s stupid. He should stop asap.

Bitwarden free option is great. Use that.

[ZETA8384]

He would be better off printing them out and keeping them as a paper copy and deleting the digital copies

[SADAME_AME]

Print out the plain text. Put it in condom. Shove up your ass. Everyday you get one chance to memorize it and use it. Shove back up ass immediately upon use. Repeat this cycle until you remember the password.

[Author]

Posts