Why Storing Passwords in Excel is Risky Business

More than 30 years ago, the humble digital spreadsheet transformed the world of business.

Accountants could say goodbye to sprawling paper documents taped together. Their clients could say goodbye to slow (and expensive) recalculations whenever a change needed to be made.

Suddenly, every business could get a detailed picture of how they were doing – then experiment with changes to make more informed commercial decisions. There’s no overstating it: the software spreadsheet changed everything.

For business, it’s a game-changing tool.

But for storing and sharing your passwords, it’s absolutely useless.

Excel isn’t secure enough for passwords

The majority of businesses still use old and outdated versions of Microsoft Excel. Unfortunately, any version before 2013 comes with worryingly weak encryption – the type that could be cracked open in just a few minutes using tools that are freely available online.

Since Microsoft Excel 2013, encryption has become more robust with much-improved salting and hashing. However, encryption is just one aspect of what constitutes good security.

First, Excel files are easily transportable. Anyone with access to the file can move it to a USB drive, send it via email, or share it in the cloud. In many cases, they can even switch off encryption once they have entered the appropriate password just once. Even Data Loss Prevention (DLP) solutions can’t help, since they’re unable to determine that your ‘.xls’ file contains passwords.

Second, user authentication in Excel is weak. With no two-factor authentication, spreadsheets are inherently vulnerable in a way that’s just not good enough for your most confidential passwords.

Excel doesn’t give you visibility

Sharing privileged account passwords is often essential for day-to-day operations – and it’s not inherently bad. However, allowing multiple users to work with the same accounts shouldn’t mean compromising on visibility.

When a user opens an Excel file, there’s just no way to know which password they are using at a given time. If you find accounts have been misused, Excel can’t help you.

Equally, Excel doesn’t allow you to track who creates passwords or changes them. While some organisations attempt to use Microsoft’s ‘Track Changes’ to audit password changes, even the most novice user could probably work out how to change the username that displays next to their alterations.

PAM is a critical aspect of compliance with standards like PCI and GDPR. Excel files just aren’t up to the job of demonstrating that compliance.

Excel PAM is time-consuming and manual

Finally, storing passwords in Excel isn’t just a risk to your security – it’s a risk to your time and money.

Attempting to use a finance and mathematics tool for PAM comes with a huge workload, from updating and rotating passwords to laboriously changing every line in the event of a breach. The only effective approach is a solution built from the ground up for PAM.

Password security specialists Thycotic explain what effective PAM should look like in its recent report, Top Reasons Why Using Excel to Store Privileged Credential Passwords Creates Needless Risk.

It’s a quick, simple guide to the weaknesses of Excel-based password management – and the ways the right solution can help keep your credentials safe.

Written by