Detecting Plaintext Passwords in Google Drive

Mathieu Marcotte
Published in poka-techblog
Oct 29, 2018

TL;DR

There is a risk that people store their passwords in an Excel file or something similar in Google Drive. This behaviour is insecure. We have added alerts that detect it. The alerts have some limitations, but we had some success with them and have been able to educate employees on how to securely manage their passwords.

The Problem

Several companies have suffered serious breaches simply because they stored their passwords in plaintext. Just look at Sony: they stored multiple passwords in plaintext, and even had a folder on a computer named Password.

It did not end well.

Most of you reading this blog know that keeping passwords in plaintext inside a Word, Excel or similar file is insecure. Those passwords are not hashed and salted, they may be accidentally shared with others, and so on. And if people use a cloud storage service like Dropbox, Google Drive or similar, their passwords will be synced to their computer as well. The real solution is to use a password manager (and 2FA!).

So guess what? We want to prevent that!

At Poka, all employees are expected to use a password manager and are continuously trained on security (including passwords). But for some, password managers might be frightening or they may find it too cumbersome to use. Whatever the reasons, some may still decide to manage their passwords in an Excel file or something else.

We use Google Drive extensively, so it is quite possible that some employees manage their passwords in it.

The Solution

In G Suite, you can create customizable alerts for detecting user behaviour. This will be the basis for detecting files that might contain passwords.

Let’s look at how we can do that!

How to create an alert

1. Go to the Google Admin page and open Reports.

2. Open the Drive section under Audit.

3. Select Create under Event name and enter “password” under Item name. That way, every time a file whose name contains the word “password” is created in Google Drive, this alert will trigger. Then, click on Set Alert.

4. Enter your Alert name, add a Recipient to the alert and save it (the email address must be inside your domain).

I recommend not tying it to a person’s email address; it’s preferable to use a general purpose email address like security@yourdomain.com or alerts@yourdomain.com.

5. Repeat steps 3 and 4, but this time with “Edit” and “Upload” as the Event name. An alert will then also be sent if an existing file has been edited (e.g. a new password has been added to an existing file) or if a file has been uploaded.

6. Repeat steps 3 to 5, but now with a different item name, such as “credential” or any other word that could indicate a file containing passwords. Also, if you work in a multilingual company (like us!), it is a good idea to add item names in the other languages.
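The rule the six steps above configure, written out as an added Python example (not the post's or Google's code) so the matching, the multilingual keywords and the false positives from the Limitations section can be reasoned about offline. The audit events, the allowlist and the non-English keywords are constructed for the example; they are not Google's API shape.

```python
from dataclasses import dataclass

# "Item name" filters from steps 3 and 6; the French and German
# entries are assumed examples for a multilingual company.
KEYWORDS = ["password", "credential", "mot de passe", "passwort"]

# Event names the post alerts on (steps 3 and 5), lower-cased.
ALERT_EVENTS = {"create", "edit", "upload"}

# Known legitimate titles the team accepted as false positives
# (constructed); compared case-insensitively on the whole title.
ALLOWLIST = {"password policy", "saas password reset process"}


@dataclass
class DriveEvent:
    """Minimal constructed view of one Drive audit event."""
    actor: str
    event_name: str
    doc_title: str


def should_alert(event: DriveEvent) -> bool:
    """Event type in scope AND title contains a keyword, minus allowlisted titles."""
    if event.event_name.lower() not in ALERT_EVENTS:
        return False
    title = event.doc_title.strip().lower()
    if title in ALLOWLIST:
        return False
    return any(keyword in title for keyword in KEYWORDS)


def triage(events):
    """(actor, title) pairs that would page the security mailbox, de-duplicated
    so one user repeatedly editing the same file produces a single alert."""
    hits = []
    for event in events:
        key = (event.actor, event.doc_title)
        if should_alert(event) and key not in hits:
            hits.append(key)
    return hits


# Constructed sample events: a real sheet of passwords, a legitimate
# policy document, a view (not in scope), a French title, and noise.
SAMPLE_EVENTS = [
    DriveEvent("alice@example.com", "create", "Passwords.xlsx"),
    DriveEvent("bob@example.com", "edit", "Password Policy"),
    DriveEvent("carol@example.com", "view", "Team credentials"),
    DriveEvent("dave@example.com", "upload", "Mot de passe serveurs.docx"),
    DriveEvent("alice@example.com", "edit", "Passwords.xlsx"),
    DriveEvent("erin@example.com", "create", "Q4 budget.xlsx"),
]
```

Note that the view event on "Team credentials" is silent, which is exactly the first limitation below: only create, edit and upload with a matching file name are seen.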

The Results

Alerts should look like this when you receive them:

At Poka, we actually went the extra mile and forward the alert email to our incident management system (OpsGenie). We now receive a message in Slack in our #incident-security channel.

If you ever receive an alert, remember not to blame anyone. Take the moment to explain why passwords should not be managed this way, and show them how to use a password manager.

In our case, we were able to detect that some passwords were managed that way, and we were able to take action.

Limitations

Unfortunately, this solution has some limitations ¯\_(ツ)_/¯

  • Obviously, the file name must contain one of the configured words to be detected.
  • In our case, we had some false positives for legitimate files (e.g. Password policy, process for resetting the password in our SaaS). Fortunately, those cases are rare.
  • This only works for files stored in Google Drive, not for files stored on a computer or passwords stored in an application (note-taking app, Airtable, Trello…). For files on a computer, though, we could look into osquery.

Have fun!
