Why You Should Never Store Credentials in Plain Text

Storing credentials in plain text, whether in Excel spreadsheets, Word documents, or text files, is one of the riskiest practices a business can adopt. Yet many organizations do this. I consistently find password files sitting in file shares or SharePoint sites, often labeled something as obvious as “passwords.xlsx.” While this might seem harmless if access is restricted to certain people, the reality is that plain text storage leaves your organization wide open to both insider threats and external attacks.

If you’re still storing credentials this way, it’s time to stop. Here’s why:

The Risks of Storing Credentials in Plain Text

When passwords are stored in plain text, they’re completely unprotected. Anyone with access to the file can open it and see everything without any barriers. Even if you think only “necessary people” have access, there are several ways this practice can backfire:

  1. No Encryption: Plain text files don’t have encryption, meaning passwords are exposed as-is. If someone gains access to the file—whether through a phishing attack, malware, or even an accidental share—those credentials are immediately compromised.
  2. Indexing Makes It Worse: Tools like Windows Search or SharePoint indexing make it easy for anyone to find these files by searching for terms like “password.” Attackers know this and will exploit it during breaches or insider attacks.
  3. Human Error: Even trusted employees can accidentally share a file or sync it to an unsecured location like a personal cloud drive or USB stick. Once that happens, you lose control over where those credentials go.
  4. Insider Threats: Not all risks come from external attackers. An employee with malicious intent could use those exposed credentials to access sensitive systems or sell them to bad actors.
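A defender can run the same kind of search before an attacker does. The following is an added example, not code from the original post: a Python hygiene scan that walks a constructed sample share, flags files whose names contain keywords such as “password” or “credential”, and flags text files whose lines look like `password = ...` assignments. All paths, names and file contents in it are constructed for the demonstration.

```python
"""Hygiene scan for plain-text credential files on a file share (added example)."""
import re
import tempfile
from pathlib import Path

# Filename keywords that Windows Search, SharePoint indexing (and attackers) key on.
NAME_PATTERN = re.compile(r"(password|passwd|pwd|credential|creds|login)s?", re.IGNORECASE)
# Content pattern for lines such as "password: hunter2" or "pwd=...", checked only in text files.
CONTENT_PATTERN = re.compile(r"\b(password|passwd|pwd)\b\s*[:=]\s*\S+", re.IGNORECASE)
TEXT_SUFFIXES = {".txt", ".csv", ".ini", ".cfg", ".conf", ".md", ".json", ".xml", ".yml", ".yaml"}


def scan_share(root):
    """Return a sorted list of (relative_path, reason) for files that look like credential stores."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if NAME_PATTERN.search(path.name):
            findings.append((rel, "suspicious filename"))
        if path.suffix.lower() in TEXT_SUFFIXES:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            hits = sum(1 for line in text.splitlines() if CONTENT_PATTERN.search(line))
            if hits:
                findings.append((rel, f"{hits} credential-like line(s)"))
    return sorted(findings)


def build_sample_share():
    """Create a constructed sample share in a temp directory (no real data)."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "Finance").mkdir()
    # Binary placeholder: flagged by name only, since .xlsx is not inspected as text.
    (root / "Finance" / "passwords.xlsx").write_bytes(b"PK\x03\x04 constructed placeholder")
    (root / "IT").mkdir()
    # Innocent filename, but the content carries a credential assignment.
    (root / "IT" / "switch-config.txt").write_text("hostname core1\nenable password = S3cret!\n")
    (root / "IT" / "readme.txt").write_text("No secrets here.\n")
    return root


if __name__ == "__main__":
    for rel_path, reason in scan_share(build_sample_share()):
        print(f"{rel_path}: {reason}")
```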

Now imagine this scenario gets worse: users unknowingly create public Microsoft 365 Groups or Teams and share sensitive documents there. Many don’t realize that files shared in public Groups are accessible to everyone in the organization or even external users if sharing settings aren’t properly configured. If password files were stored here, they’d be exposed to far more people than intended, creating a massive security vulnerability. This combination of poor credential storage and careless sharing practices can lead to catastrophic data leaks and unauthorized access across your environment.

The Case for Password Managers

Password managers help mitigate these problems by securely storing credentials in encrypted vaults designed specifically for this purpose. They offer:

  • Encryption: Passwords are stored securely so no one can read them without proper authentication.
  • Access Control: You can restrict access so only authorized users see specific credentials—and no one else.
  • Audit Trails: Enterprise-grade password managers log who accessed which credentials and when, adding accountability and transparency.
  • Password Generation: They create strong, unique passwords for every account so you’re not reusing weak ones across systems.
  • Autofill Capabilities: Many password managers offer autofill, which makes them easy to use.

How This Affects Compliance

Let’s say your organization has to follow a certain compliance framework. Storing credentials in plain text may violate specific controls. For example, in NIST 800-171, control 3.13.11 states: “Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.” If any of the passwords stored in a plain text file are used to gain access to CUI, then that storage is not compliant. These passwords should be stored in a password manager that uses FIPS-validated cryptography, such as Keeper Password Manager.

By using a password manager, you eliminate the need for unsecured files entirely while improving security, compliance, and efficiency.
