What are plaintext passwords and why are they a bad idea?

Kamile Viezelyte
Cybersecurity Content Writer

In July 2024, the RockYou2024 news broke: the largest compilation of breached passwords in history, consisting of over 10 billion unique credentials, appeared on a forum known among cybercriminal circles. The file, stored in plaintext, contained data retrieved from numerous hacks over the years.

Plaintext files pose a massive risk to data security. But it’s not just files spotted on Tor message boards that contain plaintext documents—many companies rely on them to store their essential information. So, let’s talk about plaintext files and why your business should find an encrypted solution.

What does “plaintext” mean?

Plaintext is not just a cybersecurity term. It refers to any file that can be accessed without an additional layer of protection. Think of a Word document or a spreadsheet that doesn’t require a designated key to open. The term is more specific in cryptography, where plaintext is a message before it is encrypted: readable not only by the intended sender and recipient but by anyone who gets hold of it.

During encryption, an algorithm scrambles the content of the message and turns it into an unintelligible string of characters known as ciphertext. To unlock the ciphertext and turn it back into readable text, you need the corresponding decryption key. Encrypting a plaintext message protects its contents from anyone who does not hold that key.

Businesses and government agencies are increasingly using encryption for internal and external communications, financial operations, and file storage. Encryption also plays a key role in authentication, as it helps confirm a person’s identity without revealing any sensitive information.

The dangers of plaintext passwords

Unfortunately, plaintext documents are still commonplace as the most accessible option for storing passwords and other sensitive work-related information. They’re usually completely free or cost little compared to encryption software. It’s not unusual for employees to share a spreadsheet of frequently used credentials or send passwords over emails—both methods being plaintext.

The downside is easy to notice. If employees don’t need any authentication to see sensitive data, it's just as easy for outside parties—whether authorized or not—to obtain credentials. Such companies become an easy target for cybercriminals who only need to acquire one file to unlock all essential accounts.

It’s not just login details that can be stolen from plaintext files, though. Employee and customer information, ID details, Social Security numbers, banking information—anything stored in plaintext is at risk of being breached. Plaintext files are barely safer than scribbling down a password on a notepad and leaving it on the office kitchen table. It makes for an easy target with a very high reward.

What are the alternatives?

Plaintext data storage can be a serious threat to the safety of organizations. Breaches of easily accessible information can impact all aspects of a business, from employees to customers. It’s imperative to look for alternatives that put data protection first.

We’ve hinted at this in the beginning—encryption is essential to protecting plaintext information from unwanted exposure. However, switching from plaintext to ciphertext storage does not mean that the access steps become much more complicated. In fact, authentication methods can be as quick as using a fingerprint ID on a personal device.

Let’s start with shared company credentials. They can be a massive pain point in workflow and productivity. Who used the credentials last, and do they need to log out for another person to gain access? Is the password on a shared document the most up-to-date, or is it the old one? Has anyone accidentally deleted a row containing login details, or was the account unavailable in the first place? Questions like these can be easily resolved by switching to a more secure password management solution.

A password manager lets organizations store and share corporate credentials without relying on plaintext documentation. It uses encryption—usually AES-256 or XChaCha20—to secure data and ensure strictly authorized access. In addition to passwords, organization members can store information like addresses, banking details, and ID numbers.

However, business password manager features are rarely limited to just encrypted storage. Take NordPass, for example. In addition to the XChaCha20-encrypted vault, it offers advanced security tools for both security administrators and regular employees.

If your organization enforces two-factor authentication, NordPass helps facilitate it with its built-in Authenticator. This feature allows employees to store and generate time-based one-time passwords (TOTPs) directly in their NordPass vault, keeping their login access secure and uncomplicated.

The Admin Panel is a one-stop shop for organizations to create security policies and observe all account activity. NordPass is equipped with integrations like Vanta and Splunk, helping effectively manage workflows and create audit-ready documentation.

The Data Breach Scanner offers twofold protection. It monitors all organization domains for credentials tied to them appearing in breach dumps on the dark web, and it also allows employees to check their individual credentials for such breaches.

As you can see, setting up a password manager does more than just help you eliminate the insecure use of plaintext credentials in your organization. It can help strengthen your overall security policies and help your business react to cases of unexpected breaches swiftly.

The best password security practices

With emails containing plaintext passwords deleted and shared spreadsheets set aside, here’s what you can do to practice secure credential management in your organization.

  • Use strong and unique passwords to protect all corporate accounts. Ensure every password is complex and at least 12 characters long; the longer and more complex, the better. Take extra care to make shared credentials strong, and never use the same password for more than one account.

  • Ensure all credentials are updated regularly and adhere to strong password standards. This can be easily achieved if your organization uses the Password Policy feature available with NordPass, which lets organizations determine how long passwords should be and how frequently they should be changed.

  • Always use encrypted storage. Forget plaintext password storage—import your spreadsheets as a CSV file to NordPass and delete them for good afterward. From now on, all you need is your password manager to find what you need.

  • Only use encrypted channels to share credentials. Don’t pass around notebooks or email login details to anyone. Use NordPass to securely share data instead and set your preferred access permissions to be in control of how this data is handled.
