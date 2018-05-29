You would think that the safeguarding of customer passwords and other credentials would be a top priority for IT professionals, but as we all know from repeated reports of data breaches, hackers time and again have outwitted the cyberguardians.

To understand why, think of it this way: A car thief enters a parking garage and walks right into the booth where ALL the keys are hanging on hooks. The attendant? Nowhere to be found.

The mass movement of company and personal data to the cloud has only complicated things. Hackers are sending bots to scour GitHub, the source code management system, looking for digital access keys to Amazon Web Services and other cloud systems. In 2015, one careless developer woke to find his stolen keys being used to run 140 AWS servers mining bitcoin.

Companies have uploaded VPN and cloud access credentials to cloud storage systems that are easily accessible. Even U.S. intelligence secrets, including security keys to connect to “distributed intelligence systems,” were apparently left accessible to the public, Bay Area security firm UpGuard disclosed last fall.

And even when credentials aren’t left where anyone can find them, security breaches are routinely made worse when hackers who enter one system are then finding the keys to another lying around unencrypted.

Despite the risks, developers are still regularly storing the digital keys to company assets and even user data in source code, configuration files, and other miscellaneous, unencrypted locations. Unlike typical users who can memorize their passwords or store them with a secure password manager, developers and IT workers often need to keep security credentials in places where automated software can find them.

And even everyday users can still leave sensitive data lying around in unintentionally public documents or in insecure locations on a company network where a hacker might quickly look after wrangling access.