
CEO's Password Practice Exposes Firm to Breach Risk


"Despite repeated advice, he held that position for around four months, until we were able to demonstrate that the IT team could remove messages centrally using fairly simple administrative commands, without needing everyone’s password," Irwin said.

A CEO who kept every employee’s credentials in one file

The incident Luke Irwin described involves a large national facility services organization — a 2,000‑employee firm that provided cleaning, security guards, industrial abseiling and related services. According to Irwin, the company’s CEO kept an Excel spreadsheet on his desktop that listed every employee username and password. The rationale, Irwin said, was specific and personal: after seeing a colleague send secret information to the whole company, the CEO had spent an evening logging into every account to delete the message and wanted the ability to do so again.

Administrative controls versus shared passwords — and a refusal to use MFA

Irwin emphasized a basic control: in "any decent security setup, no one in the company has access to anyone else’s password. Even the head of the IT department should not know another employee’s password." In this case, the IT team eventually demonstrated they could remove email messages centrally using administrative commands without requiring every user’s password. That demonstration led to the Excel file’s removal after "around four months."

But the CEO would not allow multi‑factor authentication (MFA). Irwin said the CEO was adamant against MFA because it would "have kept him out of people’s inboxes." The firm had previously suffered a ransomware incident; despite that prior compromise and the spreadsheet removal, Irwin reports the company subsequently suffered two data breaches that involved sensitive client data.

Medical client: convenience for consultants trumped MFA — and signs of exposure

Irwin described a second client in the medical sector that opposed MFA because it "made things just a little too hard" for the external consultants they used to access systems. While Irwin worked with that organization, he said they were "lucky" and no one breached them during that period. Since then, Irwin has seen signs that the medical client's data was available on the dark web; he did not report whether the organization ever enabled MFA afterward.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: Irwin’s account underscores the value of administrative tooling. He points to "fairly simple administrative commands" that let IT remove messages centrally without sharing credentials, and he stresses that administrators should not know user passwords.
  • Affected enterprises and procurement leaders: The two cases show how operational convenience — giving a single executive full access or allowing consultants to bypass MFA — can outlast explicit security advice and precede compromise. The medical client’s later apparent dark‑web exposure highlights that luck is not a substitute for controls.
  • End users and clients: For employees and the clients whose data the firm handled, the practical consequence was concrete: after the spreadsheet was removed, the refusal to adopt MFA was followed by two breaches involving sensitive client data; in the medical case, data later showed signs of exposure online.
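As an added illustration of the "fairly simple administrative commands" Irwin refers to (this is example code, not anything from the article or the firm involved), the script below removes a mis-sent message from every mailbox using an administrator's own privileged session rather than anyone's password. It assumes Microsoft 365 / Exchange Online and the Security & Compliance PowerShell cmdlets; the article does not name the mail platform, and the sender, subject, date and admin account are constructed placeholders.

```powershell
# Added example, not from the article: central removal of one message from all
# mailboxes via Security & Compliance PowerShell (Microsoft 365 assumed).
# Requires the ExchangeOnlineManagement module and an account holding the
# compliance search / purge roles; no user passwords are involved.

Connect-IPPSSession -UserPrincipalName 'admin@example.com'   # placeholder admin UPN

# Pin the search to sender + subject + sent date so only the mis-sent item matches
# (all three values are constructed for this example).
$searchName = 'Recall-MissentMessage-2024-01-15'
$query = '(From:"sender@example.com") AND (Subject:"Q3 salary review") AND (Sent:2024-01-15)'

New-ComplianceSearch -Name $searchName -ExchangeLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $searchName

# Poll until the search completes before acting on it.
do {
    Start-Sleep -Seconds 10
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne 'Completed')

Write-Host "Items matched across all mailboxes: $($search.Items)"

# Sanity-check the scope before purging: an unexpectedly large hit count means
# the query is too broad and would delete legitimate mail.
if ($search.Items -gt 0 -and $search.Items -le 2000) {
    # SoftDelete moves items to Recoverable Items (reversible by an admin);
    # HardDelete would be permanent.
    New-ComplianceSearchAction -SearchName $searchName -Purge -PurgeType SoftDelete
} else {
    Write-Warning "Purge skipped: $($search.Items) matches. Refine the query and re-run."
}
```

Two practical caveats: a purge action removes at most 10 matching items per mailbox per run, so a message forwarded many times inside one mailbox may need repeated actions, and every search and purge is recorded in the tenant audit log under the administrator's identity, which gives the rest of the organization an accountable trail that logging in as each employee never could.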

Irwin’s takeaways, in his words

Irwin distilled his experience into two prescriptive points. First, "don’t let anyone, even administrators or CEOs, have other people’s passwords." If someone needs access to another account, he recommends IT use administrative access rather than sharing credentials. Second, "always enable MFA, preferably MFA with passkeys." Those recommendations close the loop on the two stories he recounted: an Excel spreadsheet that centralized credentials and a refusal to adopt MFA both preceded real exposure.

The two examples are small but stark: a single desktop file held "all the keys," administrative capability existed but was initially rejected, and repeated resistance to MFA coincided with later compromise and apparent leakage. The record Irwin lays out ends with a simple question of tradeoffs — convenience versus risk — and an unambiguous prescription: remove shared passwords and enable MFA.
