Credential centralization without separation of duties is one of the oldest security anti-patterns, and it keeps showing up in new costumes. A former security consultant's account of a 2,000-employee facility services firm keeping every username and password in a single Excel file on the CEO's desktop is the latest costume. Luke Irwin, CEO and principal consultant at Aegis Cybersecurity, told The Register's PWNED column that the CEO personally directed the centralization, banned multi-factor authentication across the firm, and had IT message credentials directly to staff when someone needed access.
The story, written by Avram Piltch for The Register in the 11 June 2026 PWNED column, is a single anecdote from an unnamed company observed by one consultant. The specifics should not be generalized to any one firm, and the affected company is not identified in the source. What generalizes is the pattern. Three habits show up together: a leader-maintained credential vault, a ban or quiet suppression of MFA, and an IT function that hands out shared secrets on request. None of them is a file-format problem. All three are separation-of-duties problems.
The CEO's spreadsheet is the visible part. The MFA ban is the same failure in a different place. NIST's digital identity guidelines, Special Publication 800-63B, have long treated memorized secrets as the weakest acceptable authenticator for most enterprise use and have called for phishing-resistant multi-factor authentication in higher-assurance contexts. When leadership rules MFA out, every account becomes a single point of failure held inside one file. The IT DMs-for-passwords habit closes the loop: a function that should enforce access boundaries is, in practice, handing out the secrets that cross them.
What good looks like is well documented. Single sign-on with a federated identity provider reduces the number of credentials any one person has to remember and lets the security team enforce policy centrally. Phishing-resistant MFA, the kind that binds the authenticator to the origin it serves, makes stolen passwords less useful on their own. Audited vaulting with role-based access means that even the CEO does not accumulate unconstrained credential visibility. Separation of duties, the principle that no single actor should both create and use a secret, predates the spreadsheet era and still applies.
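To make the audited-vault and separation-of-duties controls named above concrete, here is an added example in Python that is not from the article or from any vendor's product: a toy vault policy evaluator in which the provisioning role can create a secret but never read it back, reads are gated by the secret's scope role with no executive override, and every decision is recorded. The principals, role names and placeholder secret value are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SecretMeta:
    scope: str            # role that may read this secret
    provisioned_by: str   # principal who created it

@dataclass
class Vault:
    """Toy model of an audited, role-scoped vault (constructed for illustration)."""
    roles: dict                                # principal -> set of role names
    store: dict = field(default_factory=dict)  # name -> (SecretMeta, value)
    audit: list = field(default_factory=list)  # (actor, action, name, outcome)

    def _has(self, actor, role):
        return role in self.roles.get(actor, set())

    def provision(self, actor, name, scope, value):
        """Only the provisioning role may create or rotate a secret."""
        if not self._has(actor, "it-provisioning"):
            self.audit.append((actor, "provision", name, "DENY:role"))
            return False
        self.store[name] = (SecretMeta(scope, actor), value)
        self.audit.append((actor, "provision", name, "ALLOW"))
        return True

    def read(self, actor, name):
        """Release a secret only to a principal in its scope who did not create it."""
        if name not in self.store:
            self.audit.append((actor, "read", name, "DENY:unknown"))
            return None
        meta, value = self.store[name]
        if actor == meta.provisioned_by:       # separation of duties: creator cannot use it
            self.audit.append((actor, "read", name, "DENY:sod"))
            return None
        if not self._has(actor, meta.scope):   # role-based access, no executive override
            self.audit.append((actor, "read", name, "DENY:scope"))
            return None
        self.audit.append((actor, "read", name, "ALLOW"))
        return value

def demo():
    """Constructed principals: the CEO holds no secret scope, so the vault denies them."""
    vault = Vault(roles={"ceo": {"executive"}, "it-admin": {"it-provisioning"}, "payroll-clerk": {"finance"}})
    vault.provision("it-admin", "payroll-db", "finance", "constructed-placeholder")
    return {"clerk": vault.read("payroll-clerk", "payroll-db"), "ceo": vault.read("ceo", "payroll-db"),
            "it_admin": vault.read("it-admin", "payroll-db"),
            "ceo_provision": vault.provision("ceo", "hr-portal", "hr", "x"), "audit": vault.audit}
```

The audit list is what distinguishes this from the spreadsheet: every denied read by the executive and every attempt by the provisioner to use a secret it issued leaves a record that someone other than the actor can review.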
The load-bearing claim is structural, not biographical. A leader who insists on holding every credential, an environment that punishes MFA adoption, and an IT function that pushes secrets through chat are three faces of the same accountability asymmetry: one person or one team owns, distributes, and bypasses the controls that should be independent. That asymmetry is what attackers look for. It is also what breach postmortems keep naming, in different language, in incidents that started with a single shared secret nobody could rotate.
Watch for the next time a breach write-up places "centralized credential store" or "privileged access consolidation" in the same paragraph as a successful lateral move. The Excel file is the cartoon version. The pattern is the real story.