excel.. argh.. yet so existent in many places you wouldn't believe...
as for the clear passwords, that is way more common than you want to know!
a cheapskate solution would be something like oubliette:
http://www.tranglos.com/free/oubliette.html
as for storing infrastructure credentials, it's not only having them on a sheet or two, the whole process of accessing and using them needs to be defined, otherwise you would be neglecting the essence, which is that you need to
- Authenticate that the right personnel is obtaining the passwords
- Authorize that the right personnel can access the predesignated passwords
- Audit: keep a log of the whole process
- Monitor that the password is used for the predesignated purpose, hence a user cannot issue, for example, dir /a twice, only once, in accordance with the predefined procedures for the defined task being executed
I can go on listing, just thought of highlighting some things that need to be noted and that are not resolved by the password itself, regardless of whether it's clear or encrypted.
in many places, what they do is create the root password as a string over 40 characters long, place that string, within a "ceremony process", in a sealed untamperable bag and place it in a vault. a secondary account with sudo rights is created to be able to perform required functions, hence never requiring the root password itself. now the funny side to this is that in some places the sudo itself is misconfigured or neglected, and it is often the case that the secondary account has a common password across all systems, so go figure whether that "password ceremony" has any value at that point :P
I've seen so many funny things in different companies that it really is sad, and I have to say that I haven't seen a company that really has implemented security to the full extent. almost always the weak link has been the human factor, or the failure in controlling the human factor with defined processes.