Home > password > Keeping and maintaing a password list

Keeping and maintaing a password list

May 21Hits:1
Advertisement

Possible Duplicate:
Company Password Management

How Do You Manage Your Passwords

Not sure if this question suits this site but here goes.

What recommendations can you give to centralize and maintain a list of passwords (PCs, hosting, ssh, server ...) inside a small software dev. company?

The aim is to avoid problems if someone forgets a password or goes missing. Obviously such a list should not fall into the hands of an outsider.

P.S: If it's important, the company server is running Linux.

Edit: I'm also interested in any policies concerning the form of passwords and a recommended recurring time interval within which they should be changed.

Answers

I always do this with a flat text file, encrypted to all the relevant admins' GPG keys, under source control.

This has several advantages. Firstly, it makes you make all your admins install GPG, use it, and generate, and exchange, keypairs. This has a lot of knock-on benefits in security terms (eg, admins can authenticate requests from each other, which makes social-engineering attacks much harder).

Secondly, the security's not in some centralised application, but in the individuals' key management. You can hack the server that stores the encrypted file all you like, all you'll get is ciphertext. You can keep a local copy of this file on any device that suits you without endangering anyone's security, and without having to install any application other than GPG (which anyone working with security should have around anyway, see above).

Thirdly, because of the source control, you can always step back to find out what the company-wide desktop root password was three years ago, when someone digs a machine out of the basement and insists it needs to be resuscitated right now. You encrypt the current version of the document only to the keys of the currently-serving admins, but you can always add an escrow key for emergencies (passphrase and private key stored in a secured, tamper-proofed medium, and only ever used once - generate a new escrow key if the current one ever has to be used).

KeePass is a password manager I find very usefull, it's cross platform, has features like generating passwords and maintining expiration dates etc.

But it is a single user tool so i'm not sure it fits your needs unless you disallow your users to change their passwords and instead do that centrally. Whether or not that is feasible/acceptable will depend on your security policies.

It's probably best (in turns of policies and the like) to have each user maintain his/her own password and use admin privileges to reset the password of a user who has forgotten his/hers.

As said above KeePass + i use Dropbox to sync the kdbx over multiple devices (PC, Notebook, Android smartphone, it's everywhere).

You can even set password expiration dates there to remind you.

That's pretty much the best tool on the market right now.

As for password policies i think you should find what's the best for your company yourself, just use common sense or google for the best practices, ex. MIT policies.

There is also an online password manager called LastPass with sharing capabilities. They also provide LastPass Enterprise adding functionality useful for organizations.

You should read about technoligy behing LastPass as it states that encryption/decription is done locally on your PC, so only encrypted data passes over the wire and is stored in LastPass data centers. The other important thing is that you can export LastPass data if it happends that LastPass goes out of bussines, your passwords won't

We are currently evaluating http://www.teampass.net/ as tool to manage passwords in our team. So far it seems to work well and can even import KeePass-exported entries.

Since cpm is not mentioned, I'll write a few sentences about it.

cpm is a simple tool based on a ncurses ui. It stores your password database in a GPG-encrypted file which can be distributed out or stored in a git-repository if you want. The data is stored as XML, so it is easy to grab the data and use it in other programs as well.

Related Articles

  • Keeping and maintaing a password list May 21

    Possible Duplicate: Company Password Management How Do You Manage Your Passwords Not sure if this question suits this site but here goes. What recommendations can you give to centralize and maintain a list of passwords (PCs, hosting, ssh, server ...)

  • Securing Passwords in Your Database

    Securing Passwords in Your DatabaseJuly 9

    When ASP.NET developers think of Web security and authentication, three options typically come to mind: Windows authentication, forms authentication, and passport authentication. If you're building an Intranet application within your organization, fo

  • Change the Default Password PleaseFebruary 14

    The recent ruckus over MySQL on Windows was largely due to those who have installed the application and left the default root password untouched m(which in MySQL's case – is no password at all). I have never invested time thinking about default passw

  • What is the default administrator password?September 14

    Sorry if this is an overly simplistic question, but I'm a bit stuck here. :) I need a windows machine for me to do some programming for class. Since I have my Macbook with me everywhere I go, I figured that it would be easiest to install a vm. And si

  • Password Cracking Windows AccountsOctober 1

    At work we have laptops with encrypted harddrives. Most developers here (on occasion I have been guilty of it too) leave their laptops in hibernate mode when they take them home at night. Obviously, Windows (i.e. there is a program running in the bac

  • How To Create Friendlier Random PasswordsNovember 13

    One aspect of web applications which is almost always overlooked when it comes to accessibility is how easy any randomly generated string might be to read. If you're lucky enough to have near perfect vision and have no learning or cognitive disabilit

  • How do you change the password for the keyring manager in Ubuntu?December 8

    I don't have the password for the keyring manager? Can I delete the keyring to renew the password or are there any other ways of stopping the keyring manager from prompting before accessing programs that use the keyring manager --------------Solution

  • How to use SHA() to insert a user with Secure password in Mysql December 30

    It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. This question, Is "double hashing" a password less secure than just hashing it once? suggests tha

  • MS.Excel- Is it possible to password protect one or two columns in an excel file?January 28

    I have an excel file which would be available on a shared drive. I want the users to be able to access all columns except one or two columns. Except the two columns which are protected all other columns should be editable. thanks --------------Soluti

  • Can I run VNC server on linux which don't required any password?January 29

    I want access a VNC Server running on a linux machine from windows client, without using any password. Is that possible? --------------Solutions------------- It depends on the VNC Server, but yes, the ones I've seen have an option whether to use a pa

  • Passwords: Most People Do It Wrong

    Passwords: Most People Do It WrongFebruary 11

    Quick: What's your password? Is it 123456? Is it password? Is it abc123? Is it your first name? Surprisingly, for a large number of users, those are the types of words being picked to safeguard private accounts. Not surprisingly, that's a bad thing.

  • Interactive CLI password prompt in PHPMay 1

    Just a quick tip, since I spent a good hour figuring this out recently. PHP has no native way of doing an interactive password prompt, when running as CLI. You can however use bash for the task. Of course this means that it won't work on Windows, but

  • How do you setup ssh to authenticate using keys instead of a username / password?May 1

    How do you setup ssh to authenticate a user using keys instead of a username / password? --------------Solutions------------- For each user: they should generate (on their local machine) their keypair using ssh-keygen -t rsa (the rsa can be replaced

  • How do I recover a Windows XP or Vista user-account password? May 1

    Possible Duplicate: Windows 7 administrator password lost! How can I log into Windows 7 without a password? Yesterday, I had a relative that forgot the password for the admin account on their Windows Vista box. How can I recover that password? Free i

  • How can you configure windows to Auto Logon with specific username and password?May 1

    There are some scenarios for which you want to configure a machine to automatically login using a specific user account and password without blocking on the logon screen. How does one do that? --------------Solutions------------- Windows XP autologin

  • Storing rarely used single-purpose passwords

    Storing rarely used single-purpose passwordsMay 3

    How do you handle the storage of passwords that, by nature of their usage, you can't expect administrators to memorize? Such as: Administrator/root password when everyone logs on using their own account with administrator rights Service account passw

  • User password age/complexity policyMay 4

    Has anyone got any resources for determining a reasonable password policy for my users? My personal leaning is to ratchet up password complexity and allow them to change them less often as a kind of compromise. It seems that my average user has a hig

  • How to reset or recover admin account password for MySQL?May 4

    I have a MySQL database that I "inherited" and I was not given the admin credentials. I do however have access to the box that it runs on. Is there a way to either recover the admin credentials or create new ones? --------------Solutions--------

  • Password best practices

    Password best practicesMay 7

    Given the recent events with a 'hacker' learning and retrying passwords from website administrators, what can we suggest to everyone about best practices when it comes to passwords? use unique passwords between sites (i.e. never re-use a password) wo

  • Workaround for when windows scheduled tasks fails when user changes their passwordMay 11

    When a users password changes that users scheduled tasks will fail unless you change the password associated with that task. This is a problem for me as I have a small script that gets run by a scheduled task every day on someone else's server. They

Copyright (C) 2017 ceus-now.com, All Rights Reserved. webmaster#ceus-now.com 14 q. 0.505 s.