EH-Net
May 18, 2013, 06:40:50 PM

32
Ethical Hacking Discussions and Related Certifications / Physical Security / Re: Storing Passwords
on: July 19, 2010, 12:39:01 PM
Knb15,
I'm using my solution in a company with less than 100 employees, 10 in my department (3 help desk, 4 developers, 2 project managers, and me). Can't get much smaller than that.
The engineering safe has admin passwords (Linux and Windows), routers / switches, firewalls (network firewall and spam firewalls), vendors (like Cisco), other safes (help desk and developers don't need access to the infrastructure).
Once upon a time we had all 3 mixed together, but there was an issue with people accessing things they were not supposed to (developers making changes to the firewall, help desk people making changes to switches), so we broke it up.
Chrisj, if I may ask, why are you thinking of switching to KeePass? Is it due to a deficiency in Password Safe? More/better features on KeePass?
In my company we have 5 employees (including myself) and the boss. When I first read your post, Chrisj, I thought you guys used actual "safes" (lol). However, after re-reading I realized that you were talking about the software Password Safe, which would definitely work for my purposes.
Lastly, using a software solution means storing the passwords on a network drive like you said, or on a local drive.
1. Just to make sure I understand correctly, the benefit of having it saved on a network drive is that you have greater security on the server and the password database would then be accessible from anywhere on the network, as opposed to having it on a local drive and having access to it only on that machine?
2. Storing the passwords on a computer (rather than physically) requires a working computer to extract them when/if needed. Your solution is to have the file also stored on a USB in case the computer(s) fail? If so, is there a way to encrypt the USB using free software, or would it require something purchased?
Thanks!

33
Ethical Hacking Discussions and Related Certifications / General Certification / Re: Learning and never enough time!
on: July 14, 2010, 11:06:44 AM
T-Bone, here are my two cents, since I am another person in the same boat as you and many others.
I got into the security field, or interested in it, only about 3 months ago. Since then, much like everyone who has posted in this thread, I have found that there is a multitude of information out there that can be overwhelming, to say the least.
On one hand it is great that information is readily available for anyone that is willing to take the time to learn. On the other hand, it can easily overwhelm you at the same time.
So after reading the advice of many from this forum, I decided to start slow by purchasing some beginner books about Ethical Hacking. Right now I have enough books to last me a good amount of time (about 4 books).
Along with reading the first book, I've been working on setting up my practice lab at home to be able to test what I learn in the books. So far I've got my host machine, 2 VMs (XP and Linux), and a laptop with Backtrack4 and Ubuntu. I've got more steps laid out of what I want to accomplish. Just the idea of having a lab can be too much, because it's hard to know where to begin, what to use, what to do. But I'm taking it one step at a time and think it will work out.
What Sil was talking about, in the field of psychology, is known as a "self-fulfilling prophecy." There are many books on that; it is a known fact that it does affect your progress in what you do in life.
In closing, I would just like to say that while the field is huge and hard to get into, having a community such as this where you can ask questions, and have SO MUCH information at your fingertips, helps a great deal!
Btw, lack of time is also one of my top problems.
Knb15

34
Ethical Hacking Discussions and Related Certifications / Physical Security / Re: Storing Passwords
on: July 14, 2010, 09:34:32 AM
Thanks for the replies, some very good ideas.
Most will not benefit this office I work for now because of how small it is. However, I will take bits and pieces of the ideas and find a medium that fits us well. Either way, it is good information to know how bigger companies work.
In response to dynamik, we don't have THAT many passwords. I don't care about saving the user passwords because I can reset them if needed. The ones I'm interested in storing some place safe are admin pass, router pass, some passwords for applications we use.

35
Ethical Hacking Discussions and Related Certifications / Physical Security / Storing Passwords
on: July 13, 2010, 11:16:28 AM
I've been thinking about this, and would like your input please:
Handling company passwords can be a tricky thing (I know I don't have to tell you all this). You shouldn't write down passwords because physical security can become a problem. Even if physical security is not a main concern, it still shouldn't be written down, because you never know who will have access to it.
It also shouldn't be kept on a computer, because first of all, you might need a password that is in that file to log in to the computer to begin with. Secondly, it is possible that someone may gain access to that file and obtain your passwords. Even encrypted files run that risk (unless your company invests in good encryption software).
For a large company with a good budget, there seem to be more options as far as password storing software or good encryption software that can be purchased. However, what about a small business that does not focus much on security because they don't feel they would ever be a target?
The administrator understands that ANYONE can be a target, ESPECIALLY those who think they won't ever be attacked. So in an effort to secure the place as best possible with what is available, he attempts to harden the passwords for all the systems, etc... But then obviously, by making them more complex, a place to write them down becomes a necessity. You come in to the office, had a rough weekend, come in on Monday, and draw a blank.
Maybe keeping a book with the passwords in a cabinet locked by a key that only one person has access to is the best choice? How about keeping it stashed in your email somewhere? Emails can be compromised as well, so I don't see that as being very safe.
I'm just trying to weigh all the options I have regarding this. I figured some of you have had so much experience with this that you may have a better solution than what I can think of.
"He" is me, by the way.
Sorry for the long post, but thanks for reading.
Knb15

36
Resources / Tutorials / Re: Metasploit 101
on: June 14, 2010, 11:53:24 AM
The video on my end has very poor quality, I see many different bright colors... although the sound is perfect.
Is that the case for anyone else?

37
Resources / Links to cool sites. / Re: Hackin9 First Online Issue
on: June 11, 2010, 12:23:57 PM
@Knb15: I used to be a subscriber but recently, they decided to change their business model and go for free PDF magazines. I paid something like $70 USD last December for a two year subscription. I am still waiting for a refund, which they say is coming soon... I like reading hard copies, but they don't do this anymore...
Thanks for the info. I guess I'll have to settle for reading it while at a computer. It's just that I'm on trains a lot, and it's a great time to read. So I'll have to print out articles if I want to do that.

38
Resources / Links to cool sites. / Re: Hackin9 First Online Issue
on: June 11, 2010, 10:42:06 AM
I'm looking around the website in order to subscribe but can't seem to find where to do so, or information on it (pricing, etc...).
Is it only an online magazine now or do they still mail out hard copies?
Thanks!

40
Features / Opinions / Re: Opinions on Webgoat
on: March 22, 2010, 09:42:29 PM
I've bookmarked that site, and have just been waiting to have enough time to go through WebGoat myself. I would love to read a write-up of your experiences going through it.
Seems like a very useful learning tool.

41
Resources / News from the Outside World / Re: Ditch Windows for Online Banking
on: March 22, 2010, 02:34:05 PM
In addition, whatever solution is put into place, it would have to be something that still works as fast or pretty close to how it works now.
If too much security is added in a way that users must do too much, and takes them a significant amount of time to do so, they won't use it.
People use online banking and other mechanisms available because they don't have much time to actually go to the bank; it's more convenient. Put a system into place that takes them double the time to do their banking than what they are used to, and they won't use it anymore.
Is it worth going through more hoops in order to have a secure channel for online banking? If you ask me, yes. But again, it all comes down to the population at large.

42
Features / Book Reviews / Re: Review - Influence: The Psychology of Persuasion
on: March 22, 2010, 12:24:49 PM
It's about persuasion in general. If I remember correctly, there's not one example related to it-security.
You're correct. I read this book as part of a psychology course I took years ago. There's no security related example, but one can always apply the ideas and theories to the technology field. It's indeed a great book... if for nothing else, at least to learn when to say "no."

43
EH-Net / News Items and General Discussion About EH-Net / Re: Great Resource!
on: March 18, 2010, 10:25:36 AM
And we thank you, Don, for giving us the opportunity to build this community it has become! Back to the topic starter: this may sound cheesy, but STAY IN SCHOOL, finish your master, cause maybe you will not need it now, but later, when eventually you might get bored with the things you do, you can build on your master to switch back to a management profession. Even I started from my master directly learning for CISSP. My master never slowed me down and never will. It only shows the motivation and dedication you have and the willingness to learn. Even with your master's degree YOU have the choice if you want to be a techie or management material. A higher degree only helps when applying for a job.
I just saw this... but thanks for the advice! It's appreciated.

44
Resources / News from the Outside World / Re: Ditch Windows for Online Banking
on: March 18, 2010, 12:12:33 AM
To add to this, I agree that education is a big problem. By that, I don't mean that you need schooling, or to get certified in a field to know how to protect yourself. Being aware when you are online, knowing what not to click on or what not to open is a huge start.
Someone came to me with a story a week ago that I couldn't believe. The person received an email from someone claiming they were Bank of America, asking for all her personal data, account number, passwords, uncle's middle name, mother's maiden name, I mean you name it... and guess what? Yeah... she clicked reply and sent all the information to the thief. Needless to say, the next morning she had a huge headache trying to fix all the crap the perpetrators did with her account information.
You would think that people would be smarter these days, right? Wrong... this woman is a very educated person, but knows diddly about computers... except to turn it on, write on Word, send emails, and surf websites.
A little research and knowledge can go a long way.

45
EH-Net / News Items and General Discussion About EH-Net / Re: Great Resource!
on: March 03, 2010, 11:05:32 AM
I can see your point, Jordy. What makes me unsure of whether or not to pursue my Master's is that the master's might take me more into a managerial position and not really be hands on. Although I don't know this for sure, but just from some things I have read, so I could be wrong. In addition, managerial positions aren't always a bad thing, I guess it just depends on what you really want to do.