Storing Passwords

Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Tue Jul 13, 2010 11:16 am

Storing Passwords

I've been thinking about this, and would like your input please:

Handling company passwords can be a tricky thing (I know I don't have to tell you all this).

You shouldn't write down passwords because physical security can become a problem. Even if physical security is not a main concern, it still shouldn't be written down, because you never know who will have access to it.

It also shouldn't be kept on a computer, because first of all, you might need a password that is in that file to log in to the computer to begin with. Secondly, it is possible that someone may gain access to that file and obtain your passwords. Even encrypted files run that risk (unless your company invests in good encryption software).

For a large company with a good budget, there seem to be more options as far as password storing software or good encryption software that can be purchased.

However, what about a small business that does not focus much on security because they don't feel they would ever be a target? The administrator understands that ANYONE can be a target, ESPECIALLY those who think they won't ever be attacked. So in an effort to secure the place as best possible with what is available, he attempts to harden the passwords for all the systems, etc.

But then obviously, by making them more complex, a place to write them down becomes a necessity. You come in to the office, had a rough weekend, come in on Monday, and draw a blank.

Maybe keeping a book with the passwords in a cabinet locked by a key that only one person has access to is the best choice?

How about keeping it stashed in your email somewhere? Emails can be compromised as well, so I don't see that as being very safe.

I'm just trying to weigh all the options I have regarding this. I figured some of you have had so much experience with this that you may have a better solution than what I can think of.

"He" is me by the way.  :)

Sorry for the long post, but thanks for reading.

Knb15

yatz

Full Member

Posts: 222

Joined: Tue May 25, 2010 2:58 pm

Post Tue Jul 13, 2010 11:40 am

Re: Storing Passwords

You are right, storing passwords is tricky but definitely needs to be done.

I may not be the best source of info, but I would definitely keep the passwords in some way as part of a disaster recovery scenario in a fireproof safe that is locked with a key.  Keep in mind who may need to access these passwords, whether it's just you as admin or the rest of your staff, or whatever.

Keeping them digitally may be good, but I would think a printed copy of the passwords is more efficient since a digital copy would require a working computer to get at, which is not a certainty during a disaster.

Also keep them with other sensitive documents, like a printout of router/switch configs, etc., in a binder that is locked in a safe.

If you think about it, HR needs to keep their documentation safe too, and much of the time that sensitive data is kept in a simple locking file cabinet.
"Live as though you would die tomorrow, learn as though you would live forever."

CCNA, MCSA, MCTS, Sec+, Net+, Linux+, CEH

caissyd

Hero Member

Posts: 894

Joined: Thu Dec 31, 2009 11:20 am

Location: Ottawa, Canada

Post Tue Jul 13, 2010 11:59 am

Re: Storing Passwords

Here is what we do for our applications:

1) Passwords are hashed (SHA-1) and stored in a database
2) We NEVER print passwords anywhere. So we never display them on the screen, print them on paper, etc.
3) We make database backups. Once a month, they are sent to a vault in another location.
4) The administrator of the system can reset any password, but since they are hashed, he cannot see them.
5) In the event of a disaster, we rebuild the servers from the backups
6) If we really, really had problems, we could manually go into the database and reset them.

With this, you will never lose data because of a disaster or lost passwords.

So don't print any passwords anywhere. Instead, make sure an administrator can reset them.

Hope that helped!
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
(aka H1t.M0nk3y)
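
The storage-and-reset pattern from caissyd's post, as an added Python example (not the poster's code): only a salted, iterated hash is kept, so an administrator can reset an account but never read its password. The example uses PBKDF2-HMAC-SHA256 rather than the single SHA-1 pass the post names; the `UserStore` class and its method names are this example's own stand-in for the database table.

```python
# Added example: hashed credential store with admin reset, modelled on the post.
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # work factor; raise as hardware allows


def hash_password(password, salt=None):
    """Return 'salthex$digesthex' with a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt; compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


class UserStore:
    """Stand-in (hypothetical) for the database table: username -> (hash, must_change)."""

    def __init__(self):
        self._rows = {}

    def create(self, username, password):
        self._rows[username] = (hash_password(password), False)

    def login(self, username, password):
        row = self._rows.get(username)
        return row is not None and verify_password(password, row[0])

    def must_change(self, username):
        return self._rows[username][1]

    def stored_hash(self, username):
        # Only ever a salt and a digest; the plaintext is never recoverable from here.
        return self._rows[username][0]

    def admin_reset(self, username):
        """Step 4 of the post: reset without seeing the old password. The temporary
        password is handed to the user out of band; the store keeps only its hash
        and flags the account so the user must choose a new one at next login."""
        temp = secrets.token_urlsafe(12)
        self._rows[username] = (hash_password(temp), True)
        return temp
```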

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Jul 13, 2010 1:57 pm

Re: Storing Passwords

What types of passwords are you trying to manage? Utilities like Keepass and Password Safe can be helpful. Then users just have to keep track of one password (or two if you count logging into the computer); that's still much more manageable. Sometimes they do forget, so you have to have reset policies in place.

Storing a book with everyone's passwords in it and giving access to someone is dangerous because he/she can then impersonate users.

Pass phrases are another good technique to make passwords easier to remember (although longer to type).
The day you stop learning is the day you start becoming obsolete.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Jul 14, 2010 12:06 am

Re: Storing Passwords

I only know about 5 passwords at work, but that's because I use them the most.
Login, 2 root passwords, my password safe password, and the firewall password.

The rest are stored on a network drive in a Password Safe file. The software to open the safe is on my box. It works pretty well. Only time we've been hosed recently was when the SAN fried, before getting everything copied over to the new NAS. Even then it was just a case of restoring 8TB from tape.

We also have a backup copy on a full-disk-encrypted USB drive, requiring TrueCrypt. There is a sealed envelope that goes with it. In the envelope are 3x5 cards: how to mount it, the passphrase for the USB drive, and the password for the master network engineering safe (has the passwords to all the other safes). They are not kept together: 1 is on site, 1 is off site. I get them both back once a month to check it's not open, and to update the passwords. My writing on the front, with a date (and I have unique handwriting), manager's signature on the back (after he seals it, with me watching).

The warning on the envelope says opening it will require changing all the passwords for all the systems company wide. When they opened it, I did just that. Caused a huge mess. But changed them all anyway.

I don't agree with the system we use, but it's worked for the most part.

Personally, I want to switch from Password Safe to Keepass (use it at home). I'm also curious now what the traffic looks like with Wireshark when opening a safe on a network drive...
OSWP, Sec+

Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Wed Jul 14, 2010 9:34 am

Re: Storing Passwords

Thanks for the replies, some very good ideas.

Most will not benefit this office I work for now because of how small it is. However, I will take bits and pieces of the ideas and find a medium that fits us well. Either way, it is good information to know how bigger companies work.

In response to dynamik, we don't have THAT many passwords. I don't care about saving the user passwords because I can reset them if needed. The ones I'm interested in storing some place safe are admin pass, router pass, some passwords for applications we use.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed Jul 14, 2010 11:29 am

Re: Storing Passwords

Knb15 wrote: Thanks for the replies, some very good ideas.

Most will not benefit this office I work for now because of how small it is. However, I will take bits and pieces of the ideas and find a medium that fits us well. Either way, it is good information to know how bigger companies work.

In response to dynamik, we don't have THAT many passwords. I don't care about saving the user passwords because I can reset them if needed. The ones I'm interested in storing some place safe are admin pass, router pass, some passwords for applications we use.


Knb15,

I'm using my solution in a company with less than 100 employees, 10 in my department, (3 help desk, 4 developers, 2 project managers, and me). Can't get much smaller than that.

The engineering safe has admin passwords (linux and windows), routers / switches, firewalls (network firewall and spam firewalls), vendors (like cisco), other safes (help desk, and developers don't need access to the infrastructure).

Once upon a time we had all 3 mixed together, but there was an issue with people accessing things they were not supposed to (developers making changes to the firewall, help desk people making changes to switches), so we broke it up.
OSWP, Sec+

Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Mon Jul 19, 2010 12:39 pm

Re: Storing Passwords

chrisj wrote: Knb15,

I'm using my solution in a company with less than 100 employees, 10 in my department, (3 help desk, 4 developers, 2 project managers, and me). Can't get much smaller than that.

The engineering safe has admin passwords (linux and windows), routers / switches, firewalls (network firewall and spam firewalls), vendors (like cisco), other safes (help desk, and developers don't need access to the infrastructure).

Once upon a time we had all 3 mixed together, but there was an issue with people accessing things they were not supposed to (developers making changes to the firewall, help desk people making changes to switches), so we broke it up.


Chrisj, if I may ask, why are you thinking of switching to Keepass? Is it due to a deficiency in Password Safe? More/better features on Keepass?

In my company we have 5 employees (including myself) and the boss. When I first read your post Chrisj, I thought you guys used actual "safes" (lol). However, after re-reading I realized that you were talking about the software Password Safe, which would definitely work for my purposes.

Lastly, using a software solution means storing the passwords on a network drive like you said, or on a local drive.

1. Just to make sure I understand correctly, the benefit of having it saved on a network drive is because you have greater security on the server and the password database would then be accessible from anywhere on the network, as opposed to having it on a local drive and having access to it only on that machine?

2. Storing the passwords on a computer (rather than physically) requires a working computer to extract them when/if needed. Your solution is to have the file also stored on a USB in case the computer(s) fail?

If so, is there a way to encrypt the USB using free software, or would it require something purchased?

Thanks!

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Mon Jul 19, 2010 2:45 pm

Re: Storing Passwords

I'm thinking of switching to Keepass, because I like some of the features more.

1: Password Safe only works on windows (haven't tried in wine). Keepass (well version 1.x anyway) works both on windows and linux. We tend to use both here. Some people have complained about having to use windows to open the password files.

2: Keepass hides the user names as well as the passwords when looking at the entries.  If I have someone (vendor, contractor, day help for project overload) in my office, I don't have to show them the naming conventions of our system. I can open the keepass, copy the user name with a right click, and then the password. Thus never exposing them to the outsider. (Yes I'm paranoid). At least that's how keepass 1.x works on my linux box at home.

--------------------------

We store the encrypted password files on the network, because several people have to access them. Putting it on the network was my predecessor's idea, and it works out fairly well. The trade off was putting it in a less secure location (anyone can access the network drive) so everyone could use them.

I have my own personal password safe file on my desktop machine, since I'm the only one that should be accessing that one.

The "safes" are encrypted files to begin with, but yes I'm using TrueCrypt (open source) Full Disk Encryption on the USB drive. Basically the drive is the back up in case the network attached storage goes down, but we still need the passwords. (It has happened).
Last edited by rattis on Mon Jul 19, 2010 2:48 pm, edited 1 time in total.
OSWP, Sec+

Knb15

Jr. Member

Posts: 50

Joined: Tue Feb 23, 2010 10:18 am

Post Mon Jul 19, 2010 10:21 pm

Re: Storing Passwords

Thanks for the tips and advice Chrisj!

I'm downloading both Keepass and TrueCrypt and will set up a system at work where this can also be used.

I'm also interested in looking at the source code for these programs just to see what they look like.

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Jul 19, 2010 10:29 pm

Re: Storing Passwords

chrisj wrote: The trade off was putting it in a less secure location (anyone can access the network drive) so everyone could use them.


Can't you configure ACLs so only you guys can access it?
The day you stop learning is the day you start becoming obsolete.

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Tue Jul 20, 2010 10:47 am

Re: Storing Passwords

The whole company uses these devices, since they provide all the department shares. We have group permissions set up at the share level, but I don't trust the current devices (problems I've had with them).

The original box was a Windows based filer, with fiber channel SAN storage.

It's gone to Iomega SOHO NAS devices (that have already failed multiple times, just copying the data to them). It has group policies set up, but if it has access lists I can't find them.

I know I'm overly paranoid, but the company as a whole doesn't take security very seriously.
OSWP, Sec+

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jul 21, 2010 9:18 pm

Re: Storing Passwords

Ew. Share permissions are trash. Those are left over from the Win9x days; they existed before NTFS permissions and attempted to provide a minimal level of security. It's often easiest to just give Everyone Full Control share permissions and then get granular with NTFS permissions. Trying to mix-n-match often leads to misconfigurations. Since accessing a share will use the most restrictive of the share and NTFS permissions, you won't have any surprises if you get the NTFS permissions right. There might be some instances where you'd want to provide more restrictive share permissions, but they're very rare since people are usually accessing files exclusively over the network and not working locally.

It's pretty weak you can't get your own share that only you have access to. That's really not asking for that much IMHO...
The day you stop learning is the day you start becoming obsolete.
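
To make the "most restrictive wins" rule from dynamik's post concrete, here is an added Python model (not from the thread, and not Windows' real ACL evaluator: allow entries only, no Deny entries or inheritance). It compares a mix-n-match configuration with the recommended one, using constructed groups and ACLs.

```python
# Added example: model of how network access to a folder combines the share
# ACL and the NTFS ACL. Access levels are ordered; the effective level is the
# LOWER of what the two ACLs grant. Allow entries only (no Deny, no inheritance).
from enum import IntEnum


class Level(IntEnum):
    NONE = 0
    READ = 1
    CHANGE = 2   # share "Change" / NTFS "Modify"
    FULL = 3     # "Full Control"


def granted(acl, principals):
    """Highest level among ACL entries whose principal the user holds."""
    return max((lvl for who, lvl in acl if who in principals), default=Level.NONE)


def effective(share_acl, ntfs_acl, principals):
    """Over the network a user gets the more restrictive of the two grants."""
    return min(granted(share_acl, principals), granted(ntfs_acl, principals))


# Constructed sample principals: a network engineer and a help-desk user.
ENGINEER = {"Everyone", "Authenticated Users", "NetEng"}
HELPDESK = {"Everyone", "Authenticated Users", "HelpDesk"}

# Mix-n-match: the share was left at Read, then Modify was granted in NTFS.
MIXED_SHARE = [("Everyone", Level.READ)]
MIXED_NTFS = [("NetEng", Level.CHANGE), ("BUILTIN\\Administrators", Level.FULL)]

# Recommended: Everyone Full Control on the share, all real restrictions in NTFS.
OPEN_SHARE = [("Everyone", Level.FULL)]
NTFS = [("NetEng", Level.CHANGE), ("BUILTIN\\Administrators", Level.FULL)]


def demo():
    """(engineer on mixed config, engineer on recommended, help desk on recommended)."""
    return (
        effective(MIXED_SHARE, MIXED_NTFS, ENGINEER),  # READ: the share caps NTFS Modify
        effective(OPEN_SHARE, NTFS, ENGINEER),         # CHANGE: exactly what NTFS says
        effective(OPEN_SHARE, NTFS, HELPDESK),         # NONE: no NTFS grant, open share is no help
    )
```

With the share wide open, the effective access equals the NTFS grant in every case, which is why a single place to audit is less surprising than two.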
