Slashdot Mirror

← Back to Stories (view on slashdot.org)

Password Storage for Fun and Profit?

Posted by Cliff on from the accessible-but-secure dept.

adwb asks: "I work for a small company which performs network installations and support for clients in the Seattle area. We have a handful of network admins and programmers who go out to client's offices to solve problems as needed. A problem we have been trying to deal with is the various administrator passwords for different client networks at different domain levels. It seems the easiest solution is not the most secure: just dump every client's administrator password into a text file and store it in a secure network location inside our local domain. Can any of you experienced network admins recommend a method (either pre-built software or custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PC's) but secure from the outside world?" For those of you interested in protecting your personal passwords, an answer might be found in this tidbit from jswinth, but there are issues here, too: "The wired article about Never Forget Another Password talks about the Just1Key service allowing all your passwords to be accessible from any PC. They use an applet and encrypt the password information before it leaves the local PC. What about when you cannot trust the PC, like when using a public terminal? I would hate to have all my passwords compromised because I couldn't remember my password to my free New York Times account at the library."

14 of 75 comments (clear)

  1. Unless the security is ironclad. . . by Limburgher · · Score: 2, Insightful
    it's just too risky. To satisfy me, the storage should be encrypted, and the access should require SSL.

    At the very least.

    I still don't think I'd trust it.

    --

    You are not the customer.

  2. Roboform! by fm6 · · Score: 4, Informative

    Check out RoboForm. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.

  3. So.... by ArsonSmith · · Score: 2, Interesting

    You're asking how can I let everyone know the passwords, yet still be secure?

    Sounds like you have an architectural problem not a password problem. Not sure how to fix it, we are cursed with the same thing here. Some is being addressed but it is slow and making sure every application supports a centralized authentication system is the hardest part.

    --
    Paying taxes to buy civilization is like paying a hooker to buy love.
  4. Use Gmail by LennyDotCom · · Score: 2, Interesting

    Open a gmail account with an obscure name upload the info and you can access it anywhere

    --
    http://Lenny.com
  5. Here's what we do by Anonymous+Crowhead · · Score: 4, Interesting

    We have an ecrypted text file stored locally with all passwords written on it like this:

    1. password

    2. password2

    etc.

    On an ssl, password protected web site not hosted by us, we have a web page with:

    Server x, root, password #1

    Server x, admin, password #2

    etc.

    The people who need it keep all or part of the printed out text file in their wallets. I'm sure someone will point out some flaw, but it is pretty disconnected.

  6. Two open source solutions by lucidvein · · Score: 4, Informative

    http://keepass.sourceforge.net/
    The program stores your passwords in a highly encrypted database. This database consists of only one file, so it can be easily transferred from one computer to another.

    KeePass supports password groups, you can sort your passwords (for example into Windows, Internet, My Homepage, etc.). You can drag-n-drop passwords into other windows. The powerful auto-type feature will type usernames and passwords for you into other windows. The program can export the database to various formats (like TXT, HTML, XML, CSV, ...). It can also import data from various other formats (Password Safe v2 TXT files, CSV files, ...).

    http://passwordsafe.sourceforge.net/
    Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).

    --

    "I have a cunning plan..."

  7. What happens when... by jsveiga · · Score: 3, Informative

    an irresistible force meets an immovable object?

    Nothing, because they cannot belong to the same universe.

    The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.

    Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.

    Either you have all the passwords stored in autonomous devices from where your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.

    A possible centralized solution: Your employee calls a number or sends a SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.

    SMS (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.

    This could be easily implemented with GSM phones or GSM modem modules connected to the server, and SMS handling tools freely available.

  8. Novell: Passwords NEVER Travel the Wire!!! by mosel-saar-ruwer · · Score: 2, Interesting

    They use an applet and encrypt the password information before it leaves the local PC.

    Being an old Novell MCNI/MCNE/etc, I was innundated, inculcated, and imbued by the overarching mantra: PASSWORDS NEVER TRAVEL THE WIRE!!! ONLY HASHES OF PASSWORDS TRAVEL THE WIRE!!!

  9. Paper... by joto · · Score: 5, Funny
    You see, there is a form of written communication that predates the computer, and is very secure once you've taken care of the physical security. It is also portable, easy to carry, does not require electricity, or any form of advanced machinery. It will survive in temperatures from far below human tolerance, to +70 celcius. It can be damaged by exposure to water, but because of it's flexible form, can easily be stored in an airtight container. This miracle medium is called: PAPER!

    You write the passwords you need on a piece of paper. If there are lots of passwords to be remembered, an electronic device called a "printer "can transfer the passwords from a computer at your office building to the paper.

    The paper is carried by the admin to whatever clients he need to go to. Once at the client, he fetches this piece of paper, and use his eyes to retrieve the passwords he need. The passwords are typed manually by the admin into the clients computer.

    As your admin finishes his job, the paper containing the passwords can be easily destroyed. A device specifically made for this, called a "paper shredder" exists in many offices, and your admin is likely to find one at the clients office.

    If a client does not have a paper shredder, the admin may choose to use the fallback solution of tearing apart the paper with his hands, followed by flushing it down the toilet. Another solution is to ignite the paper with a device called a "lighter", something that can usually be found at the back entrance of the clients building (just ask one of the smokers there).

    I hope this suggestion helps!

  10. Only problem I can see is... by brunes69 · · Score: 3, Insightful

    .. you must have a finite number of clients. Even assuming 500 passwords in that file, it would take anyone with the nerve only a short time to brute force the right password.

  11. Re:Password Safe by hetfield_guitar · · Score: 3, Informative

    Password Gorilla http://www.fpx.de/fp/Software/Gorilla/ is an opensource app that works on Mac, Windows and Linux and is compatible with Password Safe's database.

  12. Keychain Access by zhenga · · Score: 2, Informative

    Apple's Keychain Access is pretty nice to store and manage passwords, secure notes, and certificates.
    I use it very often to store notes, beats Stickies imho and easier to backup as well :)

    It's possible to create a Shared Keychain as well. Then all users on the machine can access that keychain if they know its password.

    I think most part of the Keychain Access is Opensource (correct me if i'm wrong!):
    http://darwinsource.opendarwin.org/10.4/libsecurit y_keychain-78/lib/

    So any takers on making keychains crossplatform? (I hope there are ;)

  13. Why not ask? by minus9 · · Score: 3, Interesting

    "We have a handful of network admins and programmers who go out to client's offices to solve problems as needed."

    This is how I would do it...

    The people who go out on site, ask the client what the password is. If they are trusted then the password will be provided. If they are some halfwit who wants to "dump every client's administrator password into a text file" then they will be told to get the fuck away from my network and leave the building.

    They could also carry the passwords in a file using a modern concept called encryption, a new invention, only a few thousand years old.

    To think that I have recently been modding posters down for bitching about slashdot no longer being "News for nerds"

    There are also sites on the internet which can provide links to software which can fulfill this need.

    Sorry for being such a sarcastic twat but slashdot is sinking to the level of "My processor is running out of memory, should I buy a bigger monitor?"

    People come here to get away from this stupid crap.

  14. kedpm by Noksagt · · Score: 3, Informative

    I whole-heartedly suggest the use of Ked Password Manager. It has both a graphical and a command line interface. You can therefore keep the paradigm of using it from the network--just ssh in to your server, and run kedpm (instead of catting the password). The files are encrypted with blowfish to a single password. The database is compatible with Figaro's Password Manager. kedpm is in python and, properly packaged, will run on darn-near anything. Including a USB thumbdrive if you want to take your passwords with you.