Slashdot Mirror
Suggestions for Company Wide Password Vault?
androidtopp asks: "My company, an IT and business consulting firm of around 150 people, is looking for a Password Vault/Manager/Database solution to manage the numerous passwords we've developed in the course of a major internal network and server upgrade. Our must haves are multiple privilege levels (I don't need to see network passwords, and the network guys don't need to see database passwords, and so on) and it would be nice if we could view when people last retrieved each password. Does anyone manage passwords in this fashion at their work/home? A lot of the free password managers are one user, full access, which is a little less secure than we need. How do other companies (small or large) manage the hundreds of server, network, database, and application passwords that must crop up?"
Seems to me, saving every password in a company in a central location would be the first place any hacker would go after.. and should they gain access.. you can say goodbye to that company.
MABASPLOOM!
Buy bulk post-it notes and a novelty sized keyboard.
Each closet will have a whiteboard.
Each whiteboard will have post-it notes covered in [database/network/other] passwords.
Hand out keys.
Key the locks so that only the people who need to have access to the closeted passwords can open the door.
Problem solved. Right?
And you don't even have to get rid of the post-it notes.
[Fuck Beta]
o0t!
That's exactly what it was designed for.
Do you even lift?
These aren't the 'roids you're looking for.
Sounds like a PHB came up with that. It's the same thing that a PHB I used to work for did. CIO puts all passwords into an Access database that is password protected then places it in his own, higher level private share on the network. Each password is actually entered in a "secret" code that all IT employees are aware of just in case it is hacked. The CTO also has access to this database.
It's current for about 30 minutes at which point it begins to become outdated as passwords are changed.
Good luck.
"A government is a body of people, usually notably ungoverned." - Shepard Book Quoting Malcolm Reynolds
If you are requiring complex passwords that expire every 30 days, maybe a more relaxed approach will enhance security. It's more secure to have a sane policy than to have stickies with passwords on every monitor.
As far as a "vault" I suggest an encrypted piece of paper kept in your wallet. I abbreviate made-up words to the first character. If someone can figure out that 23T~ is 23Trimble~ they deserve to get in to my shit.
Man, you really need that seminar!
Use Kerberos instead.
This is what we do for a much smaller group of admins and systems:
Create a simple text file with the systems, usernames and passwords. GPG/PGP encrypt this file to a list of recipients. Now you have a single encrypted file that can be decrypted by any of the recipients. You could break this out into multiple levels by having multiple files, one for each group of "only these users have these passwords" and each file is encrypted to different sets of users.
No logging, nothing fancy, but it just plain works and doesn't require lots of money or time to set up.
One bit of advice: include your web passwords for vendor support or ordering in here as well, not just your internal systems.
Sadly, Kerberos can't be used for everything. Especially logins to systems you don't control such as support and vendor ordering logins that should be available to people.
CmdrTaco -- I got a 404 from the link on the homepage to this story for a couple of minutes. Probably a bug.
The first question I'd ask is, do you need this for distributing passwords to the people who need to use them, or for escrowing passwords so you can get access to them in an emergency when the people who normally use them and know them aren't available?
There is this: http://thycotic.com/products_secretserver_overview .html
Noone pays attention to that.
Just have everyone use a blank password for everything then you don't need any fancy vaults.
http://www.openntf.org/Projects/pmt.nsf/ProjectHom e?ReadForm&Query=Open%20Notes%20Picture%20Database
It's written by Christian Brandlehner, Jason Engel and Hynek Kobelka. Encrypts the password for the chosen people. Requires the Notes ID to get to it. Very secure. You can control who gets onto the server, then another list of who can get into the application, and finally a third list of who is allowed to see each individual password. The passwords are stored in an encrypted format (for each ID file), so cracking the server does you no good. You can allow everyone in the company access to it, but without the document being encrypted for their ID, they can't tell what the password is. VERY secure.
Since the Lotus Notes client has just been released for Linux, all y'all zealots can't complain as much, though I know the "Lotus Notes UI sucks" people will swarm out of the woodwork.
Oh well. It's good enough for IBM and the CIA to use.....
I've used Cyber-Ark's Enterprise Password Vault, it seems extensive as for what it can do. http://www.cyber-ark.com/datasecuritysoftware/ente rprise_password_vault.aspCyber-Ark's website
Storing these things electronically is dangerous. Storing them on an electronic box which can be accessed over a network (any network) is just stupid.
.. paranoid crackpot leftover from the days of Amiga.
If you're going to do that, it really shouldn't be on line. While I agree that someone needs to be able to get to the "God" passwords in the event of a catastrophic event, our solution to that is very low tech. They are written out on a sheet of paper and placed in a slightly special safe. It takes two keys to open and only a few of us have keys. Some of us have the A key and some of us have the B key.
That way if any of us needs a password to which we do not normally have access, we still have to convince another person to help us open the safe. It provides a secure check & balance with very little inconvienence other than filing away a new sheet of paper once a month.
2 cents,
QueenB
HDGary secures my bank
where do you store the combination for the safe?
I shit you not.
checkout PowerKeeper
Seems to me it does everything you need and then some.
UNIX? They're not even circumcised! Savages!
As far as I'm concerned (and It's an informed opinion), shared passwords are BAD.
You'd be much better off with a distributed authentication system.
Set up RADIUS/TACACS+ for authentication for all your network devices. I'd suggest Radiator because it's extensible and reasonably quick, and cheap (not free, but you get the source).
Radiator can do it's password lookups by LDAP (and lots of other things), so you can set up LDAP to keep user's individual passwords. Configure samba, ftp, mail, apache, squid, etc all to do authentication against LDAP, and you'll never need a shared password again.
It only takes a simple web page to manage LDAP records, and I'm sure there's an open source one around.
This is probably a little more work than you were looking for, but this is one case where changing the process gives you a LOT of benefit now, and in the future.
Anything is possible, except skiing through revolving doors.
Get a metal box. Put a thin slit in it incase passwords are ever updated. Weld it shut. If it's important enough that someone needs to retrieve the password, then it's important enough to break open the box.
IANA*
Part of my responsibility is related to information security, and as such, I have been exposed to a number of propositions related to password security. The bottom lines are that: 1. No two people should EVER share a password -passwords must be individual, otherwise they have little or no meaning. 2. Every time a password is reset, it must be a "one-shot" reset, forcing the user to change it again before he/she can use it 3. Passwords must be changed every 90 days (maximum), and there must be a certain length of time before the same password can be reused. 4. The user must be the one who is forced to change the password, and it must not be shared with anyone. 5. The support point must have the ability to reset passwords, but not to use the account once the password is reset. 6. In case of requiring urgent access to someone's individual password, that must not be made available without an explicit directive from a company officer, in writing, before the support point will reset the password and give the reset password to anyone other than the user whose password it is. 7. Passwords must at a minimum be 7 characters in length, and contain at least one alpha character, and one numeric character. If you want to piss someone off, use a password generator to create a random password whenever the password has to be renewed - people like to have a password that they have at least a chance of remembering, but this is more secure. Do that, and you'll have some level of security. Use your password vault, with shared passwords, and you might just as well not use anything.
Will those of you who think that you know what you are doing, get out of the way of those of us who know what we are doi
And single sign on.
http://en.wikipedia.org/wiki/Single_sign-on
Deleted
MIIS with foreign export (LDAP, flat file, Novell, etc) is like $25K per processor. However it is free between AD stores including Active Directory Application Mode (ADAM). One drawback is that you cant debug it with VS2005, you have to use older version. Even then I was not successful, the project has been de-emphazised so I haven't had a chance to set it all up again and reporduce the issue with M$ support.2 003/evaluation/faqs/default.mspx
What you might be able to do is combine the free MIIS and the *ix support in 2003 Server R2 to push passwords from AD to a *ix LDAP and sync the non-MS with the LDAP.
I wonder if they are thinking about this in the SAMBAv4 development. It'd be a kick to see them outfox M$ highway robbery.
MIIS FAQ http://www.microsoft.com/windowsserversystem/miis
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
Quote from the CP Lab About Us page: "Our company is located in Kiev, Ukraine. CP Lab's employs high-class experts, ..."
It's difficult to imagine that it would be acceptable to use an encryption product without having the source code. If you have problems, will you go to Kiev and discuss them with the "high-class" experts? Do you speak Russian?
Suppose a database becomes corrupted, and you need to recover your passwords? Will you send the entire database to the Ukraine?
Suppose the company is now selling an entirely acceptable product. However, suppose that later the company is sold to someone else, without notifying the customers, as is usual with software companies. Possibly the new owner will decide to build a back door into a "minor" a version upgrade.
The Ukraine? Isn't that one of the places that the U.S. government's break-the-law department, the CIA, holds prisoners illegally? Is CP Labs owned by the CIA, perhaps? Is CP Labs owned by the CIA, but most CP Labs employees don't know that?
If you use an encryption product, it should be open source. That at least provides some protection. One advantage of open source, free software is that the users can hide the fact that they are using the product from the developers. Paying creates a connection between your company and the developers.
Possibly there is some way of using TrueCrypt and GnuPG that would work for you. Need passwords for your department? Someone in your organization who acts as password manager sends them to you encrypted with your public key. Only someone who has your department's private key can decrypt them.
Search for it, authord.com is apprently dead or broken. Not affiliated with them, have used it for a couple years. Does NOT integrate with AD. Keeps a local list of users/categories/groups you can assign access levels and if they (or their group) are not assigned to the category or their access level is too low, they do not even see the entries. Windows only, written in VB, $129 for 10 users. I haven't found any viable open source alternatives.
We put the the executable and database on a network share (no registry keys!!), it stores the personal preferences (window size, position, etc) in My documents.
Individual logins, radius, MIIS sync are all superior alternatives, of course, but this is quick, affordably priced and reasonably secure.
Alternatives you might want to look at:
pGina http://www.pgina.org/?page_id=3 Master your passwords on a platform other than AD for your central identity store.
AcctSync, doen not appear to be actively developed, it has not had any news posted in about 18 months. https://sourceforge.net/projects/acctsync/
PSync http://www.psynch.com/, commercial, no pricing on their site (schmucks).
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I actually borrowed an idea from a previous employer (tho wrote my own implementation), called StrongBox. it's a mysql database AES encrypted messages (containing passwords, messages, etc), the key is a SHA-1 has of a request ID and their employee ID.. it works rather well, it's all php/mysql and a little bit of javascript
Dont forget not all paswords are for the directory login eg routers etc. Generally users would not store their user password using this system. If a user loses their password a reset is the most common remedy. I have worked in security with classified and highly classified networks. The most highly secure networks will have a paper filing system stored in a physically secure location with all access fully audited. The less secure networks use LAN accessible password database applications, which is also highly audited of course. Seperation of duties between audit and access are essential. I would not recommend integration with directory if seperation of duties is not possible.
One problem my organization has is we keep forgetting passwords that are rarely used.
a ny Name]'s_Passwords
My suggestion is to post it to http://en.wikipedia.org/index.php/List_of_%5BComp
You'll never lose your password again--guaranteed!
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Yeah, especially the root password for your KDC...
- "History shows again and again how nature points out the folly of men" -- Blue Oyster Cult, 'Godzilla'
Lots of little yellow postit notes stuck on your monitor.
Unexpect the expected!
They don't speak Russian in Ukraine anymore. They speak Ukrainian. It's like assuming that the Portuguese spoken by a Brazilian is Spanish. But the rest of your argument appears valid.
You're asking, "How can I build a metel boot to protect my toes for when I keep shooting myself in the foot."
This is a very straight-forward identity management problem. Lots of good solutions, that have already been posted. And in the long run, implementing some combination of policy and idm technology will cost less than the solution you have envisioned now.
I did this informally but there's no reason it can't be done formally.
Whenever you change your password, WRITE IT DOWN, put it in a sealed envelope with your name, the date, and what the password is for. Put it in a secure location where some "keeper of the keys" has access. Preferably the "box" would require two keys to open and would be emptied and the contents put in a vault daily. Just for good measure have 24x7 video recording of the drop-box and the vault.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Greetings,
We did this with a physical vault. Each machine's (routers, servers, kerberos domain key (actually stored on a usb key), etc) was generated randomly and printed out and put in a sealed envelope in a fireproof, keyed safe kept in the NOC. They key for the safe was then put in a key lockbox and locked with an "electricians lockout tag" which allows multiple padalocks to lock the same hasp. All padalocks need to be opened to open tke keybox. We used two keys (enforcing a two-man rule) and a security seal. The only way to open it was to open the two padalocks and break the security seal. The security seal number was recorded in the site log. Every shift change, the keys were passed to the site supervisor and another senior person and the security seal checked to insure that the keybox hadn't been opened.
Any time a root password was required the safe was opened (and the fact logged), and the correct password recovered from it's envelope. After use, a new password was generated and placed in a new envelope. At each safe closing, an inventory was taken to insure that all the envelopes were there.
A bit paranoid, but we certainly passed our auditors requirements.
What's more important, is first be sure there's a known way to get
around the password(s). This is generally the case with physical
access to the hardware. This is yet another reason why it's also
quite important to protect physical access to the hardware.
There are some exceptions, however. E.g. with good encryption, there
isn't a "back door". If the key / passphrase is lost, the data
generally won't be recoverable, period. For cases like that, one can
effectively (e.g. via software and/or procedures) effectively escrow
the encrypted data, e.g. by ensuring that there's some backup means
of getting to the data (e.g. there are multiple "passwords" (or at
least one "backup") which can be used to retrieve the
encryption/decryption key, or which can be used independently to
decrypt the same data (e.g. similar to using gpg to encrypt something
to multiple distinct recipients - either can decrypt the data, as the
data is encrypted to session key(s), and that(/those) key(s) are then
encrypted to the recipients keys.)
Vaults also fail in various ways - expect it. E.g. building blows
up, vault gone, upon testing "passwords" in the vault, 20% are found
not to be correct and current, bad guys crack the vault or steal it,
etc.
If the DB becomes corrupted I'd restore from a known good backup, which we have. As the web page states "there are no backdoors" which, true or not, is what I would expect from *anything* involving encryption. Even if there was a magic back door safety net, I still wouldn't be sending my password data off for recovery, regardless of who the company was or where they were based.
On the subject of them based in the Ukraine, so what? I think it more likely that if the CIA/NSA/whoever have backdoored any encryption programs it's more likely that they will have done the ones in their own country first, so I guess that's PGP out then. Personally, when it comes to security, I assume everything is as secure as wet tissue paper and factor that into my risk analysis and installation - hence this tip about using Windows' file permissions for an additional (independent) level of security. You could also add another layer by using something like TrueCrypt to scramble the partition that the databases were secured on if you wished.
UNIX? They're not even circumcised! Savages!
I know this first part is off-topic, but stick with me.
Isn't the FIRST rule of security that you don't ever share passwords?
And the second, and the third?
Structure your access so that the people who would need to access everything in an "emergency" (whatever that might be) have the proper passwords. Then create one MASTER password changed every week and encoded and writen on paper and kept locked in a keyed vault. Then hand out the other passwords structured UP from the users, through the managers, to the VPs and so on. Make your DB about who has what access, not what their passwords are and you will be more secure. This way you can have certain people responsible for changing passwords without giving them access to anything the passwords control.
Of course I could be talking out of my ass, too.
Here will be an old abusing of God's patience and the king's English.
Just a thought: If you've implemented an RSA tokens for dialup/vpn access you may be able to use them to authenticate to a ssl webpage tied to a database containing the passwords. Don't know if Java, .net, etc can hold them in protected memory, you may have to write a client side app for that. Or I suppose you could just risk other processes reading that memory segment.
Never ascribe to malice what can be adequately attributed to ignorance. -Napoleon
Fag.
Don't fall into the trap of the technical mind; we're talking about a business, here. For business and audit purposes, whether the product actually works as advertised is nowhere near as important as whether the purchasing authority did his due diligence (and can convincingly say he had every reason to believe it didn't have a back door built in), and whether the vendor officially supports the featureset the purchaser will be using (which means they, not the purchaser, can be blamed when the product fails to perform).
Now, purchasing security software from a company in Ukraine makes boths those goals harder to meet, but not impossible. Purchasing closed source software doesn't have any material impact on either of those goals.
Reality has a conservative bias: it conserves mass, energy, momentum...
Here is a product that was demo'd to a network security company I used to work for. IT is an enterprise level PW fault that would accomplish what you are looking for and might add some levels you didn't think of. http://www.cyber-ark.com/networksecurity/passwordv ault.asp
No I don't work for them I saw the post and remembered the demo.
Faster, Cheaper, Secure. Pick 2
First, though I would repeat what someone else posted: using shared passwords is a high risk. It's better to structure your group access appropriately and have people log on as themselves. This way you have a record of who did what and when. Only downside is the number of profiles that get created on servers (Windows), but that's minor.
- Create a secure network location that only those who need to have passwords can reach.
- Create a spreadsheet for each group/level of passwords needed to provide separation.
- Password protect each spreadsheet with a different password and provide that password to the appropriate people.
- Keep a master password list that only two people can access (top forest/domain admin/superroot and IT manager/VP/CIO). Most likely the head of the department and his/her supervisor. This list would only contain the passwords to the other lists and possibly some top level passwords no other group can access.
- Encrypt the directory.
From your description I get the impression that you have a different password per server, service, application, etc. While that separation may provide an extra degree of security, it may not be worth the effort. You might consider using "themed" passwords with l33t/hacker speak. SQLAdmin password might be 5QL.@dm1n#, webadmin could be W3B.@dm1n! and so on. Add your own twist to it so it's not an easily identified pattern. Add other factors to differentiate but be well known to those who understand the environment. i.e. all servers in rack 1 have passwords ending with ! or all IBM servers have passwords starting with an "e".You may be restricted by standards or other outside forces. Regardless of what you use to keep up with passwords, having some obscure yet memorable system for passwords sets a good foundation.
Yes. An LDAP database, Kerberos, perl (or expect) scripts managing access to systems you don't control (so the end user does not know the password of the system at your partner's site, and all access is logged) for example.
But stop trying to find a right way to do it wrong, and work towards doing it right... it's already technically possible (Novell, for example, has an SSO product that leverages their eDirectory/NDS system) you just need to transition towards a better infrastructure that includes identity management coupled directly into access controls.
I use OpenLDAP, perl, Kerberos, samba, and linux. That's the hard but cheap way to do it. It took us five years to implement but we are a large complex shop (and we started implementation seven or eight years ago, so now it's pretty damn solid). If you have more money than expertise use Novell.
the crypt rocks!!!
-- neil @ proslink
The following companies will be more than happy to sell you a password storage/single sign on solution:
Encentuate
ActivIdentity
Passlogix
Lasers Controlled Games!
Another product that tackles the problem of admin passwords id ID-Archive:
:-)
http://mtechit.com/products/idarchive.html
It basically randomizes passwords every 24 hours or so, and uses a central server cluster to archive the newly-randomized passwords, and act as a central point of control through which IT staff retrieve just the ones they are allowed to access, after suitable authentication, with proper access controls and logging.
To those who say use sudo or endorse avoiding passwords entirely: what would you do to deal with 10,000 workstations, which may be offline and/or remote? Most of the privilege-escalation and strong-authentication technologies require a live network connection, which isn't always feasible, especially for workstations.
This product also supports lots of platforms - not just Windows/Linux. It will manage mainframe passwords, SAP, DB passwords, etc. etc.
I do work for the company, so of course you can take what I say with a grain of salt.
- Idan