Suggestions for Company Wide Password Vault?
androidtopp asks: "My company, an IT and business consulting firm of around 150 people, is looking for a Password Vault/Manager/Database solution to manage the numerous passwords we've developed in the course of a major internal network and server upgrade. Our must haves are multiple privilege levels (I don't need to see network passwords, and the network guys don't need to see database passwords, and so on) and it would be nice if we could view when people last retrieved each password. Does anyone manage passwords in this fashion at their work/home? A lot of the free password managers are one user, full access, which is a little less secure than we need. How do other companies (small or large) manage the hundreds of server, network, database, and application passwords that must crop up?"
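As an added illustration of the two must-haves in the question (per-team privilege levels and a record of who last retrieved each password), here is a small vault model written for this thread; it is not code from any product mentioned on the page. It uses only the Python standard library, so the cipher is a toy HMAC-SHA256 counter-mode keystream with encrypt-then-MAC rather than AES-GCM; the team passphrases, user names and secret values are constructed sample data, and the vault looks up the caller's team key itself (a real deployment would wrap each team key to each member rather than keep them in one table). The point it demonstrates is that a secret owned by the network team is unreadable to a database admin because he holds no key for it, not merely because an `if` says so, and that every attempt, allowed or denied, lands in an audit log that `last_retrieved()` can answer from.

```python
import hashlib
import hmac
import os
import time


def derive_team_key(team_passphrase: str, team: str) -> bytes:
    """Derive a 32-byte key for one team. The team name is used as the salt only
    to keep the example self-contained; a real vault stores a random salt per team."""
    return hashlib.pbkdf2_hmac("sha256", team_passphrase.encode(),
                               b"vault-team:" + team.encode(), 200_000)


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and authentication keys from the single team key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stream cipher chosen only to avoid a non-stdlib AES.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(team_key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC; returns the record the vault stores at rest."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(team_key, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(team_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(team_key: bytes, rec: dict) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    expected = hmac.new(_subkey(team_key, b"mac"), rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("record tampered with or wrong team key")
    ks = _keystream(_subkey(team_key, b"enc"), rec["nonce"], len(rec["ct"]))
    return bytes(a ^ b for a, b in zip(rec["ct"], ks))


class Vault:
    """Each secret belongs to one team and is sealed under that team's key, so a
    user without the key cannot read it. Every access attempt is audited."""

    def __init__(self):
        self.memberships = {}   # user -> {team: team_key}  (simplified: keys held server-side)
        self.secrets = {}       # name -> {"team": str, "rec": sealed record}
        self.audit = []         # (timestamp, user, secret name, outcome)

    def add_user(self, user: str, team_keys: dict) -> None:
        self.memberships[user] = dict(team_keys)

    def add_secret(self, actor: str, name: str, team: str, value: str) -> None:
        key = self.memberships.get(actor, {}).get(team)
        if key is None:
            self._log(actor, name, "denied-write")
            raise PermissionError(f"{actor} is not in team {team}")
        self.secrets[name] = {"team": team, "rec": seal(key, value.encode())}
        self._log(actor, name, "written")

    def get_secret(self, actor: str, name: str) -> str:
        entry = self.secrets[name]
        key = self.memberships.get(actor, {}).get(entry["team"])
        if key is None:
            self._log(actor, name, "denied")
            raise PermissionError(f"{actor} may not read {name} (team {entry['team']})")
        value = unseal(key, entry["rec"]).decode()
        self._log(actor, name, "retrieved")
        return value

    def last_retrieved(self, name: str):
        """Most recent successful retrieval of a secret as (timestamp, user, name, outcome), or None."""
        hits = [e for e in self.audit if e[2] == name and e[3] == "retrieved"]
        return hits[-1] if hits else None

    def _log(self, actor: str, name: str, outcome: str) -> None:
        self.audit.append((time.time(), actor, name, outcome))


def demo() -> Vault:
    """Constructed sample data: a network admin, a DBA, and one secret owned by each team."""
    net_key = derive_team_key("correct horse battery staple", "network")   # constructed passphrase
    db_key = derive_team_key("another long team passphrase", "database")   # constructed passphrase
    v = Vault()
    v.add_user("alice", {"network": net_key})
    v.add_user("bob", {"database": db_key})
    v.add_secret("alice", "core-switch-enable", "network", "S3cr3t-enable")  # constructed value
    v.add_secret("bob", "prod-db-sa", "database", "sa-Passw0rd")             # constructed value
    return v
```

Running `demo()` and then `get_secret("bob", "core-switch-enable")` raises `PermissionError` and leaves a "denied" entry in `vault.audit`, while a flipped byte in a stored record makes `unseal()` fail closed with `ValueError` before any plaintext is produced.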
Use Kerberos instead.
Sadly, Kerberos can't be used for everything, especially for logins to systems you don't control, such as support and vendor-ordering logins, that should be available to people.
Storing these things electronically is dangerous. Storing them on an electronic box which can be accessed over a network (any network) is just stupid.
.. paranoid crackpot leftover from the days of Amiga.
Part of my responsibility is related to information security, and as such, I have been exposed to a number of propositions related to password security. The bottom lines are that:
1. No two people should EVER share a password; passwords must be individual, otherwise they have little or no meaning.
2. Every time a password is reset, it must be a "one-shot" reset, forcing the user to change it again before he/she can use it.
3. Passwords must be changed every 90 days (maximum), and there must be a certain length of time before the same password can be reused.
4. The user must be the one who is forced to change the password, and it must not be shared with anyone.
5. The support point must have the ability to reset passwords, but not to use the account once the password is reset.
6. In case of requiring urgent access to someone's individual password, that must not be made available without an explicit directive from a company officer, in writing, before the support point will reset the password and give the reset password to anyone other than the user whose password it is.
7. Passwords must at a minimum be 7 characters in length, and contain at least one alpha character and one numeric character.
If you want to piss someone off, use a password generator to create a random password whenever the password has to be renewed - people like to have a password that they have at least a chance of remembering, but this is more secure. Do that, and you'll have some level of security. Use your password vault, with shared passwords, and you might just as well not use anything.
Will those of you who think that you know what you are doing, get out of the way of those of us who know what we are doi
As far as I'm concerned (and it's an informed opinion), shared passwords are BAD.
As far as I'm concerned, you're right. Now, try setting up multiple accounts on an old APC MasterSwitch, multiple enable secrets on a Cisco switch, and setting up your Unix box to allow multiple accounts to perform an fsck during a Unix boot failure.
We live in a practical world, man.
Set up RADIUS/TACACS+ for authentication for all your network devices. [...] password lookups by LDAP.
Sure, because putting administrative access control for critical network infrastructure behind two layers of complex servers is a winning strategy.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.