Slashdot Mirror

← Back to Stories (view on slashdot.org)

Suggestions for Company Wide Password Vault?

Posted by ryuzaki0 on from the just-don't-lose-the-combination dept.

androidtopp asks: "My company, an IT and business consulting firm of around 150 people, is looking for a Password Vault/Manager/Database solution to manage the numerous passwords we've developed in the course of a major internal network and server upgrade. Our must haves are multiple privilege levels (I don't need to see network passwords, and the network guys don't need to see database passwords, and so on) and it would be nice if we could view when people last retrieved each password. Does anyone manage passwords in this fashion at their work/home? A lot of the free password managers are one user, full access, which is a little less secure than we need. How do other companies (small or large) manage the hundreds of server, network, database, and application passwords that must crop up?"

4 of 100 comments (clear)

  1. Don't. by David+McBride · · Score: 2, Insightful

    Use Kerberos instead.

  2. Re:Don't. (Kerberos can't be used for everything) by cblack · · Score: 2, Insightful

    Sadly, Kerberos can't be used for everything. Especially logins to systems you don't control such as support and vendor ordering logins that should be available to people.

  3. Physical vault by whitehatlurker · · Score: 2, Insightful
    When I read this, I saw it as a physical vault - a locked, fireproof box in a secure location in your premises. This is a good idea, especially for important "secrets" which may cause problems if lost. (The password to the payroll system, for example. Your payroll accountant goes into a coma, you might have to get in to make sure that at least you [the IT people] get paid.)

    Storing these things electronically is dangerous. Storing them on an electronic box which can be accessed over a network (any network) is just stupid.

    --
    .. paranoid crackpot leftover from the days of Amiga.
  4. Re:Shared Passwords BAD by Spazmania · · Score: 2, Insightful

    As far as I'm concerned (and It's an informed opinion), shared passwords are BAD.

    As far as I'm concerned, you're right. Now, try setting up multiple accounts on an old APC masterswitch, multiple enable secrets on a cisco switch and setting up your unix box to allow multiple accounts to perform an fsck during a unix boot failure.

    We live in a practical world man.

    Set up RADIUS/TACACS+ for authentication for all your network devices. [...] password lookups by LDAP

    Sure, because putting administrative access control for critical network infrastructure behind two layers of complex servers is a winning strategy.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.