Suggestions for Company Wide Password Vault?
androidtopp asks: "My company, an IT and business consulting firm of around 150 people, is looking for a Password Vault/Manager/Database solution to manage the numerous passwords we've developed in the course of a major internal network and server upgrade. Our must haves are multiple privilege levels (I don't need to see network passwords, and the network guys don't need to see database passwords, and so on) and it would be nice if we could view when people last retrieved each password. Does anyone manage passwords in this fashion at their work/home? A lot of the free password managers are one user, full access, which is a little less secure than we need. How do other companies (small or large) manage the hundreds of server, network, database, and application passwords that must crop up?"
This is what we do for a much smaller group of admins and systems:
Create a simple text file with the systems, usernames and passwords. GPG/PGP encrypt this file to a list of recipients. Now you have a single encrypted file that can be decrypted by any of the recipients. You could break this out into multiple levels by having multiple files, one for each group of "only these users have these passwords" and each file is encrypted to different sets of users.
No logging, nothing fancy, but it just plain works and doesn't require lots of money or time to set up.
One bit of advice: include your web passwords for vendor support or ordering in here as well, not just your internal systems.
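The per-group GPG scheme described in the post above, worked through as an added example (this is not code from the original poster): one plaintext file per privilege level, each encrypted to the key IDs listed in a group file, so a member of the network group cannot read the database file. The `groups/` and `vault/` layout, the group names, the `alice@example.com`/`bob@example.com` user IDs and the sample vault entries are all assumptions constructed for this illustration.

```sh
#!/bin/sh
# Added example, not code from the original post: a per-group GPG-encrypted
# password vault. Directory names, group names, key user IDs and the sample
# passwords below are constructed for this illustration.
set -eu

# Assumed layout:
#   groups/<group>          one GPG key ID or e-mail per line; '#' starts a comment
#   vault/<group>.txt       plaintext, present only while editing
#   vault/<group>.txt.asc   the same file encrypted to everyone in groups/<group>

recipients() {
    # Print the key IDs allowed to read group $1, skipping blanks and comments.
    grep -Ev '^[[:space:]]*(#|$)' "groups/$1" || true
}

encrypt_group() {
    # Encrypt vault/<group>.txt to exactly the recipients of that group.
    group=$1
    set --                                   # build the "-r id" argument list
    for id in $(recipients "$group"); do set -- "$@" -r "$id"; done
    if [ $# -eq 0 ]; then
        echo "refusing to encrypt $group: no recipients listed" >&2
        return 1
    fi
    # --trust-model always: the group file, not the web of trust, is the
    # access-control decision, so imported but unsigned public keys are accepted.
    gpg --batch --yes --quiet --trust-model always --armor "$@" \
        --encrypt -o "vault/$group.txt.asc" "vault/$group.txt"
}

gen_key() {
    # Passphrase-less throwaway key pair in keyring directory $1 for user ID $2.
    GNUPGHOME=$1 gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}

demo_roundtrip() {
    # Two admins with separate keyrings: alice (network) and bob (database).
    # Returns 0 when each can decrypt only their own group's file.
    work=$(mktemp -d /tmp/pv.XXXXXX)
    alice=$work/alice_home; bob=$work/bob_home
    mkdir -m 700 "$alice" "$bob"
    if (
        cd "$work" && mkdir groups vault
        printf 'alice@example.com\n' > groups/network
        printf 'bob@example.com\n'   > groups/database
        # Constructed sample entries: system, account, password.
        printf 'core-sw1 admin Example-Net-Pass\n'  > vault/network.txt
        printf 'pgsql01 postgres Example-DB-Pass\n' > vault/database.txt

        gen_key "$alice" alice@example.com
        gen_key "$bob"   bob@example.com
        # Alice maintains the vault, so her keyring needs Bob's public key.
        GNUPGHOME=$bob gpg --batch --export bob@example.com \
            | GNUPGHOME=$alice gpg --batch --quiet --import
        export GNUPGHOME=$alice
        encrypt_group network
        encrypt_group database
        rm vault/network.txt vault/database.txt    # no plaintext left on disk

        # Alice decrypts the network file ...
        [ "$(gpg --batch --quiet --decrypt vault/network.txt.asc)" = \
          'core-sw1 admin Example-Net-Pass' ]
        # ... but holds no secret key that can open the database file.
        if gpg --batch --quiet --decrypt vault/database.txt.asc >/dev/null 2>&1; then
            exit 1
        fi
        # Bob, from his own keyring, decrypts the database file.
        [ "$(GNUPGHOME=$bob gpg --batch --quiet --decrypt vault/database.txt.asc)" = \
          'pgsql01 postgres Example-DB-Pass' ]
    ); then status=0; else status=1; fi
    GNUPGHOME=$alice gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$bob   gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}

if [ "${1:-}" = demo ]; then
    demo_roundtrip && echo "per-group vault split works"
fi
```

Run it as `sh vault.sh demo` to see the split enforced end to end. Two caveats the post itself hints at with "no logging": nothing records who decrypted what, and removing someone from a group file only affects files encrypted from then on, since any copy they already pulled stays readable with their key. Rotate the passwords in a file when its group membership shrinks, not just re-encrypt it.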
The first question I'd ask is, do you need this for distributing passwords to the people who need to use them, or for escrowing passwords so you can get access to them in an emergency when the people who normally use them and know them aren't available?
MIIS with foreign export (LDAP, flat file, Novell, etc.) is like $25K per processor. However it is free between AD stores, including Active Directory Application Mode (ADAM). One drawback is that you can't debug it with VS2005; you have to use the older version. Even then I was not successful; the project has been de-emphasized so I haven't had a chance to set it all up again and reproduce the issue with M$ support.
What you might be able to do is combine the free MIIS and the *ix support in 2003 Server R2 to push passwords from AD to a *ix LDAP and sync the non-MS with the LDAP.
I wonder if they are thinking about this in the SAMBAv4 development. It'd be a kick to see them outfox M$ highway robbery.
MIIS FAQ http://www.microsoft.com/windowsserversystem/miis2003/evaluation/faqs/default.mspx
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
This isn't really a single sign on need as far as I can tell.
Sure, SSO helps out heaps with access control on all the machines on your LAN, but there are a ton of other passwords a typical IT team will need to keep track of that it can't help out with, e.g. passwords for domain registrars, CA logins for SSL certs, logins for supplier or partner extranets, DMZ or externally hosted servers, any lower-end network devices that can't integrate with your SSO system, AD recovery accounts, local admin accounts, all those Unix services that can't/won't integrate with SSO, etc.