RE: Password management

["Andrew Shore" <andrew.shore () holistecs com>]

Perhaps a physical solution of a different type may solve your problems.

Some form of identity token solution with strict logging may be a way
forward. This way there is not requirement to record passwords.

HTH

Andy 

-----Original Message-----
From: Leon North [mailto:leon_nc () linuxmail org] 
Sent: 09 November 2004 10:16
To: aldr1c
Cc: security-basics () securityfocus com
Subject: RE: Password management

We are looking for an online solution, because the passwords are complex
and changing regularly. Up until now we have used a solution similar to
the physical safe idea you mentioned, but this isn't so practical for an
admin to 'quickly' look up the current password of the system they want
to connect to.

----- Original Message -----
From: "aldr1c" <aldr1c () nildram co uk>
To: "'Leon North'" <leon_nc () linuxmail org>
Subject: RE: Password management
Date: Mon, 8 Nov 2004 20:31:55 -0000

> Leon,
>
>       There are several packages out there that can do what you are
> looking for; your chosen solution will depend upon your environment.
> Working in secure facilities (well, complying with regulations set
down by
> the Government and other interested agencies;-) ) we use a fairly low
tech
> mechanism.  We hold a standalone computer with removable HD which is
kept in
> a security container along with our other sensitive network
documentation.
> On this we hold a spreadsheet of all of our sys passwords and
certificates.
> This is purely for our convenience.  When we create/change one of our
> passwords, the new string is written down, sealed in a marked envelope
and
> 'stored in a manner commensurate with its protective marking' by our
SSO.
> The same is done with exported certs.
>
> Would this sort of approach cover your needs, or is there a driver for
an
> on-network, high tech solution?
>
> All the best
>
> Aldr1c
>
> -----Original Message-----
> From: Leon North [mailto:leon_nc () linuxmail org] 
> Sent: 08 November 2004 14:13
> To: security-basics () securityfocus com
> Subject: Password management
>
> Hi,
>
> We are looking for advice on how others handle recording of passwords
in IT
> departments. 
>
> Whenever we look at this all we get back are Single Sign On (SSO) &
related
> solutions, which is not what we want at the moment. We are more
interested
> in purely secure & granular network storage for passwords. I'm
surprised
> there isn't more around that does this, given that there must be
plenty of
> IT departments still without SSO, that are needing to remember a
number of
> regularly changing passwords for various systems. How do they record
them,
> but also only allow appropriate levels of access, i.e. access to
passwords
> of systems that each person in the department should have access to?
>  
> So far, apart from simply encrypted, password protected spreadsheets,
the
> only solution that I have found that does precisely this is the
Cyber-Ark
> Password Vault. If anybody has used this or any other similar products
I'd
> be very interested to hear what, and how well they worked.
>
> If not, what do you do instead? 
>
> Any help appreciated.
>
> Leon
> -- 
> ______________________________________________
> Check out the latest SMS services @ http://www.linuxmail.org 
> This allows you to send and receive SMS through your mailbox.
>
>
> Powered by Outblaze
>
> ---
> Incoming mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004
>  
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.789 / Virus Database: 534 - Release Date: 07/11/2004
>  

-- 
______________________________________________
Check out the latest SMS services @ http://www.linuxmail.org 
This allows you to send and receive SMS through your mailbox.


Powered by Outblaze