Security Basics mailing list archives
Re: Password Storage
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Wed, 2 Aug 2006 09:56:33 +0530
On 01/08/06 15:11 +0000, Doug W wrote:
Hi Everyone What do people generally do in the case of password storage? For example, I strongly believe that storing passwords in documents is a terrible idea as I am sure you would agree.
Personally, I am the fan of one password for all things. And then make sure that this is a strong password. Making me change my 15 character mixed case, numeric and special character using password is likely to have bad effects on security.
However, how do you account for having multiple support staff, possibly working off site, most with extremely bad memories (unfortunately), and in need of high level rights to fix systems etc.
For everything else, sudo(8) is your friend. Logging in using ssh, with key only authentication works fine.
I also try to enforce that all actions are taken wtih the users own privileged account for auditing purposes but when building machines,
Use software like cfengine, isconf4, puppet, bcfg2 ... for such purposes.
installing software or troubleshooting problems, service accounts and administrations accounts may be required.
About the only time the administrative password should be needed is for major troubleshooting. Of course, all the above applies to Unixy systems. Devdas Bhagat --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Password Storage Doug W (Aug 01)
- Re: Password Storage PCSC Information Services (Aug 02)
- Re: Password Storage Devdas Bhagat (Aug 02)
- Re: Password Storage Rob klein Gunnewiek (Aug 02)
- Re: Password Storage Robert Larsen (Aug 02)
- Re: Password Storage Ayaz Ahmed Khan (Aug 03)
- RE: Password Storage Nicholas Fanelli (Aug 02)
- Re: Password Storage Greg Merideth (Aug 03)
- Re: Password Storage Saqib Ali (Aug 04)
- Re: Password Storage Glenn English (Aug 03)
- Re: Password Storage Kenton Smith (Aug 03)
- <Possible follow-ups>
- Re: Password Storage guhus (Aug 02)
- Re: Password Storage info (Aug 02)
(Thread continues...)