Security Basics mailing list archives
RE: AW: Multi-User Access to Password Database
From: "D N Vaidya" <dnvaidya () rilinfo net>
Date: Thu, 24 Jul 2003 09:22:55 +0530
Hi Friends,

As we are also using thousands of servers, we are using one method to generate the password of the server. That method is given to all authorised persons. The method is based on the IP address of that server. But the drawback of this system is that everybody in that group who knows the method to generate the password can access any server. A user-group-wise credentials system is not possible in this way.

Method example: say the IP of the server is 12.12.13.14; then we can concentrate on the last octet, because generally only that part is unique for that machine. In this case 14 is the last octet. Now we can represent 14 in various formats as the password of that machine, e.g. consider 014: now take the ASCII equivalent of these digits and use it as a password. Also we can add the first octet at the end of the ASCII sequence.

Hope this will help u.

Sincerely,
D.N.Vaidya

-----Original Message-----
From: Birl [mailto:sbirl () temple edu]
Sent: Tuesday, July 15, 2003 9:33 PM
To: security-basics () securityfocus com
Subject: Re: AW: Multi-User Access to Password Database

As it was written on Jul 14, thus John Brightwell spake unto Meidinger...:

John: Date: Mon, 14 Jul 2003 18:51:02 +0100 (BST)
John: From: "[iso-8859-1] John Brightwell" <brightwell_151 () yahoo co uk>
John: To: Meidinger Chris <chris.meidinger () badenit de>,
John:     security-basics () securityfocus com
John: Subject: Re: AW: Multi-User Access to Password Database
John:
John: We have a large number of systems each requiring a
John: different password and I don't expect the sys admins
John: to be able to remember them all (That's probably 100+
John: passwords when you take into account network equipment
John: as well as unix and windows boxes - and that doesn't
John: include all the desktop machines).
John:
John: Faced with having to remember that many passwords and
John: bearing in mind that some systems might not be used on
John: a daily basis. I think it's expecting a bit much for
John: the Admins to keep them all in their heads!
John: There's a
John: danger that they will write down the less used
John: passwords or maybe they'll reuse passwords across
John: multiple systems or they'll use easy to guess
John: passwords (you can be certain there will be a
John: disincentive to expire the passwords after x months)
John:
John: I can't see this Board Member being very impressed
John: with the constant interruption. This would possibly be
John: more appropriate for a DR solution for password
John: access. Although I'd perhaps avoid using a very senior
John: manager or Board member. IMO you need someone senior
John: enough to be trusted, yet accountable enough not to
John: ignore the procedures around access to the passwords -
John: perhaps HR or Legal...but that's another debate.
John:
John: For what I require - ongoing access to passwords - it
John: really needs to be a system solution
John:
John: I suspect that you are talking from the perspective of
John: a small company - in which case you may have
John: relatively few systems.
John:
John: I'm sure there must be products that do this - I was
John: just hoping that someone listening in on this thread
John: might have done it before.
John:
John: Thanks Anyway
John:
John: --- Meidinger Chris <chris.meidinger () badenit de>
John: wrote:
John: > Hi John,
John: >
John: > how often do these people need to learn new
John: > passwords?
John: >
John: > Most companies that I have been involved with have
John: > one super-person (usually
John: > something close to a board member - or in German
John: > often the Prokurist, no
John: > idea what that title is called in English) who keeps
John: > the list and gives
John: > passwords out on a need to know basis.
John: >
John: > There are, in my opinion, many advantages to having
John: > a human factor in the
John: > equation rather than relying on machines.
John: >
John: > badenIT GmbH
John: > System Support
John: >
John: > Chris Meidinger
John: > Tullastrasse 70
John: > 79108 Freiburg
John: >
John: >
John: >
John: > Dear All
John: >
John: > Looking through the archive of security newsgroups
John: > and
John: > mailing lists it looks as though there have been a
John: > few
John: > threads related to personal storage of passwords.
John: >
John: > Typically this results in a file or index of
John: > passwords
John: > encrypted and protected by a single password.
John: >
John: > I need to store a number of passwords and these must
John: > be available to a group of support personnel and
John: > engineers.
John: >
John: > 1. I don't want to have a single shared password to
John: > access this data because it gets widely known and
John: > abused (it's also impossible then to identify who is
John: > accessing the information)
John: >
John: > 2. I want to be able to identify the person
John: > requesting
John: > the information so that an audit trail can be
John: > produced
John: > (useful to get an idea who knows each password) and
John: > so
John: > that only a subset of the passwords are available to
John: > that user (determined by their need to access the
John: > equipment)
John: >
John: > 3. The database used must securely encrypt the
John: > password information
John: >
John: > I don't particularly want to burden the support staff
John: > with yet another password, so ideally it would be good
John: > to use one of the current methods of authentication
John: > that we use.
John: > We use ssh so the authentication to the database can
John: > be based on the ssh private key.
John: > We use SecurID so the authentication can be based on
John: > the token (I prefer this one ... it also seems more
John: > likely than ssh-key based).
John: >
John: > Can anyone think of a likely application ... how do
John: > you store your system passwords?
John: >
John: > It doesn't have to be freeware/open source (I've got
John: > limited coding ability and even more limited time so I
John: > don't fancy starting from scratch) ... although I
John: > guess I'd need to be fairly certain that there are no
John: > backdoors coded into the application (a reputable
John: > source perhaps)

I typically store my personal passwords in a plain text file located inside of a PGPDisk. The PGPDisk being the size of 1024 kilobytes, formatted as FAT.

This way:
* The passwords are encrypted
* Only 1 password needs to be remembered -- to unlock the PGPDisk
* Small enough to fit on a floppy and lock it away.

Thanks

Scott Birl                              http://concept.temple.edu/sysadmin/
Senior Systems Administrator            Computer Services
Temple University
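An added example, not part of the original post or thread: a Python sketch of one reading of the IP-based scheme D.N. Vaidya describes, beside an HMAC-based derivation in which each user group holds its own key, which addresses the drawback he names. The function names, the sample keys and the HMAC construction are assumptions made for illustration.

```python
import base64
import hashlib
import hmac


def ip_scheme_password(ip: str) -> str:
    """One reading of the posted scheme: zero-pad the last octet to three
    digits, write each digit's ASCII code, then append the first octet."""
    octets = ip.split(".")
    padded = octets[3].zfill(3)                      # "14" -> "014"
    return "".join(str(ord(d)) for d in padded) + octets[0]


def ip_scheme_keyspace(first_octet: str = "12") -> int:
    """Count the distinct passwords the scheme yields for one first octet.
    The result depends only on public address data, never on a secret."""
    return len({ip_scheme_password(f"{first_octet}.0.0.{n}") for n in range(256)})


def group_scoped_password(group_key: bytes, host: str) -> str:
    """Alternative (assumption, not from the thread): HMAC-SHA256 keyed with a
    per-group secret, so only holders of that group's key can derive it."""
    mac = hmac.new(group_key, host.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:15]).decode("ascii")  # 15 bytes -> 20 chars


# Constructed sample keys; real group keys would be random (secrets.token_bytes)
# and handed only to the members of the matching group.
UNIX_TEAM_KEY = hashlib.sha256(b"constructed-unix-team-secret").digest()
NETWORK_TEAM_KEY = hashlib.sha256(b"constructed-network-team-secret").digest()
HOST = "12.12.13.14"  # the address used in the post

if __name__ == "__main__":
    print("IP-based scheme      :", ip_scheme_password(HOST))
    print("distinct outputs     :", ip_scheme_keyspace())
    print("unix team derives    :", group_scoped_password(UNIX_TEAM_KEY, HOST))
    print("network team derives :", group_scoped_password(NETWORK_TEAM_KEY, HOST))
```

Rotating one group's key changes only the passwords derived from it, so membership changes in one group do not force a change on servers owned by another.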