Security Basics mailing list archives

Re: Password Storage

From: PCSC Information Services <info () pcsage biz>
Date: Tue, 1 Aug 2006 20:52:05 -0400

Hi Doug,
Have you considered a certificate based authentication mechanism?

http://www.utexas.edu/its/unix/reference/oracledocs/v92/B10501_01/network.920/a96582/pki.htm (Google is your friend)

has some insights into the use and deployment of PKI forauthentication. Passwords are 'the weakest link' in the securitychain and if you're in a position to influence or write policy it isa highly recommended method for authentication. Furthermore if youare keen to store different certificates for different users youmight consider LDAP, as is mentioned in the linked document. This isby no means the most comprehensive site for PKI but you mightconsider this approach if you find that your organization needs toprotect itself from lost passwords. With this methodology, you couldalso enable a single sign-on mechanism thereby eliminating the needfor users to require multiple passwords, and worse, rememberingmultiple passwords.


Sean Swayze
swayze AT pcsage DOT biz

Try? There is no try. Do or do not! - Yoda

On 1-Aug-06, at 11:11 AM, Doug W wrote:

Hi Everyone
What do people generally do in the case of password storage? Forexample, I strongly believe that storing passwords in documents isa terrible idea as I am sure you would agree.
However, how do you account for having multiple support staff,possibly working off site, most with extremely bad memories(unfortunately), and in need of high level rights to fix systems etc.
I also try to enforce that all actions are taken wtih the users ownprivileged account for auditing purposes but when buildingmachines, installing software or troubleshooting problems, serviceaccounts and administrations accounts may be required.
Or, is this problem more universal than I think and forcing peopleto not document passwords will be an interesting challenge?
D
---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of AcademicExcellence in Information Security. Our program offers unparalleledInfosec management education and the case study affords youunmatched consulting experience. Using interactive e-Learningtechnology, you can earn this esteemed degree, without disruptingyour career or home life.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.


http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Password Storage Doug W (Aug 01)
- Re: Password Storage PCSC Information Services (Aug 02)
- Re: Password Storage Devdas Bhagat (Aug 02)
- Re: Password Storage Rob klein Gunnewiek (Aug 02)
- Re: Password Storage Robert Larsen (Aug 02)
  - Re: Password Storage Ayaz Ahmed Khan (Aug 03)
- RE: Password Storage Nicholas Fanelli (Aug 02)
- Re: Password Storage Greg Merideth (Aug 03)
  - Re: Password Storage Saqib Ali (Aug 04)
- Re: Password Storage Glenn English (Aug 03)
- Re: Password Storage Kenton Smith (Aug 03)
- <Possible follow-ups>
- Re: Password Storage guhus (Aug 02)

(Thread continues...)