Security Basics mailing list archives

Re: Password Storage

From: "Greg Merideth" <gmerideth () ftnj net>
Date: Wed, 2 Aug 2006 10:44:06 -0400

For websites and forums I use a program called password safe
[http://passwordsafe.sourceforge.net/] which stores your pw's in an
encrypted file with a master password to secure.  Given the number of
sites that require registration to perform simple tasks as downloading
bios updates or firmware a program like password safe helps me a great
deal.  There's over five hundred passwords in my pwdb now.

We have a custom app that requires two passwords entered [from two
different users] to access passwords for our servers and customers
servers.  Double encrypting a file with passwords would do the same
thing.  [think of it like the two air force officers turning two keys
to launch missiles].

On 8/1/06, Doug W <dougiegee () hotmail com> wrote:

Hi Everyone

What do people generally do in the case of password storage?  For example, I
strongly believe that storing passwords in documents is a terrible idea as I
am sure you would agree.

However, how do you account for having multiple support staff, possibly
working off site, most with extremely bad memories (unfortunately), and in
need of high level rights to fix systems etc.

I also try to enforce that all actions are taken wtih the users own
privileged account for auditing purposes but when building machines,
installing software or troubleshooting problems, service accounts and
administrations accounts may be required.

Or, is this problem more universal than I think and forcing people to not
document passwords will be an interesting challenge?

D



---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence
in Information Security. Our program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Using interactive e-Learning technology, you can earn this esteemed degree,
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------



--
Greg Merideth
Forward Technology, LLC.
CTO & Other Wild Stuff
gmerideth () forwardtechnology net
PGP Fingerprint
D0FCCD39743A6ABF87470A87EDE382594968A60A
"10b|~10b" - Shakespeare

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE

The NSA has designated Norwich University a center of Academic Excellencein Information Security. Our program offers unparalleled Infosec managementeducation and the case study affords you unmatched consulting experience.Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life.


http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

Current thread:

Password Storage Doug W (Aug 01)
- Re: Password Storage PCSC Information Services (Aug 02)
- Re: Password Storage Devdas Bhagat (Aug 02)
- Re: Password Storage Rob klein Gunnewiek (Aug 02)
- Re: Password Storage Robert Larsen (Aug 02)
  - Re: Password Storage Ayaz Ahmed Khan (Aug 03)
- RE: Password Storage Nicholas Fanelli (Aug 02)
- Re: Password Storage Greg Merideth (Aug 03)
  - Re: Password Storage Saqib Ali (Aug 04)
- Re: Password Storage Glenn English (Aug 03)
- Re: Password Storage Kenton Smith (Aug 03)
- <Possible follow-ups>
- Re: Password Storage guhus (Aug 02)
- Re: Password Storage info (Aug 02)
- Re: Password Storage c . brace (Aug 02)
  - Re: Password Storage Needs More Longcat (Aug 03)
- RE: Password Storage Del Thompson (Aug 02)
  - RE: Password Storage Dunigan, Michael (Aug 03)
- RE: Password Storage Krpata, Tyler (Aug 03)

(Thread continues...)