Security Basics mailing list archives

Re: RE: Password Storage


From: krymson () gmail com
Date: 2 Aug 2006 18:59:52 -0000

I also recommend PasswordSafe to store passwords.

My previous job put me on a team of geographically dispersed admins. Having a central store was not the best option for 
us.

Instead, we distributed passwords either over the phone or in PGP-encrypted emails. Some admins were at home, so they 
stored things however they wanted to, but most of us used PasswordSafe on our own systems to keep an encrypted store. 
You can then back up your own database file on a central fileserver or just to a CD or something if you'd like. I 
usually had a copy on a thumbdrive (along with the installer for PasswordSafe) so that I could access it at home.

I shouldn't even address it, as it can easily hijack the thread, but password complexity and password vs single sign-on 
are definitely very arguable topics. If you want to see how divided security people are about password security, just 
throw those on the discussion table. :)  Suffice to say there is no one recommended way to do it, and no silver bullet 
method that beats the others. It's all one big game of paper/rock/scissors, depending on your environment.

Just to mention, even re-using one complex password for many things is dangerous. In this case, you need to absolutely 
trust every instance that password is used. I will tell you that if I get into a system/network and glean a password, 
it gets added to the top of my dictionary list for any other attempts on similar systems or other devices in a 
corporate network. Little falls faster than widely shared passwords.
