Educause Security Discussion mailing list archives
Re: Managing passwords. Storing passwords.
From: Josh Drummond <jdrummon () UCI EDU>
Date: Tue, 4 Mar 2008 14:29:13 -0800
I found that these are fine for personal use, but don't scale to the enterprise. It is common for different people in an organization to need to be able to get/set the same password, i.e. sysadmin team all need access to root/administrator/sa etc. or for disaster recovery purposes. I've seen surprisingly few password safe type applications have the ability to delegate access controls on the passwords you keep and allow multiple users.

Based on the recommendation from this thread: http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=SECURITY&P=R19268&D=0&I=-3 on this very same list earlier last year I've been looking at Secret Server. Putting any anti-Microsoft biases aside, it seems to be one of the few that actually has that feature.

At 08:47 AM 3/4/2008, Warner, David F wrote:
We have been using password safe. http://passwordsafe.sourceforge.net/

I have also heard keepass is a good solution. http://sourceforge.net/projects/keepass/

Both are open source projects available for free.

David Warner
Senior Security Specialist
CT Community Colleges

----------
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L
Sent: Tuesday, March 04, 2008 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managing passwords. Storing passwords.

I was wondering more along the lines of the process that system administrators use to secure passwords they need to use/remember. Recommended applications to use or avoid? Processes that you currently support?

-Charlie
==========================================
Charles Bombard, GSEC
LAN/Systems Administrator
Community College of Vermont
119 Pearl Street
Burlington, VT 05401
802.657.4234
bombardc () ccv edu

PRIVACY & CONFIDENTIALITY NOTICE: This message is for the designated recipient only and may contain privileged, confidential, or otherwise private information. If you have received it in error, please notify the sender immediately and delete the original. Any other use of an email received in error is prohibited.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Hanny
Sent: Tuesday, March 04, 2008 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managing passwords. Storing passwords.

I am currently testing a product by edmz security (http://edmzsecurity.com) that allows multiple users to connect to systems for privileged tasks. It is an appliance that acts as a proxy between authorized users and the system being managed. I really like the functionality of the appliance.

Having said that, I am having security do a full assessment on the device before I recommend deploying it on our network. You may want to look at their website and see if it looks like the type of system you are looking for.

Respectfully,
Jon Hanny, CISSP
Applications Security Specialist
The George Washington University
jehanny () gwu edu
www.gwu.edu

----------
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L
Sent: Tuesday, March 04, 2008 8:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Managing passwords. Storing passwords.

What policy do you have for having a password storage utility? What do you use/sanction?

-Charlie
==========================================
Charles Bombard, GSEC
LAN/Systems Administrator
Community College of Vermont
119 Pearl Street
Burlington, VT 05401
802.657.4234
bombardc () ccv edu
----------
Josh Drummond
Security Architect
Administrative Computing Services, University of California - Irvine
jdrummon () uci edu
949.824.9574