Educause Security Discussion mailing list archives

Re: Managing passwords. Storing passwords.


From: Ray Bruder <bruder () DUQ EDU>
Date: Wed, 5 Mar 2008 08:28:27 -0500

Has anyone looked into the Thycotic software for managing passwords?  We
have just recently begun research into different packages and this is one of
the first we are looking at.  It appears to offer many of the features others
seem to be looking for but this is only after reading reports.  We haven't
downloaded and tested the product yet.



  _____

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Josh Drummond
Sent: Tuesday, March 04, 2008 5:29 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managing passwords. Storing passwords.



I found that these are fine for personal use, but don't scale to the
enterprise.  It is common for different people in an organization to need to
be able to get/set the same password, i.e. sysadmin team all need access to
root/administrator/sa etc or for disaster recovery purposes.  I've seen
surprisingly few password safe type applications have the ability to
delegate access controls on the passwords you keep and allow multiple users.
Based on the recommendation from this thread:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=SECURITY&P=R19268&D=0&I=-3
on this very same list earlier last year I've been looking at Secret Server.
Putting any anti-Microsoft biases aside, it seems to be one of the few that
actually has that feature.


At 08:47 AM 3/4/2008, Warner, David F wrote:



We have been using password safe.
http://passwordsafe.sourceforge.net/

I have also heard keepass is a good solution.
http://sourceforge.net/projects/keepass/

Both are open source projects available for free.


David Warner
Senior Security Specialist
CT Community Colleges



  _____

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L
Sent: Tuesday, March 04, 2008 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managing passwords. Storing passwords.

I was wondering more along the lines of the process that system
administrators use to secure passwords they need to use/remember.



Recommended applications to use or avoid?

Processes that you currently support?



-Charlie



==========================================



Charles Bombard, GSEC

LAN/Systems Administrator

Community College of Vermont

119 Pearl Street

Burlington, VT 05401

802.657.4234

bombardc () ccv edu



PRIVACY & CONFIDENTIALITY NOTICE: This message is for the designated
recipient only and may contain privileged, confidential, or otherwise
private information. If you have received it in error, please notify the
sender immediately and delete the original. Any other use of an email
received in error is prohibited.



From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Hanny
Sent: Tuesday, March 04, 2008 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Managing passwords. Storing passwords.



I am currently testing a product by edmz security (http://edmzsecurity.com)
that allows multiple users to connect to systems for privileged tasks.  It
is an appliance that acts as a proxy between authorized users and the system
being managed. I really like the functionality of the appliance.  Having
said that I am having security do a full assessment on the device before I
recommend deploying it on our network.  You may want to look at their
website and see if it looks like the type of system you are looking for.



Respectfully,



Jon Hanny, CISSP

Applications Security Specialist

The George Washington University

jehanny () gwu edu

www.gwu.edu







  _____

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L
Sent: Tuesday, March 04, 2008 8:52 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Managing passwords. Storing passwords.

What policy do you have for having a password storage utility? What do you
use/sanction?





-Charlie



==========================================



Charles Bombard, GSEC

LAN/Systems Administrator

Community College of Vermont

119 Pearl Street

Burlington, VT 05401

802.657.4234

bombardc () ccv edu







----------------------------------------------------------------------------
-----------------------

Josh Drummond
Security Architect
Administrative Computing Services, University of California - Irvine
jdrummon () uci edu
949.824.9574

