Educause Security Discussion mailing list archives

Re: Managing passwords. Storing passwords.


From: "Lunceford, Dan" <DLunceford () ADMIN NMT EDU>
Date: Wed, 5 Mar 2008 09:34:28 -0700

We have it and like it.  
  
We needed to sync some passwords with offsite personnel and we really
needed Active Directory integration into the password store.


Good audit trails (for change and read).  You can disable passwords or
information items, but never delete them (for auditing).


Fully customizable for any type of info to be stored (create your own
secret types...if you need 3 IPs and 2 usernames and 6 passwords for a
device...you can create that "type").


For more info feel free to contact me off list. 
  
-drl 
  
  
-- 
Dan Lunceford 
Manager of Networking Services 
New Mexico Tech 
dan () nmt edu, 575-835-5961 


After the game, the king and the pawn go into the same box. 
  -- Italian Proverb 

  _____   

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ray Bruder 
Sent: Wednesday, March 05, 2008 6:28 AM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Managing passwords. Storing passwords. 



Has anyone looked into the Thycotic software for managing passwords?  We
have just recently begun research into different packages and this is
one of the first we are looking at.  It appears to offer many of the
features others seem to be looking for but this is only after reading
reports.  We haven't downloaded and tested the product yet.

  _____   

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Josh Drummond

Sent: Tuesday, March 04, 2008 5:29 PM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Managing passwords. Storing passwords. 

I found that these are fine for personal use, but don't scale to the
enterprise.  It is common for different people in an organization to
need to be able to get/set the same password, i.e. sysadmin team all
need access to root/administrator/sa etc or for disaster recovery
purposes.  I've seen surprisingly few password safe type applications
have the ability to delegate access controls on the passwords you keep
and allow multiple users.  Based on the recommendation from this thread:
http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0701&L=SECURITY&P=R19268&D=0&I=-3
on this very same list earlier last year I've been looking
at Secret Server.  Putting any anti-Microsoft biases aside, it seems to
be one of the few that actually has that feature.


At 08:47 AM 3/4/2008, Warner, David F wrote: 



We have been using password safe. 
http://passwordsafe.sourceforge.net/ 
  
I have also heard keepass is a good solution. 
http://sourceforge.net/projects/keepass/ 

Both are open source projects available for free.
  

David Warner 
Senior Security Specialist 
CT Community Colleges 
  
  

  _____   

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L

Sent: Tuesday, March 04, 2008 11:40 AM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Managing passwords. Storing passwords. 

I was wondering more along the lines of the process that system
administrators use to secure passwords they need to use/remember.

Recommended applications to use or avoid? 

Processes that you currently support? 

-Charlie 

========================================== 

Charles Bombard, GSEC 

LAN/Systems Administrator 

Community College of Vermont 

119 Pearl Street 

Burlington, VT 05401 

802.657.4234 

bombardc () ccv edu

PRIVACY & CONFIDENTIALITY NOTICE: This message is for the designated
recipient only and may contain privileged, confidential, or otherwise
private information. If you have received it in error, please notify the
sender immediately and delete the original. Any other use of an email
received in error is prohibited.

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Jon Hanny

Sent: Tuesday, March 04, 2008 9:07 AM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Managing passwords. Storing passwords. 

I am currently testing a product by edmz security
(http://edmzsecurity.com) that allows multiple users to connect to
systems for privileged tasks.  It is an appliance that acts as a proxy
between authorized users and the system being managed. I really like the
functionality of the appliance.  Having said that I am having security
do a full assessment on the device before I recommend deploying it on
our network.  You may want to look at their website and see if it looks
like the type of system you are looking for.

Respectfully, 

Jon Hanny, CISSP 

Applications Security Specialist 

The George Washington University 

jehanny () gwu edu

www.gwu.edu

  _____   

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bombard, Charles L

Sent: Tuesday, March 04, 2008 8:52 AM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Managing passwords. Storing passwords. 

What policy do you have for having a password storage utility? What do
you use/sanction? 

-Charlie 

========================================== 

Charles Bombard, GSEC 

LAN/Systems Administrator 

Community College of Vermont 

119 Pearl Street 

Burlington, VT 05401 

802.657.4234 

bombardc () ccv edu



Josh Drummond 
Security Architect 
Administrative Computing Services, University of California - Irvine 
jdrummon () uci edu 
949.824.9574 

