SANS ISC: InfoSec Handlers Diary Blog

Storing passwords

Published: 2009-09-23
Last Updated: 2009-09-23 23:59:11 UTC
by Mark Hofman (Version: 1)
46 comment(s)

I have a problem, no, a challenge, for you all: how do you store passwords that have to be shared between team members?

I'm confident in saying that every IT environment has this problem. You have passwords for service accounts, printers, switches, routers, firewalls, admin passwords for products, build passwords used when building servers or desktops, etc. Many of these can only be accessed through a limited set of local user IDs and can't be hooked into RADIUS or another central authentication service. Many of them don't need to be used often, but they do need to be recorded, and in a typical IT environment there are likely to be a number of people who need them. So how do you share them in a sane manner?

Some of the examples I've come across include the traditional Word document or spreadsheet, sometimes even password-protected. Other examples are databases, Lotus Notes, MS Access, SharePoint pages, wiki pages, post-it notes and commercial tools, some of which are better solutions than others. So I'd like to know what you do when faced with this issue. Send some in and we'll share your experiences in an update.


Thank you all for contributing; the response has been excellent. Most of the methods used have been reflected in the comments.

Mike has one for the *nix users out there.   

"My preferred method is an encrypted file (using vi -C) readable and writable only by root, on a system like a NIS master, where you have to log in as yourself and then use either pfexec or sudo to access the file.

This satisfies the theory that you need to have a user account on the correct system, the correct privs and know just one more password - this is reasonably straightforward.
One additional safeguard is using a version control system like the built-in (on Solaris) sccs to keep a good record."

Joost uses KeePass, like many in the comments.

"On a share only accessible by IT we have 2 KeePass databases. Both are protected by a password and a keyfile (on a USB stick).

Database 1 is for all passwords that are for the helpdesk, network admins and system admins.
Database 2 is only for network admins and system admins."

Several people wrote in regarding the eDMZ product. 

Bryan describes their own in-house application:

"We used to have a commercial app, then we started having problems. So we built our own internal PHP-MySQL webapp. It is only accessible via HTTPS, and the database uses MySQL's built-in AES encryption to store the password data encrypted. Users must enter a username, password, and encryption key to log in. This does make the encryption key short, but it is never stored in the application itself.

It is a stand-alone webapp at the moment, but we are planning on having it connect to AD for authentication, and writing in permissions to limit user/group access to passwords."
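For readers weighing a design like Bryan's, here is the storage pattern he describes written out as MySQL statements. This is an added example, not Bryan's code or the diary's; it assumes MySQL 5.7 or later (which has the block_encryption_mode variable and the three-argument AES_ENCRYPT), and the table name, column names, label and sample password are constructed for illustration. The session-supplied key is the point: it is typed by the user and held only in a session variable, never in a column.

```sql
-- Added example of the "MySQL built-in AES, key supplied by the user" design.
-- Table, column and label names are assumptions made for this illustration.

CREATE TABLE shared_secret (
  id         INT AUTO_INCREMENT PRIMARY KEY,
  label      VARCHAR(128)   NOT NULL,   -- what the secret unlocks
  iv         BINARY(16)     NOT NULL,   -- per-row random IV
  secret_enc VARBINARY(512) NOT NULL    -- AES ciphertext, never plaintext
);

-- The default block_encryption_mode is aes-128-ecb. ECB has no IV, so two
-- devices that share a password produce identical ciphertext and anyone who
-- can read the table sees that. Use a chained mode for this session.
SET block_encryption_mode = 'aes-256-cbc';

-- The key is entered by the user at login and lives only in this session.
-- MySQL pads a short key string with zero bytes and folds a long one, so
-- derive a fixed 32-byte key from the typed passphrase instead of passing
-- the raw string. (Passphrase below is a constructed sample.)
SET @k  = UNHEX(SHA2('passphrase typed by the user at login', 256));
SET @iv = RANDOM_BYTES(16);

INSERT INTO shared_secret (label, iv, secret_enc)
VALUES ('core-switch-1 enable', @iv,
        AES_ENCRYPT('constructed-sample-password', @k, @iv));

-- Retrieval needs the same session key plus the row's own IV. A wrong key
-- usually yields NULL, but MySQL documents that it can also return garbage,
-- so the application must check for NULL and not trust a non-NULL result
-- blindly.
SELECT label,
       CAST(AES_DECRYPT(secret_enc, @k, iv) AS CHAR) AS secret
FROM   shared_secret
WHERE  label = 'core-switch-1 enable';
```

Two caveats a practitioner would want before copying this. First, the passphrase in the SET statement, like every statement text, is visible in the general query log, the slow query log and SHOW PROCESSLIST, so "never stored" only holds if those are off or tightly protected; encrypting in the PHP layer (for example with openssl_encrypt) and storing only ciphertext keeps the key off the database host entirely. Second, the label in the WHERE clause comes from the user in a real webapp and must be a bound parameter, not string-concatenated SQL; in 2009 MySQL had only the ECB form of AES_ENCRYPT, which is the mode Bryan's setup would have used.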

A few readers also use the good old piece-of-paper-in-a-safe method; after all, you don't really need to use these shared accounts often, if at all.

Thank you all for your excellent contributions.   


