
SANS ISC: Storing passwords - Internet Security | DShield SANS ISC InfoSec Forums


Storing passwords

I have a problem, no, a challenge, for you all.  How do you store passwords that have to be shared between team members?

I'm confident in saying that every IT environment has this problem.  You have passwords for service accounts, printers, switches, routers, firewalls, admin passwords for products, build passwords when building servers or desktops, etc, etc, etc.  Many of these can only be accessed through a limited user ID and can't be hooked into RADIUS.  Many of these don't need to be used often, but they do need to be recorded, and in a typical IT environment there are likely to be a number of people that need them.  So how do you share them in a sane manner?

Some of the examples I've come across include the traditional Word document or spreadsheet; sometimes it even has a password.  Other examples are databases, Lotus Notes, MS Access, SharePoint pages, wiki pages, post-it notes and commercial tools; some are better solutions than others.  So I'd like to know what you do when faced with this issue.  Send some in and we'll share your experiences in an update.

UPDATE

Thank you all for contributing, the response has been excellent.  Most of the methods used have been reflected in the comments.  

Mike has one for the *nix users out there.   

"My preferred method is an encrypted file (using vi -C), read/write only by root, on a system like a NIS master, where you have to log in as yourself and then use either pfexec or sudo to access the file.

This satisfies the theory that you need to have a user account on the correct system, the correct privs, and know just one more password; this is reasonably straightforward.
One additional safeguard is using a version control system like the built-in (on Solaris) SCCS to keep a good record."

Joost uses Keepass like many in the comments.  

"On a share only accessible by IT we have two KeePass (http://keepass.info/) databases. Both are protected by a password and a key file (on a USB stick).

Database 1 is for all passwords that are for the helpdesk and the network and system admins.
Database 2 is only for the network and system admins."

Several people wrote in regarding the eDMZ product. 

Bryan mentions their own application:

"We used to have a commercial app, then we started having problems, so we built our own internal PHP/MySQL web app. It is only accessible via HTTPS, and the database uses MySQL's built-in AES encryption to store the password data encrypted. Users must enter a username, password and encryption key to log in. This does make the encryption key short, but it is never stored in the application itself.

It is a stand-alone web app at the moment, but we are planning on having it connect to AD for authentication, and writing in permissions to limit user/group access to passwords."

A few readers also use the good old piece-of-paper-and-safe method; after all, you don't really need to use these shared accounts often, if at all.

Thank you all for your excellent contributions.   

Mark

 

Mark (ISC Handler)
I use Keepass on an encrypted USB drive
Dan

So, this is the big issue: in theory you should never have to access these passwords, they should be stored in a safe, and all servicing should be done in a delegated manner where each user uses his/her user/pwd combo.
However, the reality is that this just is not possible in some environments. My experience gambles on an effective SCM (security configuration manager) where you store all the necessary security components (configs, accounts, etc.) and log when confidential information such as passwords is accessed.
FVTer

KeePass on a shared folder too...
But as FVTer wrote, when we grant access, we grant access to all passwords. We didn't find a suitable product for that.
FVTer
On the work front we use ManageEngine's Password Manager Pro. Personally I use KeePass and am currently evaluating PassPack.
FVTer
We manage our common admin passwords on an offline machine stored in a secure location. On that machine the passwords are stored in an encrypted database using an in-house application to manage it. Our admins plug in encrypted USB flash drives (that are secured with both a biometric ID and a password) which are automatically loaded with the DB data after they have authenticated. If someone snags one of the USB drives and fails authentication 3 times, the software starts a 30-pass wipe.
FVTer
Take a look at Password Manager XP by CP Labs (http://www.cp-lab.com). It's a commercial app, but inexpensive, and we are very happy with it.

* Highly encrypted.
* Support for multiple databases.
* Ability to access password databases from multiple computers across the network.
* Adjustable user privileges per given database.
* Permissions can be set for folders or even individual records.
* Concurrent write access to a database for multiple users.
* NT authentication support.
* Logging of all data changes.
FVTer
As already mentioned, I'm used to having password safes for storing various account details. The benefit, in my point of view: you can use different "password databases" for different people/groups in a secure way, and with the right software you can also take them on a USB stick/CD for field or on-site service et al. (e.g. Password Safe, KeePass).

If you don't need the mobility, I think a wiki/SharePoint site over HTTPS with appropriate user access rights (if supported) is also quite easy to use. But to be honest, I think that such ways to "store" passwords are not that good: people tend just to print out the document in case they need it offline, and paper documents tend to get lost ;-)
Stef

I have done it two ways.
KeePass Database (encrypted) in a TrueCrypt Partition.

Apple's built-in Keychain Access, where the keychain is protected by my main system password, and the individual keychain I set up for sensitive passwords has an additional password.
Stef
@UniAdmin - the USB stick itself sounds interesting; maybe you can provide some details about that?
Stef

We have a shared "sysadmin" keepassX database... On GetDropbox.com shared :)
Anonymous
I've used a number of methods over my time. I have worked for a number of Managed Security Service providers, where we have had a requirement to store access passwords for security devices, applications, etc.

I have used the following solutions:

* In-house developed Lotus Notes database, with two sets of encryption keys (representing Admin and Operator roles) that had to be securely issued to people that were granted access. Passwords were stored encrypted in the database, and could only be decrypted if you had the right key on your keyring.

* PHPChain - open source PHP/MySQL package that stores passwords, etc, encrypted in a MySQL database with a web front end to access it. The limitation is that this has only one level of access. Access to the web app is restricted through the use of an SSL VPN that requires strong authentication to access the system in the first place, and then a username/password are required to access the password database.

* Currently looking into ManageEngine's Password Manager Pro, as it provides for role-based, authenticated and audited access. It can also be used to change passwords on supported systems on a schedule, or at the click of a button.

* For personal passwords I currently use a combination of documents, and other files, stored in an encrypted PGP volume.

* A number of our customers use a spreadsheet or document stored in a location with restricted access permissions, and optionally further protected by a password to store passwords.
John

I use a TrueCrypt volume containing a spreadsheet of ID, associated device, service, rotation date, and past passwords (just in case). The volume is encrypted with Serpent-Twofish-AES. That volume is obfuscated as a multimedia file and stored on a network server (with appropriate file permissions) that gets backed up to tape.
This requires access to the server housing the file, knowledge of the file's true nature, TrueCrypt, and the file's complex and lengthy password. We manage the tapes for the backups, and offsites are secured in locked boxes on encrypted media.

Did someone say paranoid?
John
PasswordSafe on a network share. The password to the PasswordSafe is shared verbally.
The PasswordSafe has all of the default admin accounts for our equipment and software. We are expected to use our individual accounts for normal work and only grab the built-in admin accounts for emergencies.
Jasey

Check out ManageEngine's Password Manager Pro. It is very reasonably priced and has a lot of great features.
Jasey
If you are looking for an inexpensive, feature-rich, web-based solution, take a look at Thycotic Secret Server (http://www.thycotic.com/products_secretserver_overview.html).
Tim

We use Password Corral. Unfortunately, it's not multi-user, but it is free and flexible.
Tim
@UniAdmin: I've been in a similar environment... USB drives with biometric and password auth. Simple excel spreadsheet from there.

Passwords on an admin's spreadsheet were given based on their role. This was all good, until you consider what happens when a password changes.

Since there was no automated system, every admin had to get their thumb drive manually updated from a master list every so often. This grew worse when individuals in a specific role required additional access not inherent to their role (i.e. additional privilege for special cases). This turned it into individualized lists for each admin.

I suppose it's granular enough to promote wonderful security, but the overhead involved from the old system (notebook in a controlled safe) was huge.
Tim
We commercially use CyberArk - it has a web interface and some granularity as to who can access each "safe", plus the ability to update passwords according to time / use on many platforms. There is also logging / reporting of access.


Personally, I use PasswordSafe

To share in a group I use gnupg encrypted files (adding or deleting "encrypt to" as the group who should access the file changes)
Tim
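Tim's gnupg recipient list, Joost's two KeePass databases in the update above, and the complaint a few comments up that granting access to a shared database grants access to every password all come down to the same question: who can recover the key a record is sealed under. The example below is added here and is not code from any product or contributor in the thread. It shows the envelope pattern those tools share: each record is sealed under a random data-encryption key (DEK), and the DEK is stored once per member, wrapped under a key derived from that member's passphrase. Granting access wraps the DEK for one more person (adding an "encrypt-to"); revoking someone rotates the DEK and re-seals everything, because deleting their wrapped copy does not take back a key they may already have unwrapped. Bryan's "short encryption key typed by the user" maps onto `derive_kek`: stretching the typed value with PBKDF2 is what makes a short key workable. Everything here is an assumption for illustration: the class and function names, the sample record, and the cipher, which is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag so that the script runs on the Python standard library alone; in production use an AEAD such as AES-GCM from the `cryptography` package instead.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    """Stretch a member's passphrase into a 256-bit key-encryption key (KEK)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one 256-bit key."""
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC.  Output layout: 16-byte nonce || ciphertext || 32-byte tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class SharedVault:
    """One shared password database (e.g. the 'network and system admins' DB).

    Records are sealed under a random DEK.  The DEK is never stored in the
    clear: one wrapped copy per member, each under that member's own KEK.
    """

    def __init__(self) -> None:
        self.records: dict[str, bytes] = {}                     # record name -> sealed secret
        self.wrapped_deks: dict[str, tuple[bytes, bytes]] = {}  # member -> (salt, sealed DEK)

    @classmethod
    def create(cls, founder: str, passphrase: str) -> tuple[SharedVault, bytes]:
        vault = cls()
        dek = secrets.token_bytes(32)
        vault._wrap_for(dek, founder, passphrase)
        return vault, dek

    def _wrap_for(self, dek: bytes, member: str, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self.wrapped_deks[member] = (salt, seal(derive_kek(passphrase, salt), dek))

    def unlock(self, member: str, passphrase: str) -> bytes:
        """Recover the DEK; non-members get PermissionError, wrong passphrases ValueError."""
        if member not in self.wrapped_deks:
            raise PermissionError(f"{member} has no access to this vault")
        salt, wrapped = self.wrapped_deks[member]
        return unseal(derive_kek(passphrase, salt), wrapped)

    def put(self, dek: bytes, name: str, secret: str) -> None:
        self.records[name] = seal(dek, secret.encode())

    def get(self, dek: bytes, name: str) -> str:
        return unseal(dek, self.records[name]).decode()

    def grant(self, dek: bytes, member: str, passphrase: str) -> None:
        """Like adding an 'encrypt-to' recipient: wrap the current DEK for one more member."""
        self._wrap_for(dek, member, passphrase)

    def revoke(self, dek: bytes, member: str, remaining: dict[str, str]) -> bytes:
        """Drop a member and rotate.  Deleting the wrapped copy alone would not take
        back a DEK the member already unwrapped, so every record is re-sealed under
        a fresh DEK, which is then re-wrapped for the members in `remaining`
        ({member: passphrase}).  Because KEKs are passphrase-derived, those members
        must take part; gpg avoids this by wrapping to public keys.  The underlying
        account passwords should be changed on the target systems as well.
        """
        del self.wrapped_deks[member]
        for other, passphrase in remaining.items():
            if self.unlock(other, passphrase) != dek:  # prove each one is a current member
                raise PermissionError(f"{other} cannot be re-enrolled")
        new_dek = secrets.token_bytes(32)
        self.records = {n: seal(new_dek, unseal(dek, blob)) for n, blob in self.records.items()}
        self.wrapped_deks = {}
        for other, passphrase in remaining.items():
            self._wrap_for(new_dek, other, passphrase)
        return new_dek
```

Joost's split is two `SharedVault` instances: helpdesk staff hold a wrapped DEK only for the first, admins for both. The revoke path is the part KeePass-on-a-share and a shared PasswordSafe passphrase cannot do at all, and it is where the paper-and-safe method quietly wins: a password that was never read out needs no rotation.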
* 1 Envelope with 1 server's name and date of last password change written on outside.
* 1 Password for root/admin/other printed and stored in envelope.
* Many, many envelopes stored in a highly secured safe; the Security Officer and CIO are the only people with access.
* All access configured for personal admin accounts -- root/admin/other used only in emergencies.
Anonymous
Our organization is looking into tackling this issue at some point soon. Currently, we have a KeePass database that is on a shared drive that is locked down to certain users via AD group membership. The key for the database is in a different shared folder that is controlled by group membership. Still, we definitely want to get away from long-term local admin and service account passwords being available to a non-unique audience. One solution that we are looking into is called Lieberman Software Password Manager. From what I've heard from the guy who is looking into this, it would be able to log access to the system and all that, in addition to randomizing local admin passwords and checking them out to authorized users. The password would be re-randomized after a certain amount of time, creating a kind of one-time-password situation. I'm not sure how this would work, but if it does, perfecto!

For starters though, KeePass is a fantastic app. I want to roll it out to all of our users so we can finally get rid of all the post it notes under keyboards etc.
jtwaldo

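The behaviour jtwaldo describes (randomize the built-in admin password, check it out to an authorized user, re-randomize after a time limit so the disclosed value is effectively single-use, and log all of it) is a workflow rather than a product feature, and it reads more clearly as code. The example below is added here and is not code from Lieberman, CyberArk or any other product in the thread; the class, the `set_password` hook that stands in for actually changing the credential on the target system, the account names and the lease length are all assumptions for illustration. Time is passed in explicitly so the expiry path can be exercised deterministically.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from typing import Callable, Optional

ALPHABET = string.ascii_letters + string.digits + "!#%+,-.:=?@_"


def random_password(length: int = 24) -> str:
    """CSPRNG-backed password from a fixed alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Account:
    host: str
    user: str
    password: str
    checked_out_by: Optional[str] = None
    lease_ends_at: Optional[int] = None  # epoch seconds; None when not checked out


class CheckoutVault:
    """Shared built-in accounts (root/Administrator/service) with check-out leases.

    `set_password(host, user, new_password)` is the hypothetical hook that would
    change the credential on the target (passwd, net user, a vendor API); it is
    injected so this example can stub it.  `authorised` maps a requester to the
    set of "host\\user" accounts that person may check out.
    """

    def __init__(self, lease_seconds: int, set_password: Callable[[str, str, str], None],
                 authorised: dict[str, set[str]]) -> None:
        self.lease_seconds = lease_seconds
        self.set_password = set_password
        self.authorised = authorised
        self.accounts: dict[str, Account] = {}
        self.audit: list[tuple[int, str, str, str]] = []  # (when, actor, action, account)

    @staticmethod
    def key(host: str, user: str) -> str:
        return f"{host}\\{user}"

    def _rotate(self, acct: Account, now: int, actor: str, reason: str) -> None:
        """Set a fresh random password on the target and clear any lease."""
        acct.password = random_password()
        self.set_password(acct.host, acct.user, acct.password)
        acct.checked_out_by = None
        acct.lease_ends_at = None
        self.audit.append((now, actor, reason, self.key(acct.host, acct.user)))

    def enroll(self, host: str, user: str, now: int) -> None:
        """Bring an account under management: nobody knows its password after this."""
        acct = Account(host, user, password="")
        self.accounts[self.key(host, user)] = acct
        self._rotate(acct, now, "system", "enrolled")

    def checkout(self, host: str, user: str, requester: str, now: int) -> str:
        """Disclose the current password to an authorised requester for one lease."""
        k = self.key(host, user)
        if k not in self.authorised.get(requester, set()):
            self.audit.append((now, requester, "denied", k))
            raise PermissionError(f"{requester} may not check out {k}")
        self.expire_leases(now)  # a stale lease must not block the next person
        acct = self.accounts[k]
        if acct.checked_out_by is not None:
            self.audit.append((now, requester, "busy", k))
            raise RuntimeError(f"{k} is held by {acct.checked_out_by} until {acct.lease_ends_at}")
        acct.checked_out_by = requester
        acct.lease_ends_at = now + self.lease_seconds
        self.audit.append((now, requester, "checkout", k))
        return acct.password

    def checkin(self, host: str, user: str, requester: str, now: int) -> None:
        """Early return of a lease; the password is rotated immediately."""
        acct = self.accounts[self.key(host, user)]
        if acct.checked_out_by != requester:
            raise PermissionError("only the holder of the lease can check it in")
        self._rotate(acct, now, requester, "checkin")

    def expire_leases(self, now: int) -> list[str]:
        """Sweep: leases past their end are rotated away, so the disclosed value is one-time."""
        expired = [a for a in self.accounts.values()
                   if a.lease_ends_at is not None and a.lease_ends_at <= now]
        for acct in expired:
            self._rotate(acct, now, acct.checked_out_by or "system", "expired")
        return [self.key(a.host, a.user) for a in expired]
```

The audit list is the part the KeePass-on-a-share approach cannot give you: every disclosure is tied to a named requester and a time window, and because every check-in or expiry rotates the credential, the question "who knew this password when the incident happened" has a short answer.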