Password Storage for Fun and Profit?
adwb asks: "I work for a small company which performs network installations and support for clients in the Seattle area. We have a handful of network admins and programmers who go out to clients' offices to solve problems as needed. A problem we have been trying to deal with is the various administrator passwords for different client networks at different domain levels. It seems the easiest solution is not the most secure: just dump every client's administrator password into a text file and store it in a secure network location inside our local domain.
Can any of you experienced network admins recommend a method (either pre-built software or custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PC's) but secure from the outside world?"
For those of you interested in protecting your personal passwords, an answer might be found in this tidbit from jswinth, but there are issues here, too: "The wired article about Never Forget Another Password talks about the Just1Key service allowing all your passwords to be accessible from any PC. They use an applet and encrypt the password information before it leaves the local PC. What about when you cannot trust the PC, like when using a public terminal? I would hate to have all my passwords compromised because I couldn't remember my password to my free New York Times account at the library."
Unless the security is ironclad. . . (Score:3, Insightful)
At the very least.
I still don't think I'd trust it.
Re:Unless the security is ironclad. . . (Score:2)
Re:Unless the security is ironclad. . . (Score:2)
Re:Unless the security is ironclad. . . (Score:1)
Re:Unless the security is ironclad. . . (Score:2)
Roboform! (Score:5, Informative)
Re:Roboform! (Score:2)
Almost perfect. Doesn't support OSX or Linux.
So.... (Score:3, Interesting)
Sounds like you have an architectural problem, not a password problem. Not sure how to fix it; we are cursed with the same thing here. Some of it is being addressed, but it is slow, and making sure every application supports a centralized authentication system is the hardest part.
Re:So.... (Score:2)
Of course...because forcing your clients to use your centralized authentication system will be fun...you might want to re-read it...
Re:So.... (Score:1)
Re:So.... (Score:1)
In that case, a text file on a USB stick would do the job just fine, wouldn't it? Sometimes the simplest solutions are the best...
USB Keys? (Score:1)
I've been wanting to find a Java app (for cross-platform compatibility; pretty much everything I will be using will have a JVM) that would store the passwords encrypted on the USB key, but I haven't really looked for one.
Re:USB Keys? (Score:1)
There is also the matter of
Re:USB Keys? (Score:1)
I guess that's less of an issue with 512 meg USB drives, but then you have four different executables and libraries. That's why I suggested Java. An implementation of Java is preinstalled on Windows, Mac OS X, an
Password Safe (Score:2)
It is only available for Windows.
Re:Password Safe (Score:1)
Re:Password Safe (Score:3, Informative)
Use Gmail (Score:3, Interesting)
Re:Use Gmail (Score:2)
Activesync and local subnet limited (Score:2)
I'd have an Access database with an intranet web interface that checks MAC addresses to limit access through the web interface. In addition, I'd use ActiveSync Access table synchronization to synchronize the Pocket PCs, but only when they are connected to a machine within your LAN (physical connection, not network connection) to sync the table.
That way, you maintain full access for your people- but no access for anybody else. To
Re:Activesync and local subnet limited (Score:1)
ssh keys and sudo (Score:1)
Here's what we do (Score:4, Interesting)
1. password
2. password2
etc.
On an SSL, password-protected web site not hosted by us, we have a web page with:
Server x, root, password #1
Server x, admin, password #2
etc.
The people who need it keep all or part of the printed out text file in their wallets. I'm sure someone will point out some flaw, but it is pretty disconnected.
Only problem I can see is... (Score:4, Insightful)
Wrong. (Score:2)
Re:Here's what we do (Score:1)
Swear to god. They still do it that way, I'm sure. I mean, they *did* name the directory "secret", so it's secure, right?
Re:Here's what we do (Score:1)
No, it's only secret if you name it ".secret".
Two open source solutions (Score:4, Informative)
The program stores your passwords in a highly encrypted database. This database consists of only one file, so it can be easily transferred from one computer to another.
KeePass supports password groups, you can sort your passwords (for example into Windows, Internet, My Homepage, etc.). You can drag-n-drop passwords into other windows. The powerful auto-type feature will type usernames and passwords for you into other windows. The program can export the database to various formats (like TXT, HTML, XML, CSV,
http://passwordsafe.sourceforge.net/ [sourceforge.net]
Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).
Re:Two open source solutions (Score:1)
Re:Two open source solutions (Score:2)
For web forums, shops, misc services etc. I take the username I used, the domain and a secret masterpassword.
Then, my script basically does this:
echo -n "$user:$domain:$masterpass" | openssl dgst -sha1 -binary | openssl base64
From the resulting string I take the first 16 characters and use that as a password. Every user/domain pair that I used also gets stored for later retrieval. The secret password is never stored anywhere.
Can anyone comment on the security of this solution? I figured that using 16 characte
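The derivation in the post above, written out as an added example (not the poster's script, and not code from any of the tools named in this thread). The first function reproduces the scheme as stated: SHA-1 over "user:domain:masterpass", base64, first 16 characters. The second is an assumed hardening of the same idea: because SHA-1 is unsalted and fast, anyone who learns one derived password from a leaked site can test candidate master passwords offline at hash speed, so the hardened variant uses PBKDF2-HMAC-SHA256 with "user:domain" as the salt and a deliberately high iteration count, making every such guess cost that many hashes. The names, the salt choice and the iteration count are assumptions for illustration.

```python
import base64
import hashlib

BASE64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def derive_sha1(user: str, domain: str, masterpass: str, length: int = 16) -> str:
    """The scheme from the post: SHA-1 of "user:domain:masterpass", base64, first 16 chars.
    A 20-byte SHA-1 digest base64-encodes to 28 characters, so 16 are always available."""
    digest = hashlib.sha1(f"{user}:{domain}:{masterpass}".encode()).digest()
    return base64.b64encode(digest).decode()[:length]


def derive_pbkdf2(user: str, domain: str, masterpass: str,
                  length: int = 16, iterations: int = 100_000) -> str:
    """Assumed hardened variant: same inputs, but the per-site string is used as a salt
    and a slow KDF is applied, so each guess at the master password costs `iterations`
    hash computations instead of one SHA-1."""
    salt = f"{user}:{domain}".encode()
    dk = hashlib.pbkdf2_hmac("sha256", masterpass.encode(), salt, iterations, dklen=32)
    return base64.b64encode(dk).decode()[:length]


def output_entropy_bits(length: int) -> int:
    """Upper bound on the entropy of `length` base64 characters (6 bits each).
    The real entropy is the minimum of this and the master password's own entropy."""
    return length * 6


def is_base64_chars(password: str) -> bool:
    """Derived passwords only ever contain the base64 alphabet (no '=' in the first 16)."""
    return all(c in BASE64_ALPHABET for c in password)


if __name__ == "__main__":
    # Constructed sample inputs; the master password is never stored, only re-entered.
    user, domain, master = "alice", "example.org", "correct horse battery staple"
    print("sha1 scheme  :", derive_sha1(user, domain, master))
    print("pbkdf2 scheme:", derive_pbkdf2(user, domain, master))
    print("max entropy of 16 chars:", output_entropy_bits(16), "bits")
```

Two points the poster asked about follow directly from the code: 16 base64 characters cap the per-site password at 96 bits, which is more than enough, but the whole scheme is only as strong as the master password because every site password is a deterministic function of it; and the base64 alphabet includes "+" and "/", which some sites reject, so the truncated string may need a character substitution step before use.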
Re:Two open source solutions (Score:2)
What happens when... (Score:3, Informative)
Nothing, because they cannot belong to the same universe.
The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.
Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.
Either you have all the passwords stored in autonomous devices from where your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.
A possible centralized solution: Your employee calls a number or sends a SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.
SMS (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.
This could be easily implemented with GSM phones or GSM modem modules connected to the server, and SMS handling tools freely available.
Re:What happens when... (Score:1)
- Yes you can fake the originating MIN of the request SMS, but tell me, how do you receive the response without compromising a SIM?? The server will answer only to the CORRECT, known phone. Even if you somehow "sniff" the traffic to get the answer, and if it's not encrypted, t
May I suggest... (Score:1)
Re:May I suggest... (Score:2)
And written in Reformed Egyptian.
The good old days (Score:1)
Novell: Passwords NEVER Travel the Wire!!! (Score:3, Interesting)
They use an applet and encrypt the password information before it leaves the local PC.
Being an old Novell MCNI/MCNE/etc., I was inundated, inculcated, and imbued with the overarching mantra: PASSWORDS NEVER TRAVEL THE WIRE!!! ONLY HASHES OF PASSWORDS TRAVEL THE WIRE!!!
Re:Novell: Passwords NEVER Travel the Wire!!! (Score:1)
Interesting, Novell people are usually the bright ones.
Re:Novell: Passwords NEVER Travel the Wire!!! (Score:2)
Re:Novell: Passwords NEVER Travel the Wire!!! (Score:2)
Passwords never travel the wire. Only responses to challenges travel the wire, and that only when the challenger is identified as legitimate.
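A minimal challenge-response exchange of the kind the reply above describes, as an added example in Python; it is not Novell's protocol and not code from this thread. Both sides hold only a hash of the password (the "verifier"); the server sends a random challenge, the client answers with an HMAC over the challenge keyed by the verifier, and the server only proves its own knowledge of the verifier after the client's answer checks out. The cleartext password never leaves the client, a captured response cannot be replayed because each challenge is consumed once, and the client verifies the server's proof so that an impostor challenger learns nothing usable. The class names, message labels and nonce sizes are assumptions.

```python
import hashlib
import hmac
import os


def password_verifier(password: str) -> bytes:
    """What both sides store and key their HMACs with; the password itself is never sent.
    (Assumed: plain SHA-256 for illustration; a real system would use a salted slow KDF.)"""
    return hashlib.sha256(password.encode()).digest()


class Server:
    def __init__(self, users: dict):
        self.users = users      # username -> verifier
        self.pending = {}       # username -> outstanding challenge nonce
        self.used = set()       # challenges already answered, to refuse replays

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, client_nonce: bytes, response: bytes):
        """Returns the server's own proof on success, None on failure.
        Each challenge is popped, so a replayed (nonce, response) pair is rejected."""
        server_nonce = self.pending.pop(user, None)
        key = self.users.get(user)
        if server_nonce is None or server_nonce in self.used or key is None:
            return None
        expected = hmac.new(key, b"client" + server_nonce + client_nonce, "sha256").digest()
        if not hmac.compare_digest(expected, response):
            return None
        self.used.add(server_nonce)
        # Only now does the server demonstrate that it, too, knows the verifier.
        return hmac.new(key, b"server" + client_nonce + server_nonce, "sha256").digest()


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.key = password_verifier(password)   # cleartext password discarded here
        self.client_nonce = self.server_nonce = b""

    def respond(self, server_nonce: bytes):
        """Answer the challenge; the client's own nonce binds the server's later proof."""
        self.server_nonce = server_nonce
        self.client_nonce = os.urandom(16)
        response = hmac.new(self.key, b"client" + server_nonce + self.client_nonce, "sha256").digest()
        return self.client_nonce, response

    def check_server(self, proof) -> bool:
        """Reject a challenger that cannot prove it holds the verifier."""
        if proof is None:
            return False
        expected = hmac.new(self.key, b"server" + self.client_nonce + self.server_nonce, "sha256").digest()
        return hmac.compare_digest(expected, proof)


def authenticate(server: Server, client: Client) -> bool:
    """Full exchange: challenge -> response -> server proof -> client check."""
    server_nonce = server.challenge(client.user)
    client_nonce, response = client.respond(server_nonce)
    proof = server.verify(client.user, client_nonce, response)
    return client.check_server(proof)


if __name__ == "__main__":
    # Constructed sample account; in practice the verifier would be provisioned out of band.
    srv = Server({"admin": password_verifier("correct horse battery staple")})
    print("right password:", authenticate(srv, Client("admin", "correct horse battery staple")))
    print("wrong password:", authenticate(srv, Client("admin", "guess")))
```

Worth noting against the thread's question: this keeps the password off the wire, but the verifier stored on the server is password-equivalent for this protocol, so the server's verifier store needs the same protection the thread is asking for in the first place.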
Re:Novell: Passwords NEVER Travel the Wire!!! (Score:2)
Paper... (Score:5, Funny)
You write the passwords you need on a piece of paper. If there are lots of passwords to be remembered, an electronic device called a "printer" can transfer the passwords from a computer at your office building to the paper.
The paper is carried by the admin to whatever clients he needs to go to. Once at the client, he fetches this piece of paper and uses his eyes to retrieve the passwords he needs. The passwords are typed manually by the admin into the client's computer.
As your admin finishes his job, the paper containing the passwords can be easily destroyed. A device specifically made for this, called a "paper shredder", exists in many offices, and your admin is likely to find one at the client's office.
If a client does not have a paper shredder, the admin may choose to use the fallback solution of tearing apart the paper with his hands, followed by flushing it down the toilet. Another solution is to ignite the paper with a device called a "lighter", something that can usually be found at the back entrance of the client's building (just ask one of the smokers there).
I hope this suggestion helps!
Re:Paper... (Score:1)
Maintenance accounts? (Score:2)
Obviously you'll need to get your clients to agree to this, but it sounds like you already have this level of access anyway.
Since all these networks are disconnected, it's unlikely anybody will know you are using the same password for all of your clients, and I don't see how this is a worse risk than storing all of them in one location/file.
Not free, but... (Score:2)
Run it on an Windows Server, install the clients on various people's machines. The clients authenticate against your domain controller, so there's almost no configuration necessary.
It allows you to store passwords in a hierarchical fashion with a file-manager-style interface. You set permissions just like you would a normal windows shared file/folder.
How about the obvious? (Score:2)
The obvious answer: Don't (Score:1)
Second idea: have the client create an account as needed for your tech that gets deleted when your tech is done. At the very least, have an account that gets disabled when not needed.
Re:The obvious answer: Don't (Score:1)
Re:The obvious answer: Don't (Score:1)
For example, create a root/admin account with the same username at each site (e.g. "MyCOTech").
Set the same password and bingo, problem solved.
pms (Score:1)
Just put it on a server that you have ssh access to. It's a neat little program.
http://passwordms.sourceforge.net/ [sourceforge.net]
Keychain Access (Score:2, Informative)
Apple's Keychain Access is pretty nice to store and manage passwords, secure notes, and certificates. :)
I use it very often to store notes, beats Stickies imho and easier to backup as well
It's possible to create a Shared Keychain as well. Then all users on the machine can access that keychain if they know its password.
I think most of Keychain Access is open source (correct me if I'm wrong!):
http://darwinsource.opendarwin.org/10.4/libsecurity_keychain-78/lib/ [opendarwin.org]
So any takers on making keycha
Keyring for Palm OS (Score:1)
The Old-Fashioned Way (Score:2)
Ta-da!
- dshaw
Doy (Score:1)
For everyone on your staff who should have access, create an account on the machine for them. Give them the same username everywhere. They can keep track of their own passwords. If they want the same password at every client, it's OK because they remember it. If they have a different password at every client, there are plenty of handy Palm/BlackBerry appl
Why not ask? (Score:4, Interesting)
This is how I would do it...
The people who go out on site, ask the client what the password is. If they are trusted then the password will be provided. If they are some halfwit who wants to "dump every client's administrator password into a text file" then they will be told to get the fuck away from my network and leave the building.
They could also carry the passwords in a file using a modern concept called encryption, a new invention, only a few thousand years old.
To think that I have recently been modding posters down for bitching about slashdot no longer being "News for nerds"
There are also sites on the internet which can provide links to software which can fulfill this need.
Sorry for being such a sarcastic twat but slashdot is sinking to the level of "My processor is running out of memory, should I buy a bigger monitor?"
People come here to get away from this stupid crap.
kedpm (Score:4, Informative)
Palm Pilot (Score:2)
Re:Palm Pilot (Score:2)
how much would you pay for the answer? (Score:2)
Here's My Idea (Score:1)
Tools to the rescue! (Score:1)
KeePass Password Safe (Score:1)
KeePass [sourceforge.net] is what you are looking for. I have been using it for years now and it's fucking cool.
It stores all your username/password database using the so-called "most secure encryption algorithms currently known (AES and Twofish)" [sourceforge.net], while SHA-256 is used as the password hash.
You can group your list with details on each password: Title, Username, URL, Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment. [sourceforge.net]
It's fully open-source (OSI certified) and runs under Windows and PocketPC with [sourceforge.net]
Enterprise Password Safe (Score:1)