Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Networking Security

Password Storage for Fun and Profit? 75

Posted by Cliff from the accessible-but-secure dept.
adwb asks: "I work for a small company which performs network installations and support for clients in the Seattle area. We have a handful of network admins and programmers who go out to client's offices to solve problems as needed. A problem we have been trying to deal with is the various administrator passwords for different client networks at different domain levels. It seems the easiest solution is not the most secure: just dump every client's administrator password into a text file and store it in a secure network location inside our local domain. Can any of you experienced network admins recommend a method (either pre-built software or custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PC's) but secure from the outside world?"
For those of you interested in protecting your personal passwords, an answer might be found in this tidbit from jswinth, but there are issues here, too: "The wired article about Never Forget Another Password talks about the Just1Key service allowing all your passwords to be accessible from any PC. They use an applet and encrypt the password information before it leaves the local PC. What about when you cannot trust the PC, like when using a public terminal? I would hate to have all my passwords compromised because I couldn't remember my password to my free New York Times account at the library."
This discussion has been archived. No new comments can be posted.

Password Storage for Fun and Profit? More

Password Storage for Fun and Profit?

Comments Filter:

  • Unless the security is ironclad. . . (Score:3, Insightful)

    by Limburgher ( 523006 ) on Friday September 02, 2005 @02:31PM (#13465427) Homepage Journal
    it's just too risky. To satisfy me, the storage should be encrypted, and the access should require SSL.

    At the very least.

    I still don't think I'd trust it.

  • Roboform! (Score:5, Informative)

    by fm6 ( 162816 ) on Friday September 02, 2005 @02:31PM (#13465436) Homepage Journal
    Check out RoboForm [roboform.com]. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.
    • Check out RoboForm. Snarfs up passwords, automatically enters them for you. Passwords can be saved to Palm, PocketPC, or USB key. Supports Firefox.

      Almost perfect. Doesn't support OSX or Linux.

  • So.... (Score:3, Interesting)

    by ArsonSmith ( 13997 ) on Friday September 02, 2005 @02:32PM (#13465442) Journal
    You're asking how can I let everyone know the passwords, yet still be secure?

    Sounds like you have an architectural problem not a password problem. Not sure how to fix it, we are cursed with the same thing here. Some is being addressed but it is slow and making sure every application supports a centralized authentication system is the hardest part.

    • Of course...because forcing your clients to use your centralized authentication system will be fun...you might want to re-read it...

      Can any of you experienced network admins recommend a method (either pre-built software or custom database/interface solution) of storing client authentication information in a way that can be easily accessed by our employees (preferably from any computer, including their Pocket PC's) but secure from the outside world?"
    • I think you misunderstand the question. We are just looking for a method to store passwords and access them remotely. This data is for humans to read while on-site, not for applications to connect to.
      • This data is for humans to read while on-site, not for applications to connect to.

        In that case, a text file on a USB stick would do the job just fine, wouldn't it? Sometimes the simplest solutions are the best...

  • Have you ever considered USB keys to store the text files? Having them on your person is just as secure as the key to your car. (Well not exactly, but pretty close.)

    I've been wanting to find a Java app (for cross platform compatability. Pretty much everything I will be using will have a JVM) that would store the passwords encrypted on the usb key, but I haven't really looked for one.

    --
    How the fuck do you get get caught overwhemed at the Astrodome when you know exactly how many people are coming, and have
    • Well, this is actually what I've been doing for a while now. I have a small program called passpack [cjb.net] which encrypts all the passwords to one file unlockable via a master password. Also, it has a screen hiding capability so that if someone creeps up behind you you can simply press F8 and its gone. If you want to go the open source direction you can use such applications as Password Safe [sourceforge.net]. Both can be deployed on the network by having a centrally updated file on the internal network

      There is also the matter of

      • Thanks for the links. While they may be useful for some people, it's not really what I'm looking for. I need something that runs on linux, solaris, macosx, and windows. You can't really assume that any of those platforms will have the same libraries, so any dependencies you need to bring with you.

        I guess that's less of an issue with 512 meg USB drives, but then you have four different executables and libraries. That's why I suggested Java. An implementation of java is preinstalled on windows, macsox, an
  • Password Safe [sourceforge.net] is an open source application that encrypts all your passwords with a master password, so you only have to remember the master password.

    It is only available for Windows.

  • Use Gmail (Score:3, Interesting)

    by LennyDotCom ( 26658 ) <Lenny@lenny.com> on Friday September 02, 2005 @02:52PM (#13465602) Homepage Journal
    Open a gmail account with an obscure name upload the info and you can access it anywhere
    • If I was to do that, I'd be sure to access gmail through https (and even then you may want to have a message with a javascript bookmarklet to encrypt/decrypt passwords rather than leave em in email).
  • Here's what I'd do- but then again, I'm just wild about security AND PocketPCs.

    I'd have an access database with an intranet web interface that checks MAC addresses to limit access through the web interface. In addition, I'd use Activesync Access Table Synchronization to synchronize the PocketPCs, but only when they are connected to a machine within your LAN- physical connection, not network connection- sync the table.

    That way, you maintain full access for your people- but no access for anybody else. To
  • I am in the same boat; I admin multiple networks owned by different organizations, each with their own admin passwords. My mantra is to never know the super user passwords. If they dont give them to me, I am not the security risk. Instead, I give my user account the ability to sudo (or slide as the case may be), and copy my ssh keys where needed. This way I can have different user account passwords that I wont need to remember, have the ability to become root when needed, and if one of the client sites

  • Here's what we do (Score:4, Interesting)

    by Anonymous Crowhead ( 577505 ) on Friday September 02, 2005 @03:02PM (#13465679)
    We have an ecrypted text file stored locally with all passwords written on it like this:

    1. password

    2. password2

    etc.

    On an ssl, password protected web site not hosted by us, we have a web page with:

    Server x, root, password #1

    Server x, admin, password #2

    etc.

    The people who need it keep all or part of the printed out text file in their wallets. I'm sure someone will point out some flaw, but it is pretty disconnected.

    • Only problem I can see is... (Score:4, Insightful)

      by brunes69 ( 86786 ) <`gro.daetsriek' `ta' `todhsals'> on Friday September 02, 2005 @03:52PM (#13466052)
      .. you must have a finite number of clients. Even assuming 500 passwords in that file, it would take anyone with the nerve only a short time to brute force the right password.

    • I worked for a major news website (linked to by slashdot on occassion). They kept all of the root passwords for every system (about 70 of them) in a plain text file located in a "secret" directory in the home directory of an employee who had not worked there in years. something like /home/jsmith/secret/passwds.lst

      Swear to god. They still do it that way, I'm sure. I mean, they *did* name the directory "secret", so it's secure, right?

  • Two open source solutions (Score:4, Informative)

    by lucidvein ( 18628 ) on Friday September 02, 2005 @03:08PM (#13465730) Homepage
    http://keepass.sourceforge.net/ [sourceforge.net]
    The program stores your passwords in a highly encrypted database. This database consists of only one file, so it can be easily transferred from one computer to another.

    KeePass supports password groups, you can sort your passwords (for example into Windows, Internet, My Homepage, etc.). You can drag-n-drop passwords into other windows. The powerful auto-type feature will type usernames and passwords for you into other windows. The program can export the database to various formats (like TXT, HTML, XML, CSV, ...). It can also import data from various other formats (Password Safe v2 TXT files, CSV files, ...).

    http://passwordsafe.sourceforge.net/ [sourceforge.net]
    Password Safe is a tool that allows you to have a different password for all the different programs and websites that you deal with, without actually having to remember all those usernames and passwords. Password Safe runs on PCs under Windows (95/98/NT/2000/XP). An older (but fully functional) version is available for PocketPC. Linux/Unix clones that use the same database format have also been written (see Related Projects).
    • I find KeePass [sourceforge.net] quite useful.
      • I use my own method.

        For web forums, shops, misc services etc. I take the username I used, the domain and a secret masterpassword.

        Then, my script basically does this:

        echo -n "$user:$domain:$masterpass" | sha1 | openssl base64

        From the resulting string I take the first 16 characters and use that as a password. Every user/domain pair that I used also gets stored for later retrieval. The secret password is never stored anywhere.

        Can anyone comment on the security of this solution? I figured that using 16 characte
    • http://keepass.sourceforge.net/
      So that's where OSDN stores the porn collection!

  • What happens when... (Score:3, Informative)

    by jsveiga ( 465473 ) on Friday September 02, 2005 @03:11PM (#13465756)
    an irresistible force meets an immovable object?

    Nothing, because they cannot belong to the same universe.

    The same is valid for the two concepts "from any computer" and "secure from the outside world". You can't have both. "Any computer" can have keyloggers, screen capturers, mouse trackers, mind readers, whatever it takes to snatch the passwords on the way to your employee.

    Plugging the USB memory to "any computer" to retrieve the passwords is also dangerous for similar reasons.

    Either you have all the passwords stored in autonomous devices from where your employee can safely retrieve them (for example PDAs or some mobile phones, which have a protected "password storage" feature), or a centralized database which can only be queried by 'safe' clients.

    A possible centralized solution: Your employee calls a number or sends a SMS from his mobile. On the other side, a system which knows the 'trusted' mobile numbers recognizes him from the caller ID (and optionally a user password), retrieves the one password he queried for, and sends it back via SMS.

    SMS (at least over GSM networks) are encrypted, and GSM SIM cards are quite hard (impossible) to counterfeit.

    This could be easily implemented with GSM phones or GSM modem modules connected to the server, and SMS handling tools freely available.
  • Post-It(tm) Notes under the keyboard of the various machines and servers written in an ink that becomes visible only with special glasses?
  • What i used to do was: Each admin knows the passwords that they need to know. Then the network manager or somone who knows all of the passwords would write them all down on seperate pieces of paper and sealed in individual envolope then put in to a fireproof safe with the rest of the companies sensitive documents. Problem solved at a minimum cost thats also very secure.

  • Novell: Passwords NEVER Travel the Wire!!! (Score:3, Interesting)

    by mosel-saar-ruwer ( 732341 ) on Friday September 02, 2005 @03:31PM (#13465895)

    They use an applet and encrypt the password information before it leaves the local PC.

    Being an old Novell MCNI/MCNE/etc, I was innundated, inculcated, and imbued by the overarching mantra: PASSWORDS NEVER TRAVEL THE WIRE!!! ONLY HASHES OF PASSWORDS TRAVEL THE WIRE!!!

  • Paper... (Score:5, Funny)

    by joto ( 134244 ) on Friday September 02, 2005 @03:32PM (#13465909)
    You see, there is a form of written communication that predates the computer, and is very secure once you've taken care of the physical security. It is also portable, easy to carry, does not require electricity, or any form of advanced machinery. It will survive in temperatures from far below human tolerance, to +70 celcius. It can be damaged by exposure to water, but because of it's flexible form, can easily be stored in an airtight container. This miracle medium is called: PAPER!

    You write the passwords you need on a piece of paper. If there are lots of passwords to be remembered, an electronic device called a "printer "can transfer the passwords from a computer at your office building to the paper.

    The paper is carried by the admin to whatever clients he need to go to. Once at the client, he fetches this piece of paper, and use his eyes to retrieve the passwords he need. The passwords are typed manually by the admin into the clients computer.

    As your admin finishes his job, the paper containing the passwords can be easily destroyed. A device specifically made for this, called a "paper shredder" exists in many offices, and your admin is likely to find one at the clients office.

    If a client does not have a paper shredder, the admin may choose to use the fallback solution of tearing apart the paper with his hands, followed by flushing it down the toilet. Another solution is to ignite the paper with a device called a "lighter", something that can usually be found at the back entrance of the clients building (just ask one of the smokers there).

    I hope this suggestion helps!

  • Why don't you setup seperate maintainance admin/appropriate level accounts on all your client networks and then keep the password the same?

    Obviously you'll need to get your clients to agree to this, but it sounds like you already have this level of access anyway.

    Since all these networks are disconnected, it's unlikely anybody will know you are using the same password for all of your clients, and I don't see how this is a worse risk than storing all of them in one location/file.
  • Network Password Manager [sowsoft.com]

    Run it on an Windows Server, install the clients on various people's machines. The clients authenticate against your domain controller, so there's almost no configuration necessary.

    It allows you to store passwords in a hierarchical fashion with a file-manager-style interface. You set permissions just like you would a normal windows shared file/folder.
  • Why not just set all the passwords to the same value and then tell everyone what it is? It's not like you're gaining any security by having multiple passwords; everyone knows them all anyway.
  • Start with the idea of the customer's authorized representative entering the password when your tech gets on-site.

    Second idea, Have the client create an account as needed for your Tech that gets deleted when your tech is done. At the very least have an account that gets disabled when not needed.

  • pms (Score:1)

    by gnarlin ( 696263 )
    password management system. Gives you encryption and a master password.
    Just put it on a server that you have ssh access to. It's a neat little program.
    http://passwordms.sourceforge.net/ [sourceforge.net]

  • Keychain Access (Score:2, Informative)

    by zhenga ( 770390 )

    Apple's Keychain Access is pretty nice to store and manage passwords, secure notes, and certificates.
    I use it very often to store notes, beats Stickies imho and easier to backup as well :)

    It's possible to create a Shared Keychain as well. Then all users on the machine can access that keychain if they know its password.

    I think most part of the Keychain Access is Opensource (correct me if i'm wrong!):
    http://darwinsource.opendarwin.org/10.4/libsecurit y_keychain-78/lib/ [opendarwin.org]

    So any takers on making keycha

  • I use Keyring [sourceforge.net]. It's very convenient to have it on the palm, and there are desktop editors for it as well (there are a couple of windows conduits, and a couple of java apps that work fine on macos or linux).
  • Write them down, and put them in a safe.

    Ta-da!

    - dshaw

  • Doy (Score:1)

    by Apreche ( 239272 )
    You can make multiple root/Administrator accounts on a machine. In Linux just make more users with uid 0. In Windows just add to the Administrator group.

    For everyone one on your staff who should have access, create an account on the machine for them. Give them the same username everywhere. They can keep track of their own passwords. If they want the same password at every client it's ok because they remember it. If they have a different password at every client there are plenty of handy palm/blackberry appl

  • Why not ask? (Score:4, Interesting)

    by minus9 ( 106327 ) on Friday September 02, 2005 @06:43PM (#13467129) Homepage
    "We have a handful of network admins and programmers who go out to client's offices to solve problems as needed."

    This is how I would do it...

    The people who go out on site, ask the client what the password is. If they are trusted then the password will be provided. If they are some halfwit who wants to "dump every client's administrator password into a text file" then they will be told to get the fuck away from my network and leave the building.

    They could also carry the passwords in a file using a modern concept called encryption, a new invention, only a few thousand years old.

    To think that I have recently been modding posters down for bitching about slashdot no longer being "News for nerds"

    There are also sites on the internet which can provide links to software which can fulfill this need.

    Sorry for being such a sarcastic twat but slashdot is sinking to the level of "My processor is running out of memory, should I buy a bigger monitor?"

    People come here to get away from this stupid crap.

  • kedpm (Score:4, Informative)

    by Noksagt ( 69097 ) on Friday September 02, 2005 @07:11PM (#13467288) Homepage
    I whole-heartedly suggest the use of Ked Password Manager [sourceforge.net]. It has both a graphical and a command line interface. You can therefore keep the paradigm of using it from the network--just ssh in to your server, and run kedpm (instead of catting the password). The files are encrypted with blowfish to a single password. The database is compatible with Figaro's Password Manager. kedpm is in python and, properly packaged, will run on darn-near anything. Including a USB thumbdrive if you want to take your passwords with you.
  • I keep all my passwords encrypted on GNU Keyring, on my old trusty Palm m100. It's not much good for that and addresses. It encrypts everything with DES3, and I guard it with a long password, that would be hard to brute force. It's probably the best device that I can think of to store passwords, since you can take it anywhere you go.
    • Similarly, I use Strip [zetetic.net] on my Treo 650, and used it on a succession of Visors before (finally) upgrading. After HotSyncing, I use POSE [netmeister.org] to emulate Palm OS on my PC so I can see the passwords and accounts right there.
  • I have a proprietary solution.
  • I would say create a means of doing this from scratch, something that doesn't have known flaws, backdoors, or exploitations. The leaking of information at that extreme is a big boo-boo to fix.
  • Sounds like a perfect use for a tool my friend told me about. It's from a little know company called Claria [claria.com] Hope this helps.

  • KeePass [sourceforge.net] is what you are looking for I have been using it for years now and it fucking cool.

    It stores all you Username/Password DataBase using so called "most secure encryption algorithms currently known (AES and Twofish)" [sourceforge.net] while SHA-256 is used as password hash.

    You can Group your list with details on each password: Title,Username,URL,Password (with AutoGen & Quality Rating), Notes, Expire Date and File Attachment. [sourceforge.net]

    It fully open-source (OSI certified) runs under Windows and PocketPC with [sourceforge.net]

  • My organization is in a similar situation with sharing administrative passwords. The politics dictate that I share specific account information with specific users. I was given a set of specifications which included a central repository of passwords, web interface, no 'master' password, and access control for each password entered. I really don't have the time to modify an open source package like http://w3pw.sourceforge.net/ [sourceforge.net] or http://pasonda.sourceforge.net/ [sourceforge.net], so I found http://www.argosytelcrest.co.uk/ [argosytelcrest.co.uk]

Slashdot Top Deals

"If it ain't broke, don't fix it." - Bert Lantz

Close