RE: Password Security and Distribution
Jeremy -

I've not found a better solution than PGP. Perhaps a more formalized process for communicating password updates proactively is all you need. Ideally, distributing passwords at 3am is too late.

In the past I've used small password database programs on a network share. You are then left with verbal or PGP-encrypted communications to distribute a single new password to access the database, versus distributing all of the changed passwords. If you're interested, try http://www.anypassword.com

There are others who read this list that prefer distributing passwords on paper. You can't hack into a piece of paper :) and if you have physical access to the paper then you most likely have physical access to the network equipment as well...

McLean

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Jeremy Stinson
Sent: Tuesday, January 24, 2006 10:49 AM
To: nanog@merit.edu
Subject: Password Security and Distribution

All,

Our company is starting to grow rather quickly and we are starting to have growing pains. We are in need of a better mechanism for sharing passwords between our engineers. Most of these passwords are for our clients' systems, where some of them are controlling the password schemes (aka requiring shared user accounts). We have a process in which we change passwords every X days, but distributing these passwords to everyone who needs them is starting to become a challenge. Also, handing off passwords securely to someone who is stepping in to help out at 3am is not easy. I have tried to do Google searches but I have not been able to find a good way or process to do this. I am wondering if anyone has any ideas on how to handle this?

In other companies we have used a PGP keyring to secure a text file that contained all of these passwords and then put them onto a shared customer portal. The problem with this strategy is what happens if you are not on your computer where PGP is installed?

Any suggestions will be welcomed.

Thanks in advance,

Jeremy
One of my guys found a package called Password Gorilla, which is basically a GUI which sits on top of Password Safe, which came out of Counterpane in 2002 or so. Either allows you to organize passwords by group and machine, and the whole database is encrypted by Blowfish:

http://www.fpx.de/fp/Software/Gorilla/

One thing I've been thinking of from my managed service/consulting background is to have a main database which has all users/passwords for all "companies" in a central database (LAMP architecture), then depending on what a user has access to, a custom Password Safe database is created for them. This would handle how to distribute password changes out to admins who have varying levels of access. Sounds like about a week's worth of work - if people voiced enough interest or if somebody cared to help me out, I'd finally get motivated to write it and put it up on Sourceforge...

John

On Tue, Jan 24, 2006 at 11:28:23AM -0500, McLean Pickett wrote:
[...]
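The layout John sketches above (one central record of all client accounts, from which each admin gets a custom database holding only what they are cleared for), together with McLean's point that the only secret then needing verbal or PGP hand-off is the single password that opens the database, as an added Python example. This is not code from the thread, from Password Safe or from Password Gorilla: the engineer names, groups, hosts and placeholder passwords are constructed sample data, and the vault encryption is a stdlib-only PBKDF2 + HMAC-SHA256 encrypt-then-MAC construction standing in for the Blowfish-encrypted Password Safe file, not that file format.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Added example, not code from the thread or from Password Safe / Password Gorilla.
# One central record with group-based access; each engineer receives a sealed vault
# containing only the entries their groups may hold. Rotating one client password
# then means regenerating only the vaults of engineers who hold that entry, and the
# only secret ever handed over out of band is each engineer's own vault passphrase.
#
# The sealing below is a deliberately stdlib-only stand-in (PBKDF2 + HMAC-SHA256
# keystream + HMAC tag). It is NOT the Password Safe format and not Blowfish; in
# production use an AEAD such as AES-GCM or an established vault format.

KDF_ITERATIONS = 100_000  # assumed PBKDF2 work factor, tune for your hardware


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used as a PRF keystream."""
    blocks, counter = [], 0
    while len(blocks) * 32 < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _derive_keys(passphrase, salt):
    """Separate encryption and MAC keys from the engineer's passphrase."""
    master = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]


def seal(passphrase, plaintext):
    """Encrypt-then-MAC; fresh salt and nonce per vault build."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(passphrase, blob):
    """Verify the tag before decrypting; a wrong passphrase and tampering both fail here."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault rejected: bad passphrase or tampered contents")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt.decode())


# Constructed sample data: the central record of shared client accounts, each tagged
# with the groups allowed to hold it. Passwords are placeholders, not real credentials.
CENTRAL = [
    {"client": "acme", "host": "core-rtr-1", "user": "admin", "password": "acme-rtr-pw-1", "groups": {"netops"}},
    {"client": "acme", "host": "db-1", "user": "sa", "password": "acme-db-pw-1", "groups": {"dba"}},
    {"client": "globex", "host": "edge-fw", "user": "root", "password": "globex-fw-pw-1", "groups": {"netops", "helpdesk"}},
]
ENGINEERS = {"alice": {"netops"}, "bob": {"netops", "dba"}, "carol": {"helpdesk"}}


def entries_for(groups, central=CENTRAL):
    """The subset of the central record an engineer in these groups may see (no group tags)."""
    return [{k: e[k] for k in ("client", "host", "user", "password")}
            for e in central if groups & e["groups"]]


def build_vaults(passphrases, engineers=ENGINEERS, central=CENTRAL):
    """One sealed vault per engineer, each holding only that engineer's entries."""
    return {name: seal(passphrases[name], json.dumps(entries_for(groups, central)).encode())
            for name, groups in engineers.items()}


def rotate(client, host, user, new_password, engineers=ENGINEERS, central=CENTRAL):
    """Change one shared password and return the engineers whose vault must be rebuilt."""
    affected = set()
    for e in central:
        if (e["client"], e["host"], e["user"]) == (client, host, user):
            e["password"] = new_password
            affected |= {n for n, g in engineers.items() if g & e["groups"]}
    return affected


if __name__ == "__main__":
    pws = {"alice": "alice-vault-pass", "bob": "bob-vault-pass", "carol": "carol-vault-pass"}
    vaults = build_vaults(pws)
    print("alice sees:", [e["host"] for e in open_vault(pws["alice"], vaults["alice"])])
    print("rebuild after rotating acme/db-1:", sorted(rotate("acme", "db-1", "sa", "acme-db-pw-2")))
```

The builder in this toy knows every engineer's passphrase, which is the weak point McLean's PGP approach avoids: with per-engineer public keys the central side would encrypt each generated vault to that engineer's key and never hold their secret. The scheduled "every X days" rotation then becomes a rebuild of only the vaults `rotate` reports as affected, and an engineer stepping in at 3am needs just their own vault and its passphrase, not a fresh copy of every changed client password.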
Hi,

That sounds like it could be useful. The major problem I have with Password Safe is that it is hard to do things like copy a group of passwords to another .dat file. That makes it hard to do anything but either keep several .dat files floating around for different users, aka accountants, programmers, managers... which leads to some of them being way out of date and people going back to the sticky note DB method. I have some of those myself, I am sorry to say.

I also found this: http://jason.diamond.name/weblog/2005/04/07/cracking-my-password-safe

He goes into a lot of detail on how Password Safe works. He also has a link to what he did in Python: http://jason.diamond.name/weblog/2005/10/04/pypwsafe-release-1

Thanks,

Eric

At 10:03 AM 1/24/2006, John Kinsella wrote:
[...]
participants (3)
- Eric Frazier
- John Kinsella
- McLean Pickett