DBA password documents for continuity

First off – I am not an oracle DBA; I work in a risk role.

However, for audit/risk purposes, I am told is common for DBA’s to have documents containing passwords about the Databases they support, and host servers, in plain text. I believe this is for continuity purposes. Is this true?

For what reasons do you keep passwords in documents and what do you refer to such documents as?

Is there a risk in not having passwords documented anywhere?  Please elaborate in layman’s terms.
Who is Participating?
Guy Hengel [angelIII / a3]Connect With a Mentor Billing EngineerCommented:
consider this situation: there is only 1 dba account, and it's password is "lost/forgotten".
the only way to change it is with DBA powers, but that's exactly the issue ... you don't have DBA access...

so, the normal process is to have a secure place (like a "bank safe") where a dba or his replacement could just open it with a proper process and use it... and then normally change it...

the "workaround" is to have multiple dba accounts, but still at some point you come to the same "risk" analyis: 1 dba is off, the one "on shift " is ill, and third one will only come for the next shift in 8 hours and is right now not available by phone... : but you have a major database crash.
the risk is very low, but should be considered.
pma111Author Commented:
Ok thanks. Is this document referred to anything? I want to ask our DBA's on their procedures for securing such documents, but I am not sure how to phrase the name of the document?
slightwv (䄆 Netminder)Connect With a Mentor Commented:
I'm not sure if there is a standard name for this practice.  If your organization has a name for it, your system securitry folks should have it in policy somewhere.

Our security policy separates login accounts into two categories: user accounts and service accounts.

Service accounts are system level accounts like the admin accounts( DBA/sys admin), and application specific accounts.  Service level account passwords are stored in sealed envelopes and placed in a safe.

These are to be used in an emergency situation and once the envelope is opened, the password must be reset by the primary keeper of the accounts, placed in a new envelope and placed back in the safe.

This ensures there is not a single point of failure in the human aspect of systems.  It helps ensure continuity of operations (COOP).
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

Geert GruwezConnect With a Mentor Oracle dbaCommented:
it also depends on how many passwords you have "memorize"

we have a password excel which is locked with a password.
then someone saved the file over the original one with a different password and left the company due to some disagreement

next thing was to invent "password algorithms"
like if you have PRD database and DEV database, you put some prefix and suffix...
this required only memorizing the algorithm
then you get people who don't really like that algorithm and start new algorithms on different systems
in the end you have an excel containing all the algorithms for the password and it's best to lock that with a password.

See where were going ?
Save it in an ordinary text file on a server directory where only the dba's have access to
> if the dba's are all sick, ask a network admin for admin access to the server directory and hey presto no more problems with passwords

you could also setup a database containing all the passwords
> but where do you save that password ?
slightwv (䄆 Netminder) Commented:
>>Save it in an ordinary text file on a server directory where only the dba's have access

I have to disagree with saving it electronically.  A compromised system is a compromised system.  I might compromise the server with the spreadshet then I now have access to your databases.

Even with the password protected Excel spreadsheet you mentioned:  Do you know how easy it is to crack password protected MSoft docs?

If you are going to store them, do it in a non-electronic method.

>>then someone saved the file over the original one with a different password and left the company due to some disagreement

FYI:  This is why backups exist?  If you have a good tape rotation, you should have been able to recover some version with the correct password.  Granted the passwords might be old but some should have been valid.
DavidConnect With a Mentor Senior Oracle Database AdministratorCommented:
In a previous assignment, the client had switched to Cyber Ark to manage over five hundred privileged accounts, including the generics for schema owners, admins, queries, and power users.  Not a plug intended, so here's the wiki instead of the vendor site: http://en.wikipedia.org/wiki/Cyber-Ark.  In addition, password rotation enforcement was diligent.  Other auditing steps I'm not at liberty to discuss.

Another excellent alternative to a spreadsheet is Roboform, which I've used for many years.  Encrypted storage, with multiple password levels.

If I have to use a site's spreadsheet, I'm going to push for it to be on an off-network node, encrypted, and ACL enabled.
pma111Author Commented:
Any specific term you use for the documents/respositiories storing the passwords, or are they included in another document set?
DavidSenior Oracle Database AdministratorCommented:
My SSO was sufficient for access to the browser-based front-end, and my access was role based.  Obviously, when leaving employment, Security disables the LAN account immediately.  For the lessor-privileged accounts, the business process owner (BPO) had ownership of who could use the generic accounts.  As per common best practices, schema owner accounts were locked down except for scheduled DDL and maintenance.

Does that answer your question?
Geert GruwezOracle dbaCommented:
>>the LAN account
most people in IT have passwords to several accounts
Geert GruwezOracle dbaCommented:
>slight, disagree with saving it electronically
anybody can run off too with a piece of paper
slightwv (䄆 Netminder) Commented:
>>anybody can run off too with a piece of paper

But you know 'someone' accessed it if secured in an envelope and it is stored in a secure location.  Then the 'audit' can start.

It is all about mitigating unauthorized access.  You will never stop it.
All Courses

From novice to tech pro — start learning today.