Solved

Q for SYSADMINS: How to store passwords and other sensitive data

Posted on 2015-01-13
Last Modified: 2015-01-31
*This is a question for sysadmins.

Hi guys, I am a systems integrator, and I hope someone could advise me on how to keep credentials and other sensitive data for accessing servers and other systems.

I am currently caught in a hammock of different solutions we have used over the years, and wouldn't like to reinvent the wheel.

What I am searching for is _not_ a program, but a _system_ that could be utilized effectively and simply.

Thanks a lot in advance!
Question by:mrmut
24 Comments

Expert Comment

by:Ugo Mena
ID: 40546577
I would be quite interested in the answers you get to this question too.

My current method for storing passwords to a variety of servers and systems is to use an analog to digital storage system.

I keep a couple pages bound into a notepad that is kept in a locked storage cabinet. The pages are printouts of a text document that actually contains the user/pwd combos. This file is kept on an encrypted sparse read/write image (DMG) that I store on my laptop.

Each time I need to add a new system pwd, I write it into the notepad. This goes for pwd resets too. Once I reach a set number of adds or changes, I re-edit the text file, reprint and rebind the notepad. In cases where I don't want to carry my notepad with me, I take a picture of the pwd combos I need with my phone.

I find myself updating my notepad twice a year.

In the event that I lose the notepad, I can go back to the text file to change, then recreate all my pwd combos. If I lose my laptop, the file is encrypted and I still have the notepad to change, then recreate my pwd combos.

Not the most elegant system, but it keeps me from having to remember where my pwds are.

Author Comment

by:mrmut
ID: 40546725
I asked a friend; they use a password application (KeePass), but that isn't a very wise solution in the long term.

I am really interested in how other people are doing this, as the password management problem is an ever-increasing one.

Expert Comment

by:Ugo Mena
ID: 40570665
Not many responses here...

I suspect many admins don't really have a fail-safe method to store passwords. I imagine there would be a highly secure way to keep them safe using an RSA key, or something with that type of theoretical security. But what happens when that key is lost?

An implant maybe? ;) But it would require a method to release or remove it when staff changes occur... kinda messy. But if the information being protected is worth the effort, then the ROI is acceptable.

A key to keep the keys.

Great question mrmut!

Author Comment

by:mrmut
ID: 40570815
I also thought there would be more responses. It is strange that there are so few, given how prevalent this problem is.

I spent some time asking around about this, and got one amusing reply: a guy I know stores his passwords in a text file on a floppy disk. Interesting concept if you think about it. An obsolete medium, which can be read given a bit of effort, but is still inaccessible to most: a technological obstacle.

Re your idea for implants, I don't think that would be very smart, as it would make us rewarding targets... :-) (Johnny Mnemonic comes to mind.)

I will ask around some more, and report back.

Password storage tools all run on a big, network-connected system. Take one good keylogger and you are doomed. And this is not rare by any means; each year I have 2-3 very serious infestations by malware that steals keys, keyloggers, etc., and this is on multi-tier protected systems. This year I had a client whose system was infected by something that was unremovable with any tool, but the bank (which reported the problem) could still register it and disable the client's account. (They didn't want to disclose what it was that they discovered.) One such piece of software on a sysadmin's computer, and dozens of systems would be compromised.

Expert Comment

by:Ugo Mena
ID: 40570864
I like the idea of using a floppy disk. But you had better have an extra floppy drive reader handy...

Keystroke loggers are all over the place. I would assume any infection is going to install one of these and keep an open connection via back doors.

Accepted Solution

by:kevinhsieh (earned 500 total points)
ID: 40578884
Organize all passwords and sensitive information in LastPass. Secure it with two-factor authentication. Information can be shared with multiple users and revoked. Information is always stored and transmitted encrypted, and is only decrypted locally by the local device.

https://helpdesk.lastpass.com/multifactor-authentication-options/

Author Comment

by:mrmut
ID: 40579181
Thank you. While this isn't exactly what I had in mind, I have to admit that this does look good. Now, there is the question of security and reliability.

That said, is there any local backup solution, and do you maybe know how the encryption is done? Only on the user's computer, or are the encryption keys also stored on the server (meaning, can they decrypt my data)?

Thanks.

Author Comment

by:mrmut
ID: 40579198
OK, found out about the key - apparently, cryptography is local:

Your encryption key is created from your email address and Master Password. Your Master Password is never sent to LastPass, only a one-way hash of your password when authenticating, which means that the components that make up your key remain local. This is why it is very important to remember your LastPass Master Password; we do not know it and without it your encrypted data is meaningless. LastPass also offers advanced security options that let you add more layers of protection.

Now, there is only the question of how easy local backup is (for contingencies).

Expert Comment

by:kevinhsieh
ID: 40579243
Their servers are only for syncing your data. You don't need to have an Internet connection to access your data. You can have the software installed on your computer, phone, and tablet. You can make a copy of your encrypted blob and store that on a USB key. You can export to plain text. Do you need any other options?

https://lastpass.com/support.php?cmd=showfaq&id=1206

Expert Comment

by:Chris Dent
ID: 40579273
I've used PGP to encrypt files with passwords in them in the past. It's great for multi-user scenarios, as each user can have their own key and multiple private keys can decrypt a single file.

There is a maintenance cost to this solution: you have to maintain and distribute your key stores, and you have to maintain the signatures on files. On the other hand, the alternatives aren't cheap and aren't necessarily any less maintenance.

I worked around some of the maintenance problems by writing a little PowerShell wrapper which would let you (for example) encrypt a file so an AD group of people could decrypt it. You'd have to ensure you had public keys for each, but that's back to keystore maintenance.

Chris
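The multi-key file Chris describes, written out as an added example. This is not Chris's PowerShell wrapper and not LastPass's code; the recipient names and the sample password line are made up. It uses the same envelope idea as PGP's multi-recipient encryption, but with Go's standard library in place of GnuPG: the file is encrypted once with a random AES-256-GCM key, and that key is wrapped with RSA-OAEP to each admin's public key, so any one private key can open the file and removing a wrap is how access is revoked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is one admin's key pair; only the public half is needed to grant access.
type Recipient struct {
	Name string
	Key  *rsa.PrivateKey
}

// Envelope is the shared password file: one AES-256-GCM ciphertext plus the
// data key (DEK) wrapped separately for every authorised recipient.
type Envelope struct {
	Nonce, Ciphertext []byte
	WrappedDEK        map[string][]byte // recipient name -> RSA-OAEP(DEK)
}

func NewRecipient(name string) (*Recipient, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Recipient{Name: name, Key: k}, nil
}

func newGCM(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the file once under a fresh random DEK and wraps the DEK to
// each recipient's public key, so any single private key can open it.
func Seal(plaintext []byte, recipients []*Recipient) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, WrappedDEK: map[string][]byte{}}
	env.Ciphertext = gcm.Seal(nil, nonce, plaintext, nil)
	for _, r := range recipients {
		// The recipient's name is the OAEP label, tying each wrap to its owner.
		w, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &r.Key.PublicKey, dek, []byte(r.Name))
		if err != nil {
			return nil, err
		}
		env.WrappedDEK[r.Name] = w
	}
	return env, nil
}

// Open unwraps the DEK with one recipient's private key and decrypts the file.
// A key that was never granted, or whose wrap was revoked, gets an error.
func Open(env *Envelope, r *Recipient) ([]byte, error) {
	w, ok := env.WrappedDEK[r.Name]
	if !ok {
		return nil, errors.New(r.Name + " is not a recipient of this file")
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, r.Key, w, []byte(r.Name))
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Revoke drops a recipient's wrapped DEK. This only stops them opening copies
// made from now on: they already had the DEK for every copy they received, so
// the passwords inside must be rotated and the file re-sealed as well.
func Revoke(env *Envelope, name string) {
	delete(env.WrappedDEK, name)
}

func main() {
	alice, _ := NewRecipient("alice")
	bob, _ := NewRecipient("bob")
	env, _ := Seal([]byte("db01 root: example-only-password"), []*Recipient{alice, bob}) // constructed sample
	got, _ := Open(env, bob)
	Revoke(env, "bob")
	_, err := Open(env, bob)
	fmt.Printf("bob before revoke: %q; after revoke: %v\n", got, err)
}
```

The comment on Revoke is the part to remember when staff leave: deleting someone's wrap stops them opening new copies, but they already held the data key for every copy they ever received, so the passwords inside still need rotating. That is true of any shared password store, not just this one.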

Author Comment

by:mrmut
ID: 40579281
Thank you for your answer. I thought of a similar solution myself. Essentially, what LastPass seemingly does is quite similar. I have to test a bit, but I think that's the winner. Even the $1 option for mobile sync doesn't seem like much.

Expert Comment

by:davidanders
ID: 40579320
A database runtime stored on a flash drive would be my choice. Images and other multimedia can be included. The runtime can be backed up securely with a free account with Wuala. The backup is encrypted on the computer before transmission, and can reside on the flash drive; no installation required.
I develop in FileMaker, and royalty-free runtimes are included in the Advanced version.

Author Comment

by:mrmut
ID: 40579328
Aren't you concerned about flash drive reliability? I have had a similar solution implemented before, with a TrueCrypt container, which got damaged with time and the data was lost. In general, I wouldn't ever store anything serious on a flash drive; they are too unreliable.

Author Comment

by:mrmut
ID: 40579529
Just got a reply from a firm that does system administration. Their company policy is an open Excel table with all of the passwords, and unofficially they use KeePass and LastPass.

So, it seems to me that there aren't many options. Either I build a system and encrypt it myself, similar to what ultralites mentioned, or use LastPass.

Expert Comment

by:Chris Dent
ID: 40579531
There's a depressing prevalence of unencrypted password stores kicking around (many of which are Excel based). I find it's actually quite rare to find an IT department that wants to keep secure things secure :)

Chris

Author Comment

by:mrmut
ID: 40579554
I really didn't think it would be like this. :-)

My personal strategy was having passwords only on:

1. my own machine
2. a fully encrypted drive
3. religiously scanned for malware

or

using a VMware-encrypted, LAN-disabled OS for management and storage of credentials.

It is amazing to learn that third parties' system security depends on an open file on a _LAN share_, which also seems to be the prevalent solution.

Expert Comment

by:Rich Weissler
ID: 40579571
I've moved to keepass "recently", and a USB thumbdrive does factor into my 'system'... but I also make certain I have a backup.

Keepass has the option of using some other binary file as part of your encryption key, which can be in a totally different directory and not part of your password 'system.'  :-)  (Just be certain to back that up 'somewhere else' too.)
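Both the LastPass description mrmut quoted earlier (the key is derived locally from e-mail address and master password, and only a one-way hash goes to the server) and Rich's note about a key file becoming part of the KeePass key describe the same kind of local key derivation. Here is an added example of it in Go. It is not LastPass's or KeePass's own code: the KeePass composite-key step is simplified, the "stretch with PBKDF2 salted by e-mail, then one more round for the login hash" shape is modelled on what LastPass documents rather than copied from it, the iteration count is a chosen value, and the e-mail, password and key-file bytes are constructed. It shows why the hash the server holds is useless for decrypting the vault, and why a lost key file is unrecoverable.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018), written out so that the
// example needs nothing beyond the standard library.
func pbkdf2SHA256(secret, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, secret)
	hashLen := prf.Size()
	blocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, blocks*hashLen)
	idx := make([]byte, 4)
	for i := 1; i <= blocks; i++ {
		binary.BigEndian.PutUint32(idx, uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for c := 1; c < iter; c++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// CompositeSecret combines the master password with an optional key file in
// the manner of KeePass's composite key (simplified here): SHA-256 over the
// SHA-256 of each component. Losing the key file changes the result
// completely, which is why it needs its own backup on separate media.
func CompositeSecret(password, keyFile []byte) []byte {
	h := sha256.New()
	pw := sha256.Sum256(password)
	h.Write(pw[:])
	if len(keyFile) > 0 {
		kf := sha256.Sum256(keyFile)
		h.Write(kf[:])
	}
	return h.Sum(nil)
}

// VaultKeys is what the client computes locally. EncKey never leaves the
// device; AuthHash is the only value the sync server ever stores.
type VaultKeys struct {
	EncKey, AuthHash []byte
}

// DeriveVaultKeys: e-mail address as salt, master secret stretched by PBKDF2
// into the vault key, then one extra PBKDF2 round (salted with the secret) to
// produce the login hash. The server can verify that hash but cannot invert
// it to recover EncKey.
func DeriveVaultKeys(email string, password, keyFile []byte, iter int) VaultKeys {
	secret := CompositeSecret(password, keyFile)
	enc := pbkdf2SHA256(secret, []byte(email), iter, 32)
	auth := pbkdf2SHA256(enc, secret, 1, 32)
	return VaultKeys{EncKey: enc, AuthHash: auth}
}

// VerifyLogin is the server-side check: a constant-time comparison of the
// stored hash with the one the client presents.
func VerifyLogin(stored, presented []byte) bool {
	return hmac.Equal(stored, presented)
}

func main() {
	// Constructed sample inputs; not real credentials or a real key file.
	keyFile := []byte("contents of a random key file kept on separate media")
	with := DeriveVaultKeys("admin@example.com", []byte("correct horse battery"), keyFile, 100000)
	without := DeriveVaultKeys("admin@example.com", []byte("correct horse battery"), nil, 100000)
	fmt.Println("vault key, with key file:   ", hex.EncodeToString(with.EncKey))
	fmt.Println("vault key, without key file:", hex.EncodeToString(without.EncKey))
	fmt.Println("login hash sent to server:  ", hex.EncodeToString(with.AuthHash))
	fmt.Println("server accepts login:", VerifyLogin(with.AuthHash, with.AuthHash))
}
```

The PBKDF2 routine can be checked against the standard "password"/"salt"/1-iteration vector. The key-file branch is where Rich's warning bites: there is no way to recompute EncKey without those exact bytes, so the key file needs a backup on different media than the database, exactly as he says.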

Author Comment

by:mrmut
ID: 40579579
Thanks. I haven't yet tested LastPass, but as I presume my team will grow, the option to delegate access to specific password groups and 2-step login look quite appealing. (Though I must admit that I still WILL print and lock all of the passwords. I don't trust technology that much. :-)

Expert Comment

by:Rich Weissler
ID: 40579592
I've started making extensive use of the automatic password generator and the 'copy to clipboard' feature of KeePass. It only leaves your password in your clipboard briefly. (Tip: when you paste the password, use Ctrl-V, not right-click Paste. The mouse paste will LOOK okay, but the password always seems to fail.) That makes passwords like '^¤"ç@´b«ÃòÕXk«É±¿õËÛpÖ4Wwt»ZÑ{#Èô£{ºfÛÒ.à¬äV¶' possible. (And for my service accounts that don't get put in more than a couple of times, that's perfect for me. :-) )

Expert Comment

by:Ugo Mena
ID: 40579819
Nice to see the number of responses here. Thanks again for bringing this up, mrmut.

Author Comment

by:mrmut
ID: 40580186
I think that this is my most productive non-trivial question yet. :-)

Expert Comment

by:Darr247
ID: 40581406
[description of my password generation algorithm deleted, since this question is closed]

I've explained my system in detail to my daughter, who got a good grasp of it in short order, but my wife totally does not get it, and continues to use names of previous pets + address numbers, which - oddly enough - websites that display 'password strength' with a red/yellow/green progress bar all judge hers "green."   :)

Author Comment

by:mrmut
ID: 40581419
I routinely use an animal name + number combination + a sign for ordinary user passwords. Works fine. That, combined with increased pauses between password entries, is a pretty nice deterrent.