Password Lists? What's the best way?

Permabanned | Joined: 19 Apr 2006 | Posts: 2,333 | Location: West Yorkshire
Right, at work I have recently enforced a policy whereby we have different passwords for different items.

Until recently we merely used the domain admin password for everything.

I know this wasn't wise, but it was easy.

So I now have lots of different passwords:

Domain admin
Citrix admin
virus Server admin
mail server admin
workstation local admin
Server local admin
etc
etc

All is well and good and I don't have a problem with remembering the passwords; however, other staff may need access to these passwords at some point. If I were to leave the company then my successor would need the passwords to get stuff done.

So my question is this: what is the best way to keep a secure password list?

I originally was going to keep it in a password-protected Excel spreadsheet, however that then means we still have 1 master password (for the sheet) and then anyone who managed to get into the sheet would have complete access to the network.
 
We have a directory secured by NTFS permissions for a handful of named users (not a group), and a copy of that document in both fire safes (to which only authorised people have a key).
 
The_KiD said:
Right, at work I have recently enforced a policy whereby we have different passwords for different items.

Until recently we merely used the domain admin password for everything.

I know this wasn't wise, but it was easy.

So I now have lots of different passwords:

Domain admin
Citrix admin
virus Server admin
mail server admin
workstation local admin
Server local admin
etc
etc

All is well and good and I don't have a problem with remembering the passwords; however, other staff may need access to these passwords at some point. If I were to leave the company then my successor would need the passwords to get stuff done.

So my question is this: what is the best way to keep a secure password list?

I originally was going to keep it in a password-protected Excel spreadsheet, however that then means we still have 1 master password (for the sheet) and then anyone who managed to get into the sheet would have complete access to the network.

Forcing people to remember lots of different passwords is counter-productive, and just encourages them to write them down. Allow people to use one single password for all applications and enforce a minimum level of security for that password. Better that they use one hard password than 20 easy ones.
 
These aren't passwords for individual users though, these are for domain/system/service accounts. Not to be used for day to day shizzle (at least, not here).
 
Otacon said:
These aren't passwords for individual users though, these are for domain/system/service accounts. Not to be used for day to day shizzle (at least, not here).

Ah, good point.

In that case I agree that the best bet is a hard copy of them, with copies held securely.
 
Write them on your hand in ink :p :D
 
Actually, please don't do this, as that's the stupidest thing any IT person can do imho lol, and trust me, I have met a few who have, only to find out that the ink has somehow rubbed off and they can't remember the passwords for the server and domains etc. etc.
 
We used to have a system pretty much the same as the one Otacon mentioned: 2 copies of the passwords written down and popped in an envelope, and 1 placed in each fire safe.
 
My solution would be:

- Hard copy of the password sheet kept in a fire safe AND
- Use NTFS permissions and EFS on the password spreadsheet. Check out "WinXP - Using EFS" and specifically look under "Authorizing Multiuser Access to Encrypted Files". This means no extra passwords need to be remembered and there is some extra protection on the password file.

OR, you can be the only one who has all the passwords and anyone who needs them has to either ask or pay you for them :p
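The NTFS-plus-EFS setup suggested above, as an added example that is not part of the original post. It assumes a file server with NTFS, an elevated PowerShell prompt, and constructed placeholder names for the file path and the custodian accounts; each custodian must already hold an EFS certificate that cipher.exe can look up (for example by having encrypted a file once on a domain-joined machine).

```powershell
# Added example (not from the thread). Lock a shared admin-password
# spreadsheet down to a handful of named users with NTFS ACLs, then use
# EFS multi-user access so each custodian decrypts with their own logon
# rather than a shared master password. All names below are placeholders.
$File    = 'D:\SecureAdmin\AdminPasswords.xlsx'   # constructed path
$Keepers = @('CORP\alice', 'CORP\bob')            # named custodians, not a group

# 1. NTFS: strip inherited ACEs so nothing leaks in from the parent folder,
#    then grant only SYSTEM (for backups) and the named custodians.
icacls $File /inheritance:r
icacls $File /grant:r 'NT AUTHORITY\SYSTEM:(F)'
foreach ($u in $Keepers) {
    icacls $File /grant:r "${u}:(R,W)"
}

# 2. EFS: encrypt the file under the current (admin) user's EFS certificate.
cipher /e $File

# 3. EFS multi-user: add each custodian's EFS certificate to the file so
#    they can open it under their own account; remove a leaver later with
#    cipher /removeuser /user:<name> $File (and drop their NTFS ACE).
foreach ($u in $Keepers) {
    cipher /adduser /user:$u $File
}

# 4. Verify: list who can decrypt the file and who holds NTFS access.
cipher /c $File
icacls $File
```

Note that EFS only protects the file at rest on this volume; a copy taken to FAT media or printed for the fire safe is plaintext, and anyone whose domain account is compromised still opens it, which is the risk the next post raises.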
 
I think possibly having them stored in hard copies in safes would be the best way.

Don't like the idea of storing it on a server even if it is NTFS permission protected.

All some nasty virus has to do is to capture someone's password and bingo they have access to the password list :S
 
Either:

Post-It Note on monitor with them all on

or

Make them all "password" - that way everyone will be able to remember them

or

Go with Otacon's sensible suggestions.
 
You have to balance the need for security with practicality. If it's likely people are going to need semi-regular access to this information, then the need to keep going to the safe isn't really time efficient. Hell, you'll probably find that they either leave it out of the safe, or copy the passwords onto post-its.

There are other ways to secure the information and keep it on the network which you may want to consider, but they aren't as easily accessible. SQL Server for instance.
 
I'd be tempted to pretty much go with the same password, but make it pretty complicated and modify it with a name for each system. That way you can remember the generic password and the descriptor, and combine them for the full password. For example:

base password of "password"
for "email" system the password could be pEaMsAsIwLord
for "directory" system the password could be pDaIsRsEwCoTrOdRY
and the like :)
 
Put them in a txt file on a hidden share somewhere with NTFS permissions, store a hard copy with your backups.
 