Password retention and storage

Date August 28, 2008

I got an email from a reader yesterday asking about how I generated and stored my passwords securely. The reader was interested in what methods were available to sysadmins for managing diverse passwords for different machines and devices.

I had to laugh at my password generation scheme (run 'fortune' a couple of times, pick some random words and throw a random character between them), and my password storage is nothing to brag about either.

What methods do you use in your infrastructure to generate / store passwords?

  • Jim

    As far as creating passwords goes, it depends on which one of us here creates it. If it is the Senior sysadmin, either he takes something in the room and translates it into bastardized 1337, or he takes a long song title or phrase and uses the first letter of each word and some random punctuation to create a password. Since I am not that creative, I use this to create my strong passwords.

    As far as storage goes, we have a homebrewed app that encrypts the passwords and stores them in a database.

  • Michael Janke

    Password Safe.

    The password safe .dat files are replicated to a remote data center, and treated somewhat specially in our DR plans.

  • Matt

    @Jim

    Ah, l33t passwords. I remember using those at my ISP. Oh, the fun. :-)

    @Michael

    I'd not heard of that, but it sounds great. I think I'll install it and give it a shot. thanks!

  • Dan C

    For system passwords apg(1) creates sufficiently random, but more importantly, pronounceable passwords. This can make 10 digit alphanumerics really easy to remember. Although unfortunately not everyone that I work with shares the same ability, I can easily recall 50 of our most common machine passwords.

    Alternatively for passwords that don't need to be remembered we use the same PC Tools link that Jim provided up there.

    For storing them, SpyProof provides us an encrypted volume against PKI (2 factor tokens in our case) that can be mounted by multiple people at the same time.

  • Craig March

    At my previous employer, to store passwords we had a red book...

    I argued that this was stupid, but the Sys Admin (I was lowly helpdesk fodder at the time) told me it was safer than an encrypted file. Am I alone in thinking this was nuts?

  • Matt

    @Dan_c

    I dig the idea of SpyProof, but it looks like a commercial front end for something like TrueCrypt. Does it offer any additional features?

    @Craig_Marsh
    How dare you question the great and powerful Oz?

    (and yes, I agree that it's a dumb idea, unless you keep it in a firesafe or something similar, but I can't say I've not been guilty of the same thing)

  • Dan C

    Matt> It is similar.

    Where they differ is that TrueCrypt will encrypt a volume to a single key and password.

    SpyProof allows you to authorise multiple users and store those keys securely on a PKCS#11 smartcard device.

    Its closest relative is PGPDisk. Except that this works and PGPDisk doesn't.

  • Matt

    @dan_c
    "Except that this works and PGPDisk doesn't."

    OK, I'll admit it. I laughed.

    Sounds cool, I like the multiple passwords concept. Thanks for sharing, I'm going to look more into it.

  • Anonymous

    Because I was handed a list of passwords in a Word doc when I started, the first thing I did was set up some sort of password database.

    As the lone admin I have been using Revelation Password Manager for the eventual hand off to the next sysadmin.

    Hopefully my wiki docs are also appreciated.

  • Greg

    As far as creating passwords, I use the site that Jim mentioned. I stored the passwords in a spreadsheet that was encrypted. Being the only sysadmin, a hard copy was also printed out and stored in my boss' safe in case I was ever hit by a bus.

  • Anonymous

    I'm on the phone with Symantec tech support at the moment, so please excuse the brief post. We use KeePass for password storage, and Atory Password Generator for creation. KeePass can be used for password creation as well. I'm surprised neither of these have been mentioned thus far. Does anyone else use them? Are there any known reasons to shy away from them?

  • Craig March

    @Matt

    Well it wasn't kept safe, probably due to the fact that it was constantly being used. I bet it's still there!

    @Anonymous

    Use KeePass for personal use, have been thinking of using it with my current employers though...

  • James

    sudo apt-get install pwgen

    For the users (even though they'll probably never use it), I used PHP to make a web page of the output from pwgen.

  • Kenny

    One guy I used to work with would use htpasswd to create passwords. I wonder how upset our customers would have been if we had told them their root password was originally a four letter word beginning with F?

  • cmdln

    We currently use Keepass, it runs on Linux, Windows, and Mac. It's a nightmare!
    One of these days our developers and I are going to sit down and make a web based password manager that tracks access to the passwords. That way when someone leaves the company we can pull a report of every password they have ever had access to and every password they have ever retrieved so they can be changed.

  • Matt

    @cmdln

    That web-based idea is great, especially in the case of someone leaving, like you mentioned. Is there nothing free that does that already? It seems like an obvious void.

  • Bill

    For USER passwords, I've always rolled my own - that way I can control the alphabet, the hash function, and dump the passwords in the cracking dictionary for future auditing.

    For ADMIN/SERVICE passwords, I used to use a pgp/gpg file with one of the symmetric ciphers. Since passwordsafe was released, I've switched and never looked back. It has all the features most admins & department groups need, including generation, encryption, categories, username & comments field, clipboard integration + db locking.
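    As an added example (not code from the post or from any commenter), here is the entropy arithmetic behind the generation schemes in this thread: the two-words-from-fortune scheme in the post, the 10-character alphanumerics Dan C mentions, and Bill's controlled alphabet plus dictionary audit. The word pool and separator set are constructed sample data; a real audit would use the site's actual cracking dictionary.

```python
import math
import re
import secrets
import string

# Constructed sample data (not from the post): a tiny word pool standing in for
# words pulled out of 'fortune', and a set of separator characters.
WORDS = ["apple", "river", "stone", "cloud", "tiger", "maple", "ocean", "candle"]
SEPARATORS = "!@#$%^&*"
ALNUM = string.ascii_letters + string.digits


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` symbols drawn uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def two_word_scheme_bits(n_words, n_separators):
    """Entropy of 'word + separator + word' with uniform picks.

    Strength is set by the size of the word pool, not by the length of the
    result: two words from 2000 plus one of 32 separators is under 27 bits.
    """
    return 2 * math.log2(n_words) + math.log2(n_separators)


def random_password(length=10, alphabet=ALNUM):
    """pwgen/apg-style random password from a controlled alphabet, via the CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def two_word_password(words=WORDS, separators=SEPARATORS):
    """The 'two words with a random character between them' scheme from the post."""
    return secrets.choice(words) + secrets.choice(separators) + secrets.choice(words)


def dictionary_composable(password, dictionary):
    """Audit check: True if the password is only dictionary words glued together
    by non-alphanumerics, i.e. a combinator wordlist would cover it."""
    pieces = [p.lower() for p in re.split(r"[^A-Za-z0-9]+", password) if p]
    return bool(pieces) and all(p in dictionary for p in pieces)


def compare_schemes():
    """Entropy (bits, rounded) of the schemes discussed in the thread."""
    return {
        "two_words_from_2000": round(two_word_scheme_bits(2000, len(SEPARATORS)), 1),
        "alnum_10": round(entropy_bits(len(ALNUM), 10), 1),
        "alnum_16": round(entropy_bits(len(ALNUM), 16), 1),
    }
```

    The point for an auditor is that the word-based scheme is only as strong as the pool it draws from, while a 10-character random alphanumeric already carries about 60 bits.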

  • Anonymous

    I use the open source solution AxCrypt for encrypting office documents like password documents. It's also useful for sending encrypted documents over email. The receiver also does not have to have the application installed if you use the .exe embedded self extracting option. If emailing, it would have to be zipped to pass .exe filtering though.

  • Philip J. Hollenback

    One simple option that works pretty well is a combination of pwgen and a gpg-encrypted text file. Use pwgen to generate passwords and manually paste them into the file. This is relatively transparent if you use emacs with the crypt++ extension or modify your vi config to open gpg-encrypted files (http://www.antagonism.org/privacy/gpg-vi.shtml).

    Obviously this doesn't scale very well but for a few hundred passwords or so it works just fine and is fairly robust. I recommend you set up a cron job to save backup copies of the password file to multiple locations just in case.

    One nice feature of this approach is you are not tied to any particular tool. Anywhere you can run gpg you can open the file.

  • Mats

    I have been using Roboform for several years now and like it. It stores notes and logins for websites.