Password Management within an Organisation

Question

Within an organisation there are many passwords such as those for root accounts on servers, hosting accounts, router logins and other such things, that need to be kept track of.

I know in some organisations its a case of either the head of IT only knows these passwords, the passwords are written down some where, stored on a wiki behind a login, or passwords are stored in a file on a server (perhaps encrypted).

My question is simply what is the most effective way of managing these password and storing passwords in a secure way. I know this topic has previously been discussed in regards to a home user here, but I am specifically interested in the best way to go about it for medium to large businesses. I would also be interested to hear what approach has been used within other peoples organisations even if its not the most effective.

Answer 1

Although I've seen many implementations of solutions to this problem, I believe that the most complete, if not perhaps the most convenient, was a Git repository restricted to super users only containing encrypted text files of passwords by environment. Managing the password rotation on the devices, mixed servers and dedicated devices such as modems, was handled separately.

This solution greatly simplified the distribution of new passwords as a simple update needed to be performed by users to receive the latest revision of the passwords as well as providing a traceable history of previous passwords for record keeping.

As I recall the files were GPG encrypted, but there are numerous solutions and viable approaches to handling the files themselves.

The obvious downside to this approach is that, especially when passwords have changed, you are decrypting one or more files searching for the required password(s). Of course, as with anything, the more frequently you use a password the more likely you are to memorize it and, depending on the device(s) in question, access may be an infrequent event which is not greatly hindered by having to go through a somewhat more lengthy process to gain the appropriate password.

If you are also interested in strategies and/or scripts for generating and/or changing passwords on servers and/or other devices I would be glad to share those that I employ as well.

--

I would be glad to.

I will assume that you are familiar with file encryption, PGP or otherwise. If this is erroneous please feel free to ask and I will be happy to provide some examples.

Setting up a Git repository is relatively straightforward and will display similarities to most any content management solution with which you may be experienced. One note with Git: it is, by design, fully open and, as such, will require additional steps to restrict access to specific files or repositories. This can be accomplished relatively simply by leveraging file system acl's (just one possible solution). That being said, I would certainly recommend that you use a solution with which you are comfortable and familiar, especially if alternate content management solutions are already in use at your organization.

The file(s) will, by definition, represent a password database correlating device identifier(s), such as hostname, to passwords and, potentially, to user names. For example: router-1.internetdomainwebsite.com administrator soopersekretpasswerd. Ideally you will never store the file unencrypted, however, following this strategy does make retrieving passwords relatively inconvenient. For this reason I recommend scripting an accessor to work within your encryption framework, perhaps taking an identifier as a search term and writing only the requested password to a file for one-time use by the requester.

Any device that supports password changes can be scripted. Since most devices support changing passwords from a CLI, I would recommend taking a look at the Expect language and/or its libraries for Perl, Python, or the language of your choice. I personally use a script that accepts the desired username, accepts the current password, accepts and verifies the desired password, then changes and verifies the change on all hosts passed or provided when prompted. Its fairly bare-bones Perl with Expect.

Answer 2

I run a digital agency and we often have to manage a range of passwords and share them between our team of developers/managers etc. so have been doing research on the best way to manage this. (We previously used KeePass synced over Dropbox, but it was becoming unmanageable.)

We've decided on a cloud/hosted solution that can be accessed from our computers as well as mobile devices when we're out of the office.

These are some of the options that made our shortlist:

• LastPass
  Individual entries can be shared with a free account, but it requires a premium ($12/year) account to share a single folder, or enterprise account ($24/year) to share multiple folders.

• 1Password
  $3-8 per user per month, depending on plan

• Passpack
  Free for 1 user, $18/year for 3 users, $48/year for 15 users.
  Unfortunately the user-interface isn't as friendly as it could be, but apparently a redesign is supposed to be happening in 2014.

• Dashlane
  Free basic account, or $40/user/month to sync across devices and share more than 5 items.

  See: Security analysis of Dashlane

• CommonKey
  Free for teams of 3, or $20/month + $2/user/month for company/enterprise features.

• Mitro
  Free, and great UI, but low on features.

• Meldium (now owned by LogMeIn)
  Starting at $29/month for 20 users.

• RoboForm Enterprise
  $37.95 per licence, once-off.

I can't comment on the security of each of them, but most now (thankfully!) perform encryption on the client side, so that even the developers and company admins can't access your passwords.

LastPass seems to meet most of our needs so we're currently trialing that. We originally had Passpack recommended to us, but found the interface pretty clunky and it refused to import our KeePass file containing a couple hundred accounts.

Please comment if you have extra details or any worthy additions to this list and I'll try and update it.

See also: How safe are password managers like LastPass?

Answer 3

As per your comment, that you're talking about systems and devices that insist on shared users / single-user-mode:

First off, try to avoid / minimize this as much as possible.

Second, avoid and minimize this as much as possible.

Third, this should definitely be a consideration when evaluating products/services - if it has such an inherent insecurity, you might not want it after all. It's likely that there are other issues there too...

Fourth, double check with the vendor/provider to see if there is a way to configure it securely.

Fifth, consider building a thin "proxy" type application, that will enforce user authentication, and then use its own single account for the device, with its own internal random password.

Sixth - if aaaalll the above are not relevant / don't work (seriously??) - I have seen places that have an ACLed, encrypted folder - or better, a cryptosafe - with access granted only to the admins, and in it stored file/s with the randomly generated passwords.
Depending on your culture/type of org, it might be better to print out the passwords and store them in in ACTUAL safe, protected by your security officers, and the combination given only to the admins....

Answer 4

Passwords are the problem, not the solution. The general problem is secure authentication and authorization, often viewed as part of "Identity Management".

LDAP or Kerberos/AD can be used to centralize authentication and keep passwords in sync. Using SSH and public/private key authentication is another good option.

The most modern approach is to solve that problem in a more general and convenient way, that also helps folks to move from passwords to secure tokens or other more robust ways to authenticate. A single-sign-on system that allows people to authenticate once and then leverage that authentication for authorization to access other services is a common solution.

Technical approaches for doing that include OAuth, SAML, Shibboleth, and InfoCard.

Answer 5

Root passwords and Administrator accounts of all types should be done in the following manner:

3 key stakeholders assign them randomly with maximum-sized very pseudo-random assortment of characters.

They write them down (without memorizing them) and put them in envelopes and store/secure them safely. They rotate them every year with new passphrases.

Daily use is done via group administrator accounts tied to real names, separating contractors by both account name (e.g. admcjsmith instead of admjsmith) and domain (if possible). Unix/LDAP is done in a similar fashion e.g. via sudo.

Named accounts like root and Administrator should never be used or known. In a similar way, cloud Access key / API key accounts need to be compartmentized and secured.

Answer 6

We use KeePass to store the passwords. Each team lead in IT (Security, Systems, Clinical, Business, Ancillary) is responsible for their teams KeePass database and maintaining the contents. If anyone with access to a given database leaves the department or the organization all passwords in that database must be changed.

I have seen and reviewed applications that proxy the authentication to support auditing and password management. These worked for some of our more common applications, but did not address the industry-specific applications we use.

Answer 7

I've worked with "Secret Server" at http://www.thycotic.com/ . I can provision a single password and share it among as many or as few individuals as I want.

There is an audit trail, and a great search functionality built into the web application. There is also an online "cloud" version of the application that is free for one user.

You can create a new secret for each device you own, and add your own as needed:

All access to this database is secured by local, or Active Directory credentials. If you choose to do so, you can have seamless login (SSO) to access the database for the currently logged in user over Kerberos/NTLM.

Overall, I think this is a good choice for a team, and general repository for corporate security information.

Answer 8

I agree with nealmcb that in a controlled environment with competent administrators a single-sign on solution is probably the best.

For tracking credentials for 3rd party websites or services you could have a look at lastpass.com's enterprise solution which allows you to share logon credentials with users and specific roles.

I have also heard "Clipperz" mentioned in this context before but I have no experience with it.

Answer 9

I really like Password Manager Pro. Its a website that is tied to your ad/ldap that will share out passwords to your organization to whatever grouping you want, people can also store passwords of their own.

It will does some solid policy work, historics, audits, and what not.

It also has change capabilities, I have wired up some nice pam scripts to do some changes right from PMP that would have been pains to do otherwise.

Some of the hard passwords, like your network solution password, a helping hand remote datacenter passwords and stuff like that, it has some canned logic for that can be tuned. Amazing when you get all that work done to see how much you have hanging out there and how much you should have more / multiple sets of users and so forth.

Answer 10

It mainly depending on the company's policy and requirements.

For example if most of the credentials are used by automated tools (for continuous integration purposes), you can use Ansible Vault feature which allow you to keep sensitive data such as passwords or keys in encrypted files. These files can be under version control and people accessing them they can always run ansible-vault view some-encrypted-file.

If you're not planning to use Ansible, you can simply use GPG Tools and commit encrypted files into code repository.

If you're using cloud platforms extensively (such as Amazon Services), certain cloud management platforms (such as Scalr) allows you to organise passwords and private keys online.

If your passwords just needs to be managed by people, you can use passwords managers as mentioned in the other answer, such as Dashlane which supports syncing and sharing passwords securely. If you're after free and open-source solutions, try using tools such as KeePass.

Answer 11

Passpack seems to be a service developed exactly for this purpose. It allows storing password (and other info) online in encrypted form and share rights to passwords within a team. Also supports one-click login by browser bookmark script.

I don't have yet any experience of using it. But after doing small research on the topic today Passpack looks a like the solution we're going to use in our 7-person team.