by Bryon D Beilman
Is your IT password policy putting your business at risk? If someone asked you this question, the first thing you might think about is using good passwords, encryption, enforcement, and perhaps even one-time passwords. Instead, I am referring to the process of recording and storing the passwords to your routers, hosts and anything else that requires a username and password. This includes your vendor and support accounts, admin accounts and any device that is important to you.
If you are relying on an IT admin to keep track of these passwords, or you are the IT person keeping track of them, then you may want to ask yourself a few of these questions.
I have seen many solutions out there, from an encrypted Word file, to a password-encrypted database where each password was unique and had to be unlocked based on who you were, and even a sticky note inside a desk. In my April 9th blog post, I talked about a program called Password Safe, which you can get at http://passwordsafe.sourceforge.net/ , that uses a single master password to unlock the files containing usernames and passwords. This works well for smaller companies and could even be used in a way that scales.
Off-line access could mean keeping the passwords on someone's laptop (or on multiple laptops), or printing them and storing them in a secure location. I have seen people put individually sealed passwords into a secure envelope in an HR folder or other secure location that can be opened during an emergency. Off-line storage of passwords has to be closely coupled with the change management process: make sure that the hard-copy passwords are updated whenever the live passwords change, to avoid confusion. During a disaster or critical event you do not want to find that you really don't have the password.
If you work with someone who possesses critical passwords or data and they were hit by a truck, does someone have a way to get to the passwords in an emergency? Segmenting the passwords is a good idea, but make sure that there is a process to retrieve them if there is a problem. A public/private key system such as PGP could be used, and there are a number of commercial applications that can help you manage your passwords. Your business will have to choose the right technology for it, but the secure storage of passwords is better thought about earlier rather than later.