Password Ninjas


  • I've used PasswordSafe, which is excellent, but changed over to KeePass about a year ago. The only thing about KeePass is it doesn't have the auto-lock feature like PasswordSafe does.

    When I was working field support for several different state agencies, users would always complain about having "all these different passwords" - until I mentioned I had upwards of 30 or so NOT counting my personal ones for either work or home I had to keep track of.

    I did run across an agency that had an interesting scheme for admin passwords. Whenever we had to work on a PC and needed admin credentials to diagnose/fix, we called the service desk and they gave us a temporary one that would work until we closed the ticket. If you couldn't get the work done in one session, they gave you a new one the next time you worked on it. Don't know if that's standard in other businesses, but not a half bad idea.

    ____________
    Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.

  • In addition to protecting login credentials of accounts, another layer of security is at the firewall configuration level with IP blocking. That way, even if someone finds a sticky note with the sysadmin's password, or somehow more people than necessary are added to a domain group with access to the server, they can't gain ad-hoc access to SQL Server unless they log in from a specific machine or under a specific context.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I use KeePass and like it well enough. I am able to sync the password file between my desktop, laptop and phone. Really makes it handy, and since I have copies in different physical locations it serves pretty decently as a backup solution too. My only real issue is that I switched to a Windows 8 phone a few months ago. There is no version of KeePass available yet for Windows Phone. There is a password vault application that looks very similar to KeePass and will sync to your SkyDrive. This looks pretty cool, but then I can't access it without my phone.

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/

  • This topic brings to mind an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This was some years ago, but the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option that allowed you to write a text message as the screen saver. So what they did was write the text "The password is " followed by what the password was.

    I had to laugh.

    Kindest Regards, Rod
    Connect with me on LinkedIn.

  • I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider, however after a recommendation from a trusted source I went with LastPass.

    Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long / complex then brute forcing the blob is not a concern.

  • Thumbs up for PasswordSafe.

    I'm living with it for some 5 years now.

    Couldn't live without it!

  • I have used Password Safe for years. It does a good job for me as I have close to 1,000 passwords across a huge number of systems that I need to use. I have transferred almost all of the ones I used to save in Excel years ago, prior to knowing about PS, but still have some need to access a few of those occasionally.

    Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.

    Anyone setting up one of these systems at a customer knows the passwords for every customer of that product!

    In my case, probably 90% of the software our organization uses has at least one of these issues.

    Dave

  • Henry_Lee (7/18/2013)

    I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider, however after a recommendation from a trusted source I went with LastPass.

    Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long / complex then brute forcing the blob is not a concern.

    How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.

  • djackson 22568 (7/18/2013)

    Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.

    Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.

  • How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.

    Hey Steve,

    Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

    Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they cannot decrypt your data.

    Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.

  • Steve Jones - SSC Editor (7/19/2013)

    djackson 22568 (7/18/2013)

    Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.

    Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.

    For identifying weak SQL Server accounts, I use the following.

    -- There are several frequently used password lists posted on the web.
    -- Here are a few, but perhaps 100 or more could be inserted here.
    declare @PW table (pwtext varchar(180) not null primary key);
    insert into @PW (pwtext)
    values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');

    -- pwdcompare() returns 1 when the clear-text value matches the stored hash,
    -- so this joins every SQL login against every candidate password.
    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins l
    join @PW pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

    -- Query accounts with empty password:
    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins
    where pwdcompare('', password_hash) = 1;

    -- Query accounts where password = account name:
    select name, type_desc, create_date, modify_date, password_hash
    from sys.sql_logins
    where pwdcompare(name, password_hash) = 1;

    As for 3rd party service accounts, we oftentimes have to live with the fact that it has to exist, but we can still control what role membership and permissions it has. They may recommend sysadmin, but you can grant them dbo membership on the application database, SQL Agent job rights, and perhaps VIEW SERVER STATE as needed.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
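    One way to put that least-privilege advice into practice, as an added example that is not from this thread (login name, database name and password are placeholders; assumes SQL Server 2012 or later for ALTER ROLE ... ADD MEMBER):

```sql
-- Added example: provision a vendor service account without sysadmin.
-- [VendorAppSvc], [VendorAppDb] and the password are placeholders.
use master;
go
-- Create the SQL login. check_expiration is off so a service account
-- does not silently break the application when the policy expires it.
create login [VendorAppSvc]
    with password = N'<strong placeholder password>',
         check_policy = on,
         check_expiration = off;
go
-- Server level: only the single permission the vendor actually needs.
grant view server state to [VendorAppSvc];
go
-- Database level: dbo on the application database only, nowhere else.
use [VendorAppDb];
go
create user [VendorAppSvc] for login [VendorAppSvc];
alter role db_owner add member [VendorAppSvc];
go
-- SQL Agent: the account may create and run its own jobs,
-- but cannot touch jobs owned by other logins.
use msdb;
go
create user [VendorAppSvc] for login [VendorAppSvc];
alter role SQLAgentUserRole add member [VendorAppSvc];
go
-- Verification: any row from the first query means the vendor login
-- ended up in sysadmin after all; the second lists its server grants
-- so they can be compared with what was intended above.
use master;
go
select l.name as sysadmin_member
from sys.server_role_members rm
join sys.server_principals r on r.principal_id = rm.role_principal_id
join sys.server_principals l on l.principal_id = rm.member_principal_id
where r.name = N'sysadmin' and l.name = N'VendorAppSvc';

select p.state_desc, p.permission_name
from sys.server_permissions p
join sys.server_principals l on l.principal_id = p.grantee_principal_id
where l.name = N'VendorAppSvc';
go
```

    Run the two verification queries again after the vendor's installer finishes, since installers sometimes re-grant sysadmin on their own.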

  • Henry_Lee (7/19/2013)

    How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.

    Hey Steve,

    Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

    Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they cannot decrypt your data.

    Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.

    That makes sense. For a minute you had me worried. 🙂

  • I've used PasswordSafe previously and I'm currently using the portable version of KeePass Password Safe.

    However for my work network login I have my password list printed out in 18 pt and stuck up alongside my monitor.

    I have been harassed by security for this and point out that they can try to hack my password. I'll even tell them which one I'm using.

    The password list contains makes and models of the cars I've owned; the password is the registration number, possibly with a shifted number suffix to give enough characters.

    And if anyone knows the registration number of the Vauxhall Victor I owned in 1972 then they can have my account.

  • Rod at work (7/18/2013)

    This topic brings to mind an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This was some years ago, but the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option that allowed you to write a text message as the screen saver. So what they did was write the text "The password is " followed by what the password was.

    I had to laugh.

    If I used text speak, I'd write LOL, but I don't so I won't. Still, it did raise a chuckle.
