Friday, March 19, 2010

Your List of Passwords

Everyone has a list of passwords somewhere. The question is, how and where do you store it?

I'm asking myself this question because a client recently had a break-in in which a server storing backups was stolen. The server happened to contain a file with a list of passwords. Lots of passwords. This particular organization was storing not just a few admin passwords for devices and such, but also the passwords for all users.

First, I'd argue that there is no need to store user passwords. If I need to log on as a user, I can reset the password and then inform the user. Unfortunately in this scenario, we needed to disable remote access, force password resets, and then enable remote access again only after the passwords were changed. A hassle for everyone.

Now, for the ones you do need to document, what do you do? Storing them on a server protected by file permissions is apparently not enough, because if anyone steals the server, getting around file permissions is trivial.

At this point, I'm thinking that encryption is the obvious solution. AxCrypt is a nice free solution for encrypting files as an EXE. It would be a bit of a pain, but it's certainly a step up from just putting a password on a Word doc.
