[TriLUG] Password Security

Kevin Flanagan flanagannc at gmail.com
Mon Jul 23 21:14:15 EDT 2007


With a decent system you can have a shared password that is only partially
written down; here's how we managed passwords for over a hundred systems
across 6 admins.

All passphrases were a two part deal.

Part 1
    A "magic word" for the site or group of systems; must be 8 characters,
    not one word. This part can be kept in a list in your wallet: system/group
    and magic word.
    e.g. BigCustomerOne


Part 2
    A date, surrounded by dollar signs. e.g. $17-Nov-1957$
    This is communicated around, usually by email, every month when it's
    changed.


Resulting password:  BigCustomerOne$17-Nov-1957$

The two parts of the passphrase are never in the same place.

This scheme worked pretty well: that way you could carry around a list of
two things, with no context, have the other half of the message in your
head, and assemble the full one on demand.



It worked for us....



Kevin


On 7/23/07, Ron Joffe <rjoffe at yahoo.com> wrote:
>
> In addition to Linux logins we have a large number of other types of
> usernames/passwords to keep track of. This includes everything from oracle
> logons, vnc passwords, vpn tunnel authentication, Application passwords,
> Windows domain logons, etc etc etc. We work in quite a complex multi
> application environment, and we have 10 completely separate clients to
> worry about.
>
> The solution we are looking for can not be handled purely by sudo, PAM,
> etc. Although I appreciate the pointers, we are looking for a far wider
> solution for password management.
>
> Thanks,
>
> Ron
>
>
>
> On Monday 23 July 2007 18:53, Andrew C. Oliver wrote:
> > Linux authentication can take place with a series of stackable modules
> > via PAM (http://www.kernel.org/pub/linux/libs/pam/modules.html).  There
> > are all manner of modules that could authenticate against some internet
> > accessible server (be careful to encrypt the stream, avoid DNS, etc).
> > You could ask that customers maintain some pam module that uses your
> > directory server (LDAP or otherwise) and your admins could just login
> > using their normal username.  They could also be listed in Sudo
> > http://en.wikipedia.org/wiki/Sudo so they could always become root.  In
> > fact on Ubuntu, an ever popular linux distribution, you generally create
> >   a user account and it has sudo access.  You generally don't actually
> > ever type the root password.
> >
> > -Andy
> >
> > Ron Joffe wrote:
> > > On Monday 23 July 2007 14:28, Andrew C. Oliver wrote:
> > >>> Now what do you do when you have to keep a list of passwords sync'd
> > >>> between a set of support technicians ?
> > >>
> > >> This is a REALLY bad idea procedurally to share a set of passwords
> > >> between users if that is what you mean.
> > >
> > > I have 4 people responsible for after hours support on a growing
> > > number of client systems. Could you please post your suggestions as to
> > > how they all should gain privs on those servers? I have my own ideas,
> > > but rather than taint your answer, I would like to get a fresh
> > > perspective.
> > >
> > > Thanks,
> > >
> > > Ron
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>



-- 
+---------------------------------------------------+
Doing my part to piss off the religious right.
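As an added illustration (my own code, not from Kevin's post or anything the list published), here is a small Python checker for the two-part scheme described above. It assembles and splits a passphrase of the form magic word plus $DD-Mon-YYYY$, checks the rules the post states (reading "must be 8 characters" as a minimum of 8, and using a constructed stand-in wordlist for the "not one word" rule; both are my assumptions), and estimates how little guessing work the date half adds once the format is known, which is why the strength of the scheme rests entirely on the half kept in the wallet.

```python
import math
import re
from datetime import date

# Policy values read from the post; the minimum-length reading is an assumption.
MAGIC_MIN_LEN = 8
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
PASSPHRASE_RE = re.compile(
    r"^(?P<magic>.+)\$(?P<day>\d{1,2})-(?P<mon>[A-Z][a-z]{2})-(?P<year>\d{4})\$$"
)

# Constructed stand-in for a dictionary check; a real deployment would load a wordlist.
SAMPLE_WORDLIST = frozenset({"password", "customer", "bigcustomer", "welcome"})


def assemble(magic, when):
    """Build the full passphrase from the wallet half and the emailed date half."""
    return "%s$%02d-%s-%04d$" % (magic, when.day, MONTHS[when.month - 1], when.year)


def split_passphrase(passphrase):
    """Return (magic_word, date) for a well-formed passphrase, else None."""
    m = PASSPHRASE_RE.match(passphrase)
    if m is None or m.group("mon") not in MONTHS:
        return None
    try:
        when = date(int(m.group("year")),
                    MONTHS.index(m.group("mon")) + 1,
                    int(m.group("day")))
    except ValueError:  # calendar-invalid dates such as 31-Feb
        return None
    return m.group("magic"), when


def policy_problems(passphrase, wordlist=SAMPLE_WORDLIST):
    """List the ways a passphrase violates the scheme's rules (empty list = OK)."""
    parts = split_passphrase(passphrase)
    if parts is None:
        return ["not of the form <magic word>$DD-Mon-YYYY$"]
    magic, _ = parts
    problems = []
    if len(magic) < MAGIC_MIN_LEN:
        problems.append("magic word shorter than %d characters" % MAGIC_MIN_LEN)
    if magic.lower() in wordlist:
        problems.append("magic word is a single dictionary word")
    return problems


def date_part_bits(window_years=100):
    """Bits of guessing work the date half adds when the attacker knows the
    $DD-Mon-YYYY$ format and tries every day in a window of window_years years
    (the 100-year default is an assumption, not a figure from the post)."""
    days = (date(2000 + window_years, 1, 1) - date(2000, 1, 1)).days
    return math.log2(days)


if __name__ == "__main__":
    pw = assemble("BigCustomerOne", date(1957, 11, 17))
    print(pw, split_passphrase(pw), policy_problems(pw))
    print("date half contributes about %.1f bits" % date_part_bits())
```

The date half comes out at roughly 15 bits over a century of possible dates, so if it leaks (it travels by email every month), the password is only as strong as the magic word; the checker is there to make sure that half is the one carrying the weight.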