The Backup Passwords
Posted Thursday, May 26, 2011 9:14 PM


Comments posted to this topic are about the item The Backup Passwords






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1115991
Posted Friday, May 27, 2011 12:06 AM
We have implemented something we call a poker key server. To retrieve a database encryption key you have to enter a long (20-character) password, of which ten characters are placed in sealed envelopes in two persons' locked file cabinets. If you enter the password incorrectly, the server "calls" and you are required to prove your identity with an iButton (from Maxim/Dallas Semiconductor) containing a unique serial number, which is then hashed by the server using SHA-384. If the iButton hashes correctly it gives you the option of entering the 20-character password again.

It sounds like a lot of work, but two-person control combined with a skeptical key server ensures our intellectual property remains safe.
Post #1116017
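The flow described in the post above, written out as an added example (not code from the poster's key server): the server keeps only SHA-384 digests of the full 20-character password and of the iButton serial, releases the database key only on an exact match, and after one wrong attempt refuses further attempts until a valid iButton has been presented. The password halves, the serial and the database key below are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from the original post.
# The 20-character password is split into two 10-character halves, each
# sealed in an envelope held by a different custodian (two-person control).
HALF_A = "Tq7!vM2#pL"
HALF_B = "9rX@eK4$wZ"
# Constructed 64-bit iButton serial (a real one is burned into the device).
IBUTTON_SERIAL = bytes.fromhex("01a2b3c4d5e6f789")
# Constructed 32-byte database encryption key the server guards.
DB_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def sha384(data: bytes) -> bytes:
    return hashlib.sha384(data).digest()


class PokerKeyServer:
    """Release DB_KEY only for the full 20-character password.

    Only digests are stored. After a wrong password the server 'calls':
    no further password attempt is accepted until a valid iButton serial
    has been presented, which clears the challenge.
    """

    def __init__(self, password: str, ibutton_serial: bytes, db_key: bytes):
        self._password_digest = sha384(password.encode())
        self._ibutton_digest = sha384(ibutton_serial)
        self._db_key = db_key
        self.challenged = False

    def submit_password(self, attempt: str):
        """Return (status, key). Key is None unless status == 'released'."""
        if self.challenged:
            return "challenge_pending", None
        # compare_digest runs in constant time, so timing does not reveal
        # how many leading characters of an attempt were right.
        if len(attempt) == 20 and hmac.compare_digest(
            sha384(attempt.encode()), self._password_digest
        ):
            return "released", self._db_key
        self.challenged = True          # the server "calls"
        return "called", None

    def present_ibutton(self, serial: bytes) -> bool:
        """Hash the presented serial and compare with the enrolled digest."""
        if hmac.compare_digest(sha384(serial), self._ibutton_digest):
            self.challenged = False
            return True
        return False


def demo() -> list:
    """Walk through one failed attempt, the challenge, and the recovery."""
    server = PokerKeyServer(HALF_A + HALF_B, IBUTTON_SERIAL, DB_KEY)
    events = []
    # Custodian A's half plus a guessed second half: the server calls.
    status, _ = server.submit_password(HALF_A + "0000000000")
    events.append(status)
    # Retrying without proving identity is refused outright.
    status, _ = server.submit_password(HALF_A + HALF_B)
    events.append(status)
    # A wrong token does not clear the challenge; the right one does.
    events.append(server.present_ibutton(b"\x00" * 8))
    events.append(server.present_ibutton(IBUTTON_SERIAL))
    status, key = server.submit_password(HALF_A + HALF_B)
    events.append(status)
    events.append(key == DB_KEY)
    return events


if __name__ == "__main__":
    print(demo())
```

Storing the SHA-384 digest protects the enrolled serial at rest on the server, but the serial itself is the credential: whoever can read it from the token (or sniff it on the 1-Wire bus) can answer the challenge, so the physical control of the iButton is what the scheme actually rests on.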
Posted Friday, May 27, 2011 12:29 AM
First thought I have is a kind of function that returns a key based on some well-known variables like: the date when the backup ran, the user in charge of the backup and the machine where the database is placed, and finally a variable value that few people know (you and another one). If the name of the backup includes all the variable values (i.e. BCK_DDMMYYYY_NAME_XXXXBOX) except obviously the "secret" variable value, you can retrieve the password for the backup whenever you want and independently of who generated the backup and when it was generated.

The function to generate the variable should be protected accordingly.
Post #1116028
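One way to build the function the post above describes, as an added example rather than the poster's own code: the date, user and machine are parsed out of a BCK_DDMMYYYY_NAME_XXXXBOX file name and fed, together with the secret value, into HMAC-SHA256, so the backup password can be regenerated from the file name alone by anyone who holds the secret. The secret, the backup names and the delimiter are constructed for the example.

```python
import base64
import datetime
import hashlib
import hmac
import re

# Constructed secret for the example. This is the one value only two people
# know; it must live outside scripts, job definitions and source control.
SECRET = b"constructed-secret-known-to-two-people"

# BCK_DDMMYYYY_NAME_XXXXBOX: run date, user in charge, machine hosting the DB.
NAME_RE = re.compile(r"^BCK_(\d{2})(\d{2})(\d{4})_([A-Za-z0-9]+)_([A-Za-z0-9]+)$")


def parse_backup_name(name: str) -> dict:
    """Split a backup file name into its date/user/machine fields."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a BCK_DDMMYYYY_NAME_MACHINE name: {name!r}")
    day, month, year, user, machine = m.groups()
    # Reject impossible dates (31/02, month 13) instead of deriving a
    # password for a name that no real backup job would have produced.
    run_date = datetime.date(int(year), int(month), int(day))
    return {"date": run_date.isoformat(), "user": user, "machine": machine}


def is_valid_backup_name(name: str) -> bool:
    try:
        parse_backup_name(name)
        return True
    except ValueError:
        return False


def derive_backup_password(name: str, secret: bytes, length: int = 32) -> str:
    """HMAC the public fields under the secret; same name + secret => same password."""
    fields = parse_backup_name(name)
    # Fixed field order with an explicit separator (assumed here: ASCII 0x1F)
    # so that user "AB" + machine "C" cannot collide with "A" + "BC".
    message = "\x1f".join(
        [fields["date"], fields["user"], fields["machine"]]
    ).encode()
    tag = hmac.new(secret, message, hashlib.sha256).digest()
    # URL-safe base64 keeps the password printable for BACKUP ... WITH PASSWORD
    # style use; 32 characters of a 256-bit tag is plenty of entropy.
    return base64.urlsafe_b64encode(tag).decode().rstrip("=")[:length]


if __name__ == "__main__":
    name = "BCK_27052011_JSMITH_SQL01BOX"   # constructed sample name
    print(parse_backup_name(name))
    print(derive_backup_password(name, SECRET))
```

The property the poster relies on, that anyone with the secret can reproduce any backup's password from its name, is also the scheme's weakness: leaking the single secret exposes every past and future backup at once, which is why the post stresses protecting the function, and why rotating the secret means recording which secret applied to which date range.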
Posted Friday, May 27, 2011 2:53 AM


I have a folder in my inbox marked 'passwords'; in that I have folders named in the format yyyymmdd. Every time the passwords change I create a new folder and save an email.

Is this a good idea? No. Is it the best option currently available to me? Yes. It's either that or I keep a Rolodex of passwords in my filing cabinet (probably a better idea).



Ben

^ Thats me!


----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
Post #1116066
Posted Friday, May 27, 2011 3:22 AM
Seems like a bit too much trouble for something as simple as keeping track of passwords for backups across time in a secure manner. There are a few simple alternatives here. Firstly, one could use one of the many simple programs available (many of which are free) for storing passwords with comments in a secure manner. The comments can be used to indicate the date stamp. Alternatively, get someone in your company to create a simple app that saves your passwords and dates and an additional comment in an encrypted format. This will have two advantages over existing software. The first is that it will be unique to your company and thus will not have a hack. The second is that one can tailor the app to your individual company's needs. To a person familiar with C++ or VB this should take no longer than an hour to develop and deploy.
Post #1116076
Posted Friday, May 27, 2011 3:26 AM


Well, being an analyst programmer, I ought really to go and do that myself. I might get round to it somewhen.

Ben

^ Thats me!


----------------------------------------
01010111011010000110000101110100 01100001 0110001101101111011011010111000001101100011001010111010001100101 01110100011010010110110101100101 011101110110000101110011011101000110010101110010
----------------------------------------
Post #1116077
Posted Friday, May 27, 2011 5:53 AM
KeePass (http://keepass.info) will archive old passwords for you. It also handles expiration, so you can look at your archived passwords and know which dates each was active. Plus it has the nice benefit of having a URL/name that can be slightly rearranged for puerile entertainment. :)
Post #1116160
Posted Friday, May 27, 2011 6:34 AM


Managing backups has never been my role, so I'm not too familiar with the technicals of how the various 3rd party solutions manage the keys. My question is: Does the database administrator really need to know the password for the backups in order to maintain the day to day backup process?
My thinking is that the passwords could be held by an executive manager. Even on those occasions where a restore from backup is required, the manager could supply the password remotely without revealing it to the database administrator. This may result in a slight delay of recovery time, but if one person holds the backups and another person holds the key, then one of them acting alone could not compromise the data, even if the password remains static over a long period of time.
Post #1116182
Posted Friday, May 27, 2011 7:07 AM


We have recently started using KeePass as well and consider it very useful.
Post #1116210
Posted Friday, May 27, 2011 8:15 AM
I've not been responsible for backups for a long time, but here's how I think it should work.

Each backup set gets assigned a strong generated password that applies only to that set.

The Backup Set ID/Password pair is stored in:
a) A key server that the backup/restore software has access to based on user level permissions. Or...
b) A notebook in someone's office. Or...
c) Both (I actually prefer this as I don't trust the key server to not crash and burn.)

Backup tapes are moved offsite on a reasonable schedule (weekly?).

--
JimFive
Post #1116275