Password Ninjas
Posted Wednesday, July 17, 2013 10:06 PM


SSC-Dedicated

Comments posted to this topic are about the item Password Ninjas






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1474876
Posted Thursday, July 18, 2013 5:26 AM
SSC-Enthusiastic

I've used PasswordSafe, which is excellent, but changed over to KeePass about a year ago. The only thing about KeePass is it doesn't have the auto-lock feature like PasswordSafe does.

When I was working field support for several different state agencies, users would always complain about having "all these different passwords" - until I mentioned I had upwards of 30 or so, NOT counting my personal ones, for either work or home that I had to keep track of.

I did run across an agency that had an interesting scheme for admin passwords. Whenever we had to work on a PC and needed admin credentials to diagnose/fix, we called the service desk and they gave us a temporary one that would work until we closed the ticket. If you couldn't get the work done in one session, they gave you a new one the next time you worked on it. Don't know if that's standard in other businesses, but not a half bad idea.


____________
Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.
Post #1474981
Posted Thursday, July 18, 2013 8:06 AM


UDP Broadcaster

In addition to protecting login credentials of accounts, another layer of security is at the firewall configuration level with IP blocking. That way, even if someone finds a sticky note with the sysadmin's password, or somehow more people than necessary are added to a domain group with access to the server, they can't gain ad-hoc access to SQL Server unless they log in from a specific machine or under a specific context.


"Winter Is Coming" - April 6, 2014
Post #1475052
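The source restriction described in the post above can also be enforced inside SQL Server itself, as a second check behind the firewall rule. What follows is an added example written for this page, not code from the post or from any product: a logon trigger that refuses a listed privileged login unless the connection arrives from an approved client address. The table name, the login name and the addresses are placeholders.

```sql
-- Added example, not from the thread. Table, login and addresses are placeholders.
USE master;
GO

-- Allow-list of (login, client address) pairs. CONNECTIONPROPERTY reports a
-- local shared-memory connection as '<local machine>' rather than an IP.
CREATE TABLE dbo.AdminLoginSources
(
    login_name  sysname     NOT NULL,
    client_addr varchar(48) NOT NULL,
    CONSTRAINT PK_AdminLoginSources PRIMARY KEY (login_name, client_addr)
);

INSERT INTO dbo.AdminLoginSources (login_name, client_addr) VALUES
    (N'sa', '<local machine>'),   -- console on the box itself
    (N'sa', '10.20.30.40');       -- the single jump host allowed to use sa
GO

-- Runs as sa so it can read the table no matter who is connecting.
-- A dedicated login with only SELECT on the table works just as well.
CREATE TRIGGER trg_AdminLoginSource
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    DECLARE @login sysname     = ORIGINAL_LOGIN();
    DECLARE @addr  varchar(48) = CONVERT(varchar(48),
                                   CONNECTIONPROPERTY('client_net_address'));

    -- Only logins present in the table are gated; everyone else is untouched.
    IF EXISTS (SELECT 1 FROM dbo.AdminLoginSources WHERE login_name = @login)
       AND NOT EXISTS (SELECT 1 FROM dbo.AdminLoginSources
                       WHERE login_name = @login AND client_addr = @addr)
    BEGIN
        -- ROLLBACK inside a logon trigger denies the session; the refusal
        -- is written to the SQL Server error log together with the login name.
        ROLLBACK;
    END
END;
GO
```

Two cautions before putting something like this on a real instance: keep a second sysadmin session open while you test it, and remember that the Dedicated Administrator Connection bypasses logon triggers, so it is the way back in if the trigger ever refuses everybody. The address SQL Server sees is whatever arrives after any NAT or proxy, so the firewall rule on the SQL port stays the primary control; the trigger is defence in depth for the case the post describes, where the password itself has leaked.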
Posted Thursday, July 18, 2013 8:26 AM


SSChampion

I use KeePass and like it well enough. I am able to sync the password file between my desktop, laptop and phone. Really makes it handy, and since I have copies in different physical locations it serves pretty decently as a backup solution too. My only real issue is that I switched to a Win8 phone a few months ago. There is no version of KeePass available yet for Windows Phone. There is a password vault application that looks very similar to KeePass and will sync to your SkyDrive. This looks pretty cool, but then I can't access it without my phone.

Post #1475057
Posted Thursday, July 18, 2013 9:16 AM
Right there with Babe

This topic brings to mind an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This was some years ago, but the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option that let you display a text message as the screen saver. So what they did was write the text "The password is " followed by what the password was.

I had to laugh.



Kindest Regards,

Rod
Post #1475084
Posted Thursday, July 18, 2013 10:11 AM
Old Hand

I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider; however, after a recommendation from a trusted source I went with LastPass.

Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long/complex, brute-forcing the blob is not a concern.
Post #1475124
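To make concrete what "they only get my encrypted blob" buys you, and why the master password is the whole game, here is an added example for this page (not LastPass's code and not from the post) that uses SQL Server's ENCRYPTBYPASSPHRASE as a stand-in for a vault's client-side encryption. The vault contents, the two master passphrases and the wordlist are all made up.

```sql
-- Added example, not from the thread. Vault text, passphrases and wordlist are invented.
DECLARE @vault nvarchar(200) = N'bank: u=alice p=correct-horse-battery-staple';

-- The same vault sealed with a weak master passphrase and with a long one.
-- Whoever holds the ciphertext cannot tell the two cases apart.
DECLARE @blob_weak   varbinary(8000) = ENCRYPTBYPASSPHRASE(N'password1', @vault);
DECLARE @blob_strong varbinary(8000) = ENCRYPTBYPASSPHRASE(N'7 glaciers hum purple tax ledger 91', @vault);

-- This is all "the server" ever holds: ciphertext, no key.
SELECT DATALENGTH(@blob_weak)   AS weak_blob_bytes,
       DATALENGTH(@blob_strong) AS strong_blob_bytes;

-- A wrong passphrase yields NULL rather than an error: the guesser learns
-- nothing except "not that one".
SELECT CONVERT(nvarchar(200), DECRYPTBYPASSPHRASE(N'letmein', @blob_weak)) AS wrong_guess;

-- Now play the attacker who has stolen both blobs and owns a small wordlist.
DECLARE @wordlist TABLE (guess nvarchar(100));
INSERT INTO @wordlist (guess) VALUES
    (N'123456'), (N'password'), (N'password1'), (N'qwerty'), (N'letmein');

SELECT w.guess,
       CASE WHEN DECRYPTBYPASSPHRASE(w.guess, @blob_weak)   IS NOT NULL
            THEN 'opened' ELSE '-' END AS weak_blob,
       CASE WHEN DECRYPTBYPASSPHRASE(w.guess, @blob_strong) IS NOT NULL
            THEN 'opened' ELSE '-' END AS strong_blob
FROM @wordlist AS w;
```

The only cell that comes back as "opened" is the weak blob on the 'password1' row; the strong blob stays shut for every guess, because nothing on the server side helps the attacker and the wordlist never reaches the passphrase. One honest caveat: ENCRYPTBYPASSPHRASE exposes no tunable work factor, so this shows the structure of the scheme but not its cost. A real vault stretches the master password through a slow KDF such as PBKDF2 with a high iteration count, and that iteration count is what turns "sufficiently long/complex" into an actual number of years for someone who has the blob and can try guesses offline at full speed.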
Posted Thursday, July 18, 2013 10:12 AM
Mr or Mrs. 500

Thumbs up for PasswordSafe.
I'm living with it for some 5 years now.
Couldn't live without it!
Post #1475125
Posted Thursday, July 18, 2013 10:18 AM
SSC-Addicted

I have used Password Safe for years. It does a good job for me as I have close to 1,000 passwords across a huge number of systems that I need to use. I have transferred almost all of the ones I used to save in Excel years ago, prior to knowing about PS, but still have some need to access a few of those occasionally.

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.

Anyone setting up one of these systems at a customer knows the passwords for every customer of that product!

In my case, probably 90% of the software our organization uses has at least one of these issues.


Dave
Post #1475130
Posted Friday, July 19, 2013 11:14 AM


SSC-Dedicated

Henry_Lee (7/18/2013)
I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider; however, after a recommendation from a trusted source I went with LastPass.

Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long/complex, brute-forcing the blob is not a concern.


How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.







Post #1475608
Posted Friday, July 19, 2013 11:16 AM


SSC-Dedicated

djackson 22568 (7/18/2013)

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.



Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.







Post #1475609
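Dave's point about vendor-mandated passwords and Steve's habit of trying the well-known defaults lead to the same audit question: which SQL logins on this instance still answer to a blank password, to their own name, or to a default you can look up in a vendor manual? The following is an added example, not code from either post: it runs PWDCOMPARE against sys.sql_logins with a short candidate list that is made up for illustration and should be replaced by the defaults your own vendors document.

```sql
-- Added example, not from the thread. The candidate list is illustrative only.
-- Requires CONTROL SERVER: without it password_hash reads as NULL and nothing matches.
DECLARE @candidates TABLE (candidate nvarchar(128));
INSERT INTO @candidates (candidate) VALUES
    (N''),            -- blank password
    (N'password'),
    (N'Password1'),
    (N'sa'),
    (N'admin');       -- add each vendor's documented default here

SELECT l.name                               AS login_name,
       l.is_disabled,
       IS_SRVROLEMEMBER('sysadmin', l.name) AS is_sysadmin,
       CASE
           WHEN PWDCOMPARE(N'',    l.password_hash) = 1 THEN 'blank password'
           WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password equals login name'
           ELSE 'matches candidate: ' + c.candidate
       END                                  AS finding
FROM sys.sql_logins AS l
LEFT JOIN @candidates AS c
       ON PWDCOMPARE(c.candidate, l.password_hash) = 1   -- 1 when the hash matches
WHERE PWDCOMPARE(N'',    l.password_hash) = 1
   OR PWDCOMPARE(l.name, l.password_hash) = 1
   OR c.candidate IS NOT NULL
ORDER BY is_sysadmin DESC, l.name;
```

A login that shows up here with is_sysadmin = 1 and is_disabled = 0 is the sticky-note case from earlier in the thread, only worse, because the same value works at every other customer of that product. PWDCOMPARE is meant for short, targeted lists like this, not for cracking; keep the list to the defaults you actually know about and schedule the query as a recurring audit, since vendor installers have a habit of putting those logins back. For the Oracle side Steve mentions, the DBA_USERS_WITH_DEFPWD view (11g and later) answers the same question for SYSTEM/MANAGER-style defaults without any guessing at all.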