SQLServerCentral is supported by Red Gate Software Ltd.
Same or Different?

By Steve Jones

The past few weeks I've seen a lot of posts on security and encryption, which has me questioning some of the practices that I've implemented at many of my previous jobs. Security is a tough thing to do well, and it requires regular vigilance. I also think it requires the ability to question what you've done on a regular basis and ensure you are not sticking with a flawed method of protection.

In most of my past jobs, I've implemented security like this:

  • Separate service accounts for all services, complex passwords not written down
  • Common administrator password for all machines (or for large groups of machines)
  • Common sa password for all instances
  • Change administrator and sa passwords regularly (30-60 days)

My logic has always been that service account passwords can be changed if we ever need to, but we want them secure: a long, random string of numbers, letters and special characters that nobody needs to remember or write down. These might exist for years, so make them essentially uncrackable.

For administrator passwords, we have to deal with these as humans, often daily as we log in and out of machines, so we need something we can actually work with. To me that's been a few passwords that we can remember (avoiding the sticky note problem), changed often enough that they can't easily be cracked.

I'm not sure that's the best method, or even a good one, but it appeared to work well for me. But for a Friday poll, I wanted to get some other opinions:


Do you use the same password for many instances or separate ones?

I'm wondering if you think that having separate passwords is a better way of implementing security without creating a huge management issue for your staff. At one company we used Password Safe to store a series of passwords for our machines, and gave all admins access to the safe's database on a share. However, we still had large groups of servers with common passwords, because changing them every 30 days was a huge chore. Separate passwords for every machine would likely have meant a quarter of an FTE or more just to handle changing passwords!

These days, with encryption becoming a bigger part of our environments, I think you'd have to add encryption keys to your list of security items as well. I'd expect you would have separate keys for encrypting data, but what about the passwords that secure those keys? Keep them the same and re-encrypt regularly?

Let us know this Friday how you handle your password security.

Steve Jones

The Voice of the DBA Podcasts

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. Comments are definitely appreciated and wanted, and you can get feeds from there.

You can also follow Steve Jones on Twitter.

The overall RSS feed is now also available on iTunes.

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.
