Password Ninjas

Steve Jones
SSC Guru

Group: Administrators
Points: 276685 Visits: 19893
Comments posted to this topic are about the item Password Ninjas

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
lshanahan
SSCrazy

Group: General Forum Members
Points: 2819 Visits: 438
I've used PasswordSafe, which is excellent, but changed over to KeePass about a year ago. The only thing about KeePass is it doesn't have the auto-lock feature like PasswordSafe does.

When I was working field support for several different state agencies, users would always complain about having "all these different passwords" - until I mentioned I had upwards of 30 or so NOT counting my personal ones for either work or home I had to keep track of.

I did run across an agency that had an interesting scheme for admin passwords. Whenever we had to work on a PC and needed admin credentials to diagnose/fix, we called the service desk and they gave us a temporary one that would work until we closed the ticket. If you couldn't get the work done in one session, they gave you a new one the next time you worked on it. Don't know if that's standard in other businesses, but not a half bad idea.

____________
Just my $0.02 from over here in the cheap seats of the peanut gallery - please adjust for inflation and/or your local currency.
Eric M Russell
SSC Guru

Group: General Forum Members
Points: 53505 Visits: 12402
In addition to protecting login credentials of accounts, another layer of security is at the firewall configuration level with IP blocking. That way, even if someone finds a sticky note with the sysadmin's password, or somehow more people than necessary are added to a domain group with access to the server, they can't gain ad-hoc access to SQL Server unless they log in from a specific machine or under a specific context.


"The universe is complicated and for the most part beyond your control, but your life is only as complicated as you choose it to be."
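As an added example that is not part of Eric's post or the thread, the same idea applied inside SQL Server itself: a server-level logon trigger that denies a named privileged login unless the connection arrives from an allow-listed client address. The login name and the addresses are placeholders to replace; reading sys.dm_exec_connections needs VIEW SERVER STATE, which is why the trigger runs as 'sa'.

```sql
-- Added example (not from the thread): deny a privileged SQL login from
-- any client address that is not on a short allow list. Complements the
-- firewall rule; it does not replace it.
USE master;
GO
CREATE TRIGGER trg_restrict_admin_hosts
ON ALL SERVER WITH EXECUTE AS 'sa'   -- needs VIEW SERVER STATE for the DMV
FOR LOGON
AS
BEGIN
    DECLARE @client_ip NVARCHAR(48);

    -- PLACEHOLDER_ADMIN_LOGIN: the sysadmin-level login being fenced in
    IF ORIGINAL_LOGIN() = N'PLACEHOLDER_ADMIN_LOGIN'
    BEGIN
        SELECT @client_ip = client_net_address
        FROM sys.dm_exec_connections
        WHERE session_id = @@SPID;

        -- Placeholder addresses; '<local machine>' is what shared-memory
        -- connections from the server itself report.
        IF @client_ip NOT IN (N'10.0.0.10', N'10.0.0.11', N'<local machine>')
        BEGIN
            -- A ROLLBACK inside a logon trigger refuses the connection;
            -- the attempt is still recorded in the SQL Server error log.
            ROLLBACK;
        END
    END
END;
GO
```

If the trigger ever misfires and locks administrators out, connect through the Dedicated Administrator Connection (sqlcmd -A), which logon triggers do not govern, and run `DISABLE TRIGGER trg_restrict_admin_hosts ON ALL SERVER;`.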
Sean Lange
SSC Guru

Group: General Forum Members
Points: 124688 Visits: 18395
I use KeePass and like it well enough. I am able to sync the password file between my desktop, laptop and phone. Really makes it handy, and since I have copies in different physical locations it serves pretty decently as a backup solution too. My only real issue is that I switched to Win8 phone a few months ago. There is no version of KeePass available yet for Windows Phone. There is a password vault application that looks very similar to KeePass and will sync to your SkyDrive. This looks pretty cool, but then I can't access it without my phone.

_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Rod
SSChampion

Group: General Forum Members
Points: 13502 Visits: 2312
This topic brings to mind an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This was some years ago, but still, the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option to allow you to write a text message as the screen saver. So what they did was write the text "The password is " followed by what the password was.

I had to laugh.

Kindest Regards, Rod
Connect with me on LinkedIn.
Henry_Lee
Ten Centuries

Group: General Forum Members
Points: 1132 Visits: 1661
I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider; however, after a recommendation from a trusted source I went with LastPass.

Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long / complex, then brute forcing the blob is not a concern.
Michael Meierruth
SSCarpal Tunnel

Group: General Forum Members
Points: 4544 Visits: 2523
Thumbs up for PasswordSafe.
I've been living with it for some 5 years now.
Couldn't live without it!
djackson 22568
SSCarpal Tunnel

Group: General Forum Members
Points: 4314 Visits: 1268
I have used Password Safe for years. It does a good job for me as I have close to 1,000 passwords across a huge number of systems that I need to use. I have transferred almost all of the ones I used to save in Excel years ago, prior to knowing about PS, but still have some need to access a few of those occasionally.

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.

Anyone setting up one of these systems at a customer knows the passwords for every customer of that product!

In my case, probably 90% of the software our organization uses has at least one of these issues.

Dave
Steve Jones
SSC Guru

Group: Administrators
Points: 276685 Visits: 19893
Henry_Lee (7/18/2013)
I use PasswordSafe for work and like it. For home, though, I wanted something that could sync across devices as well as provide an offsite backup. I was very hesitant to use an online provider; however, after a recommendation from a trusted source I went with LastPass.

Their model is such that my data is encrypted on my local machine prior to being sent to their servers. This means a rogue LastPass employee, data breach, NSA subpoena, etc. will only get my encrypted blob, and so long as my master password is sufficiently long / complex, then brute forcing the blob is not a concern.


How is this different than Password Safe? Just wondering if I'm missing something. I sync through Dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Steve Jones
SSC Guru

Group: Administrators
Points: 276685 Visits: 19893
djackson 22568 (7/18/2013)

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.



Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
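As an added example that is not part of the thread, a defender's audit for the default and well-known passwords Dave and Steve describe: PWDCOMPARE, a documented T-SQL function, tests a stored login hash against a candidate string without the plaintext ever being stored anywhere. The candidate list below is constructed for illustration; extend it with the vendor defaults documented for the products in your own environment.

```sql
-- Added example (not from the thread): list SQL logins whose password is
-- blank, equal to the login name, or on a short list of well-known
-- defaults. PWDCOMPARE needs CONTROL SERVER permission to read hashes.
DECLARE @candidates TABLE (pwd NVARCHAR(128) NOT NULL);

-- Constructed list; replace or extend with the vendor defaults you know of
INSERT INTO @candidates (pwd)
VALUES (N'password'), (N'Password1'), (N'sa'), (N'admin'), (N'changeme');

SELECT  l.name,
        l.is_disabled,
        l.is_policy_checked,
        CASE
            WHEN PWDCOMPARE(N'', l.password_hash) = 1 THEN N'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN N'password equals login name'
            ELSE N'matches a known default'
        END AS weakness
FROM    sys.sql_logins AS l
WHERE   PWDCOMPARE(N'', l.password_hash) = 1
   OR   PWDCOMPARE(l.name, l.password_hash) = 1
   OR   EXISTS (SELECT 1
                FROM   @candidates AS c
                WHERE  PWDCOMPARE(c.pwd, l.password_hash) = 1)
ORDER BY l.name;
```

Logins the query returns should be rotated or disabled; where a vendor insists on a fixed credential, the result is the evidence to take back to them.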