
Hello-

Could anyone share a best practice with regard to the storage and safe keeping of the collection of all system passwords? Is using a keepass type application the best approach? What about redundancy in the event you can't get to the stored list or it is corrupt?

Any advice and/or opinions would be very helpful.

Thanks

Stacy

Comments

We use Keepass….

If you are talking about a personal store of passwords, an application like that (there are others as well that are good, both for Windows and Mac) can work well, but as you point out, you need to keep a backup of that encrypted DB on a different system somewhere and ensure it is being regularly backed up or synced.

If you want to talk about this issue at a larger level, products like Cyber-Ark and their competitors offer some very helpful solutions, but obviously at a cost.

Quinn R Shamblin
------------------------------------------------------------------------------------------------
Executive Director of Information Security, Boston University
CISM, CISSP, GCFA, PMP  –  O 617-358-6310  M 617-999-7523

We use Keepass with the database file stored on a departmental file share. The share is backed up nightly, so in the event there is corruption we could go back to a previous version. A few of us also periodically copy the database locally in the event that the file share is inaccessible or we are mobile.


I use Keepass also and store the database in my Dropbox to solve the access from anywhere problem and for added security .... Dropbox upgrades security with two-factor authentication

My 2 cents

Joel

--On Monday, August 27, 2012 8:47 AM -0600 "SCHALIP, MICHAEL" wrote:
> We use Keepass....

We do the exact same thing with KeePass.

Tim Cappalli, ACMP CCNA | (802) 626-6456
Office of Information Technology (OIT) | Lyndon
» cappalli@lyndonstate.edu | oit.lyndonstate.edu

 

We use Thycotic's Secret Server (http://www.thycotic.com/products_secretserver_overview.html), which is server-based (Win2k8 + ASP.NET + SQL Server). It supports multi-user access, two-factor authentication, audit logging, and all that good enterprise-level stuff. We've been using it for a little over a year now and have been quite happy with it.

--
DAVID A. CURRY, CISSP • DIRECTOR OF INFORMATION SECURITY
THE NEW SCHOOL • 55 W. 13TH STREET • NEW YORK, NY 10011
+1 212 229-5300 x4728 • david.curry@newschool.edu


We use Keepass as well... Backed up nightly...

-----
Shawn A. Kohrman, Security Architect
Azusa Pacific University
Information & Media Technology
901 E. Alosta Ave., PO Box 7000
Azusa, CA 91702-7000
P: 626.815.2054 | F: 626.815.2061 | http://www.apu.edu/
-----


We use Password Manager Pro from ManageEngine. We have it in an active/passive configuration that allows high availability (active service at one data center and the passive/standby at the other data center). It allows for both departmental and personal accounts and a variety of access options based on role and group memberships. An access log is maintained to allow auditing (including justification and approval (optional) for access) and regulatory compliance, and it works with both local and central authentication (Active Directory/LDAP) support.

For us, the tough part is getting people to discipline themselves to populate and maintain system passwords.

http://www.manageengine.com/products/passwordmanagerpro/

Clifford A. Collins
Information Security Officer
Franklin University
201 South Grant Avenue
Columbus, Ohio 43215
"Security is a process, not a product"

We do very similar with a program called Secret Server. I love the auditing features and the one-click change of all system passwords an employee had access to. Very helpful during staff turnover.

http://www.thycotic.com/products_secretserver_overview.html


We use this as well.

Daniel Bennett
IT Security Analyst
Adjunct Faculty
Vice-Chair North Central PA Members Alliance

Pennsylvania College of Technology
One College Ave
Williamsport, PA 17701

P: 570.329.4989
E: dbennett@pct.edu

ITS and Penn College will never solicit you for your username or password in an e-mail.


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of David Curry
Sent: Monday, August 27, 2012 11:18 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Password keepers



For personal / single user use I recommend to people the free LastPass (http://www.lastpass.com) solution. The best balance of strong security and convenient usability I've seen. For shared / multi-user use in enterprise I recommend the free open-source WebPasswordSafe (http://www.webpasswordsafe.net) solution [full disclosure: as the author I'm a bit biased]. It is a cross-platform Java web application whose strong security controls you can customize and deploy to fit your environment.

Either way, to fully answer your question, encrypted digital offsite backups with the key separate from the data out-of-band is the way to go. But if immediate availability in a disaster is a huge risk for you where a digital solution can't be depended on, printing an unencrypted export (both of the above solutions support that) as a physical copy and keeping it safe with your usual physical security controls (sealed envelope, locked, access log, cameras, etc.) is what you are left with.

Thanks,
~Josh
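Stacy's redundancy question and the nightly-backup answers above, worked through in an added Python example that is not from any poster or product in this thread: a versioned copy of a KeePass database with a hash manifest, which refuses a damaged source (so a corrupt nightly run cannot rotate the last good copy out) and on restore picks the newest version that still verifies. The KDBX 2.x header signature check and the manifest layout are this example's own assumptions.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path
from typing import Optional

# KDBX 2.x files begin with these two little-endian signature words (assumed here).
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")
MANIFEST = "manifest.json"  # example's own layout: list of {"file", "sha256"}, oldest first


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def is_intact(path: Path, expected_sha: Optional[str] = None) -> bool:
    """Cheap sanity checks: file exists, carries the KDBX header, hash matches."""
    if not path.is_file() or path.read_bytes()[:8] != KDBX_MAGIC:
        return False
    return expected_sha is None or sha256_of(path) == expected_sha


def _manifest(backup_dir: Path) -> list:
    m = backup_dir / MANIFEST
    return json.loads(m.read_text()) if m.exists() else []


def backup(db: Path, backup_dir: Path, keep: int = 7) -> Path:
    """Copy db into backup_dir as a new timestamped version. A damaged source
    is refused so a corrupt nightly run cannot push the last good copy out."""
    if not is_intact(db):
        raise ValueError(f"{db} does not look like an intact KDBX file")
    backup_dir.mkdir(parents=True, exist_ok=True)
    entries = _manifest(backup_dir)
    dest = backup_dir / f"{db.stem}.{time.time_ns()}.kdbx"
    shutil.copy2(db, dest)
    entries.append({"file": dest.name, "sha256": sha256_of(dest)})
    for old in entries[:-keep]:  # prune versions beyond retention, oldest first
        (backup_dir / old["file"]).unlink(missing_ok=True)
    entries = entries[-keep:]
    (backup_dir / MANIFEST).write_text(json.dumps(entries, indent=1))
    return dest


def latest_good(backup_dir: Path) -> Optional[Path]:
    """Newest backup whose on-disk contents still match the manifest hash."""
    for entry in reversed(_manifest(backup_dir)):
        candidate = backup_dir / entry["file"]
        if is_intact(candidate, entry["sha256"]):
            return candidate
    return None
```

The manifest only detects corruption; keep the backup directory on a separate system from the live share, as the posters above do, so one outage does not take both.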
