Best practices for management of client passwords?

Discussion in 'other security issues & news' started by gardanni, Jul 30, 2004.

Thread Status:
Not open for further replies.
  1. gardanni

    gardanni Registered Member

    Jul 30, 2004
    I work with a small technical services company. We have 5 techs who service a total of about 20 clients. Since we don't know which tech will be servicing any particular client, we make all passwords available to all our technical staff. Aside from the security issue of giving so many people access to so many passwords, we have faced great difficulties having to change all passwords for all clients every time we have a staff change!

    Can someone recommend some best practices for password management in such a setting?


  2. Devinco

    Devinco Registered Member

    Jul 2, 2004
    Hi Dan and welcome to Wilders.
    Why not have just a separate database that contains just the client name and relevant passwords. Then restrict access to this password database to just management. Then, whenever the tech is ready to go out on call with a work order, they come to you (management) for the password just for that client. You could then write (or print) just that password on the work order or tech note list.
    As your client's business is at stake and your liability as well, you should take every precaution to protect those passwords as well as your customer database. As you know, it is your most important asset.

    Restrict and secure physical access to the "password" and/or "client DB" computer to management personnel only.
    Secure that computer (too big for this post, that's what Wilders is for). Isolate or restrict access to other computers on the LAN. Isolate or at least restrict internet access. Do not use the important computer for anything else. No games, web surfing, file sharing, Instant Messaging, beta software testing, or other general purpose computing.

    You could use a dedicated password manager like Password Safe or others (just search the forum for password manager).
    Or, you could store them in your own database and then encrypt it.
    Use good encryption, Windows EFS is pretty much worthless.
    PGP Disk can create an encrypted volume that is encrypted with the AES (Rijndael) algorithm (pretty good). PGP Disk is convenient. What I didn't like was its inability to edit a PGP Disk volume that was located on a CDRW disc. The file would corrupt unless you moved/copied it to the HD first.
    I have not yet tried CryptoSuite for this purpose, but it looks very promising and I will check it out when I get a chance.

    Hope that helps.
  3. meneer

    meneer Registered Member

    Nov 27, 2002
    The Netherlands
    Use a service account with admin/root equivalent rights on all managed systems and store the real admin/root account in an envelope.
    The real root admin/root account is only needed for infrastructural changes or in the case of a disaster. Most operational activities can be handled with equivalent accounts.

    Enable logging on all systems, so that you can trace all actions. Try to make sure that the systems accounts can only read the log(setting)s.

    Using a password management tool, as Devinco mentioned, is good practice. You could install the tool and the database on a USB token.
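Putting Devinco's encrypted per-client database and meneer's logging advice together, here is an added Go example (not code from either poster, nor from any of the tools named): each client's password is sealed separately under a key that only management holds, bound to the client name so records cannot be swapped, and every release to a named tech is recorded. Assumed for illustration: a 32-byte management key supplied by the caller and in-memory storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Vault: one AES-256-GCM ciphertext per client under a management-only key (assumed design).
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // client name -> nonce || ciphertext
	Audit   []string          // one line per release: when, which tech, which client
}

// NewVault takes the 32-byte management key; keep that key off the techs' machines.
func NewVault(managementKey []byte) (*Vault, error) {
	block, err := aes.NewCipher(managementKey)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Vault{aead: aead, entries: map[string][]byte{}}, nil
}

// Store seals one client's password; binding the client name as associated data means a blob moved to another record will not open.
func (v *Vault) Store(client, password string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[client] = v.aead.Seal(nonce, nonce, []byte(password), []byte(client))
	return nil
}

// Checkout releases exactly one client's password to one named tech and logs it.
func (v *Vault) Checkout(tech, client string, now time.Time) (string, error) {
	ns, blob := v.aead.NonceSize(), v.entries[client]
	if len(blob) < ns {
		return "", fmt.Errorf("no entry for client %q", client)
	}
	pw, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(client))
	if err != nil {
		return "", err
	}
	v.Audit = append(v.Audit, fmt.Sprintf("%s tech=%s client=%s", now.UTC().Format(time.RFC3339), tech, client))
	return string(pw), nil
}
```

Because each release is logged per tech and per client, a staff change means rotating only the passwords that departing tech actually checked out, not every client's.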