

Discussion: better way to store passwords - system administration




Posted by sytker, 09-14-2008, 10:58 AM
Hello my friends, I'm a system administrator looking for better practices dealing with my customer passwords.

My scenario:
- 1 x workstation at office
- 2 x laptops
- 1 x HTC TyTN II (Windows Mobile)

PS: All 4 devices are always connected to the internet.

I'm looking for the best way to have confidential information protected, like passwords (user / root passwords / IPs etc.)

Some thoughts:
- Set up a virtual machine (Linux with web/MySQL server storing passwords and IDs) on each device (except the TyTN II) and with ssh keys for my customers' servers. It doesn't seem the best option...
- Store encrypted passwords in a MySQL database on my server on the internet and keep the devices with ssh keys (on a virtual machine or not?).

I still can't see the best option to have passwords/ssh key access at hand and in a secure way. I would like to hear from you what you are using to control/secure/protect your customer information and passwords. Thanks

Posted by Xeentech, 09-14-2008, 10:02 PM
I have a USB token that does PKCS#11 encryption and signing. It's supported in Thunderbird to sign mail etc, PuTTY to authenticate the session, and you can use it in encryption software to crypt files, though I don't bother, I just read stuff I need over SSH in PuTTY, even on my Kaiser / TyTN II, though it's a little slow for PuTTY. Though IMO, it's total overkill ;P I only have it around as it was required for a VPN app we used to use, though it does work with our new OpenVPN.

You could store the info on your TyTN II's SD card, if you enable encryption... Start -> Settings -> System tab -> Encryption. Then be sure to set a personal key for the phone, and put the idle timeout to 0 mins (in case someone snatches it out of your hands.) When you have it plugged into the PC you'll be able to find the SD card in your "My Computer" if you're on Windows.

Along the same line of thinking.. have you seen the USB thumb drives that only make themselves accessible after a fingerprint scan? This wouldn't work on your TyTN, or any other HTC, as they still haven't got USB-On-The-Go support! ARGH!

Posted by sytker, 09-15-2008, 10:50 AM
Well, very good to know about encryption on TyTN II. Would you store your ssh keys on your token for example? And is it possible to use ssh keys on PocketPuTTY?

Posted by chrda, 09-15-2008, 11:06 AM
KeePass is good, also in portable edition.

Posted by sytker, 09-15-2008, 11:32 AM
Wonderful soft! About ssh keys, what is the best way to secure/protect them? Thanks

Posted by chrda, 09-15-2008, 11:34 AM
TrueCrypt container, also in Portable Edition

Posted by Xeentech, 09-15-2008, 12:19 PM
PocketPuTTY can use an RSA SSH key pair, like the standard build of PuTTY.. but it can not do PKCS#Anything... Wouldn't make much sense as there are about two devices in the wild that could manage the hardware involved.

On the PC side of things, I use OpenSC. With this and a certain (patched) version of PuTTY you can store the actual RSA file the SSH Agent uses to sign the init connection. The agent is the bit that either does RSA DH keys, simple password or interactive keyboard.

On the TyTN I use an ssh key for PuTTY that is stored on my encrypted drive. The ssh key is also encrypted with a very simple easy to type (on a bus for example), but this was more because the software that made the key insisted I set one.
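
Added example (not part of the thread and not any poster's code): a check that private key files kept on a laptop, VM or SD card are actually passphrase-encrypted at rest, reading only the file header. It goes beyond the PuTTY `.ppk` keys discussed here to also cover OpenSSH and PEM files; the function names and sample file names are hypothetical, and the samples are constructed headers with no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\0"

def key_is_encrypted(text: str) -> bool:
    """True if a private key file's contents are passphrase-encrypted at rest."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    first = lines[0]
    if first.startswith("PuTTY-User-Key-File-"):           # PuTTY .ppk
        for ln in lines:
            if ln.startswith("Encryption:"):
                return ln.split(":", 1)[1].strip() != "none"
        raise ValueError("PPK file has no Encryption header")
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack_from(">I", blob, len(MAGIC))
        start = len(MAGIC) + 4
        return blob[start:start + n] != b"none"            # cipher name field
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":   # PKCS#8
        return True
    if first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----"):
        # Legacy PEM marks encryption with a Proc-Type header line.
        return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    raise ValueError("unrecognised private key format")

def unprotected(keys: dict) -> list:
    """Names of keys stored without a passphrase."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))

def openssh_sample(cipher: bytes) -> str:
    """Constructed header-only sample (not a usable key)."""
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in (cipher, kdf))
    body = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed samples: headers only, no key material.
SAMPLES = {
    "tytn.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\nComment: constructed\n",
    "laptop.ppk": "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\nComment: constructed\n",
    "office_id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-128-CBC,00\n\n-----END RSA PRIVATE KEY-----\n",
    "vm_id_ed25519": openssh_sample(b"none"),
}

if __name__ == "__main__":
    print("keys without a passphrase:", unprotected(SAMPLES))
```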

Posted by Sheps, 09-15-2008, 12:51 PM
Here is a tip: Don't. Don't store your passwords. Keys, well, you really can't remember a key and type it out manually, but then again, just generate a key for all your machines and take the pub key and put it on each of your clients' servers. But I never write down my passwords. Memorize them and then you're good.

Posted by sytker, 09-15-2008, 01:17 PM
The problem here is I can't use the same password for all my servers, and that I can't memorize more than 100 passwords.


