Following up on my post about passwords and physical security, I’d like to discuss a couple suggestions for secure password management.  This primarily applies to the unfortunate (but common) case where a team is sharing common logins and passwords.  We see this a lot with internal teams, especially in lab and development environments.

A few months ago I saw a good blog post by Joel Spolsky, where he suggested using a combination of Dropbox and Password Safe as a secure password management tool.  For those unfamiliar with it, Dropbox is an Amazon Cloud-based service that essentially acts as a network-based hard disk that can be synced across multiple machines.  Local copies of files are retained on the user’s machine and changes are synced with the main file server and distributed to the user’s other machines with the Dropbox client installed.

It’s a great tool and I would recommend it to anyone – and when used with Password Safe (install your encrypted password file on the dropbox-synced folder), it’s an effortless and secure method for an individual user to manage their passwords.

In an enterprise level IT environment, however, it’s probably not the best choice.  I can’t think of any responsible administrator who’d consider turning over a password list to an untrusted 3rd party, as anonymous or as encrypted as it may be.  It’s just not worth the risk.

The alternative, then, is to leverage a similar method using more secure means.  Our team uses a NAS device, which is an ideal and cost-effective candidate for similar functionality.  If your IT organization has large-scale production file servers which are regularly backed up and maintaned, that would be an even better candidate.

The missing piece in this suggestion is file synchronization – a killer feature of Dropbox.  There are a few different ways to take handle this – either using one of the many file synchronization tools, or a versioning system such as CVS or Subversion.  The choice is yours, but allowing the user to maintain a local copy of the folder is a critical component – because what happens if the file server goes down and the user forgets a shared password?

A careful security administrator will keep these circumstances in mind and plan for them accordingly.  Don’t be “that guy” who assumes his file servers will be up 100% of the time!  That’s what security is all about – hoping for the best, yet planning for the worst.

Password policy is one of the most frustrating subjects for any IT or Security administrator.  You’re stuck in a “Damned if you do, damned if you don’t” situation, where no matter what you do the users will complain.  Something that I like to keep in mind when considering password policies is the careful balance between security and usability.

On one hand, there are fairly well-established best practices regarding password policies.  Non-dictionary words, 8-15 characters, etc.  SANS has a great (if a little strict) password policy document here which is a great starting point for any security administrator.

On the other hand, users have a hard time remembering complicated passwords, especially ones that are frequently rotated.  A well-enforced password policy won’t let users choose their name, dictionary-based words, or any other ‘easy’ passwords, so the user is stuck with having to remember a complicated acrostic, or a random string of characters.  And what do users tend to do in this situation?  Write down the password.

So, what’s wrong with this practice?  Nothing!  It’s even been advocated by various security gurus for years.  But you need adequate physical controls around the password list.  That’s the rub – in a large IT organization,  how does one protect from users carrying around scraps of paper?  Adding a further layer of complication, what about the case of shared logins and passwords?  The problem can become overwhelming quickly.

In an IT environment where Role-Based Access Controls (RBAC) are implemented, I would be inclined to not explicitly discourage users from writing down their individual passwords – because we’re all pretty good at physically controlling pieces of paper (money, anyone?).  I may encourage the use of a tool such as Password Safe,  but there’s only so much that you can do to control the behavior of the users.

Where common usernames and passwords are shared between many people (a tragic case!), the problem of password management becomes much trickier.  I’ve seen systems with multiple versions of a common password list, with each user having their own copy.  I’ve seen password lists distributed betweeen a dozen users via unencrypted email.  I’ve seen printed sheets of passwords “hidden” underneath the keyboard of a common workstation.  I’ve seen post-it-notes on monitors.  All of these situations are terrible, but in reality, they’re also unavoidable.  The best an administrator control for is to provide adequate physical controls; limiting access to the password lists.  It would take a very highly-motivated attacker to get past a security guard, keycarded doors, and a staff that’s advised to pay attention to unrecognized people in the building – and your security response policy should take into account the situation of a password breach and have plans for rapidly shutting down access and rotating shared passwords.

In summary, there’s only so much that you can do to control the behavior of users, especially when asking them to remember complicated passwords.  I would advocate RBAC authenticating against a common directory server in all possible circumstances, so that a breached username and password can be compartmentalized, protecting against damage.  If that’s not possible, educating the users about controlling access to their passwords, and providing for adequate physical controls is about the best you can do.  And as always, having a response policy that takes into account the circumstances of a password breach is critical.  IT has evolved to the point where users are getting comfortable with the strictness of password policies, but as an administrator or security professional, it’s important to consider the vulnerabilities and to keep in mind the careful balance of usability and security.