How should an IT Department manage master passwords?

Hey there,

I am trying to figure out industry standards, best practices, and quality ideas for how my IT department should manage our 10-20 master passwords. Many of these passwords do not change, some are hard coded onto devices, etc etc…

One of our Techs insists we should not store the passwords electronically in a device that is accessed using a password…saying somehow this is a violation of “best practices” to protect what you are protecting with what you are protecting. How can I validate whether there is any truth to this claim? (He recommends a piece of paper hidden somewhere and locked up.)

What do you think? How does your IT department manage such things?

Thanks!

Put them on a post-it note and stick it to your monitor; when eSecurity gets mad, move it to under your keyboard.

I believe lock and key is best practices - ours are just known by three people at different physical sites and changed when one of those people leaves.

Typed out on paper, in a file in a safe. Plus a copy somewhere else.

But your passwords should change. When a tech who knows the password of a privileged account leaves, then that account should have its password changed. Ideally, of course, technicians shouldn’t need to know the passwords - the privileged accounts are members of privileged groups and you make the technician’s admin account a member of that group.

I second the paper in a safe option. And I would also send copies to your disaster recovery offsite storage.

If it must be unchanging - on paper, in an envelope with two people’s signatures across the seal, and in a safe.

Well, if you actually need to access the passwords occasionally, the paper will quickly get copied and/or left out of the safe. If you just want to keep a backup of what everyone already knows (in case of a tragic margarita explosion at an offsite teambuilding), that’d probably work fine.

We had password management software for the several dozen passwords we had to keep track of. Had some security policies in place to keep it a little more secure and the password to the pwman was closely guarded and a royal PITA to type in, but we actually used those passwords semi-regularly. There was also a policy against writing/typing/saying aloud any password, so new guys were shown the sw and had the technique for figuring out the password to get in explained. Very handy, but like everything else, it could be compromised by someone with access to it, just as the hardcopy in the safe could.

We use a little program called Password Safe.

We’ve got them posted on a website behind a Wiki password.

However, once the password is entered, it’s a PGP encrypted text file and we all have to enter our individual passphrases to then unencrypt that.

When somebody leaves, we change the passwords, update the text file and then re-encrypt it without their keys.
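The last post describes a multi-recipient PGP vault and the leaver workflow (rotate the passwords, re-encrypt without the departed person's key). As an added example that is not from any poster, the following script runs that workflow end to end with GnuPG in throwaway keyrings: two people (alice and bob, constructed names) each get their own key, the vault is encrypted to both, then bob "leaves" and the rotated vault is re-encrypted to alice only. It then checks that bob's key can no longer open the new file. It assumes the `gpg` command-line tool is installed; the vault contents and key names are made up.

```shell
#!/bin/sh
# Added example (not the thread's own procedure or anyone's real keys).
# Every keyring lives under a scratch directory, so no real keyring is touched.
set -eu

# Make a private keyring for one person and export their public key.
# $1 = name; writes $WORK/$1.home (private keyring) and $WORK/$1.pub (public key)
make_person() {
  home="$WORK/$1.home"
  mkdir -p "$home"; chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key "$1 <$1@example.invalid>" default default never 2>/dev/null
  GNUPGHOME="$home" gpg --batch --quiet --export "$1@example.invalid" > "$WORK/$1.pub"
}

# Encrypt the shared vault file to the public keys of everyone named.
# $1 = plaintext path, $2 = ciphertext path, remaining args = names
# Only the names passed here can read the result: this is the "re-encrypt
# without their keys" step when one name is left out.
encrypt_vault() {
  plain="$1"; out="$2"; shift 2
  vhome="$WORK/vault.home"; mkdir -p "$vhome"; chmod 700 "$vhome"
  rcpts=""
  for n in "$@"; do
    GNUPGHOME="$vhome" gpg --batch --quiet --import "$WORK/$n.pub" 2>/dev/null
    rcpts="$rcpts --recipient $n@example.invalid"
  done
  # --trust-model always: the demo keys carry no web-of-trust signatures
  GNUPGHOME="$vhome" gpg --batch --quiet --yes --trust-model always \
    $rcpts --output "$out" --encrypt "$plain"
}

# Succeeds (exit 0) only if the named person can decrypt the vault with their own key.
can_decrypt() {
  GNUPGHOME="$WORK/$1.home" gpg --batch --quiet --decrypt "$2" >/dev/null 2>&1
}

# Runs the whole leaver workflow and prints: ok, skipped (no gpg), or a failure tag.
rotation_demo() {
  command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
  WORK="$(mktemp -d)"
  make_person alice
  make_person bob
  # Constructed vault line; not a real credential.
  printf 'core-switch admin: old-password-CONSTRUCTED\n' > "$WORK/vault.txt"
  encrypt_vault "$WORK/vault.txt" "$WORK/vault.gpg" alice bob
  can_decrypt alice "$WORK/vault.gpg" && can_decrypt bob "$WORK/vault.gpg" \
    || { echo fail-before-rotation; return 0; }
  # bob leaves: change the passwords, then re-encrypt to the remaining keys only.
  printf 'core-switch admin: new-password-CONSTRUCTED\n' > "$WORK/vault.txt"
  encrypt_vault "$WORK/vault.txt" "$WORK/vault.gpg" alice
  can_decrypt alice "$WORK/vault.gpg" || { echo fail-alice-after-rotation; return 0; }
  if can_decrypt bob "$WORK/vault.gpg"; then echo fail-bob-still-reads; return 0; fi
  rm -rf "$WORK"
  echo ok
}

echo "rotation demo: $(rotation_demo)"
```

Re-encrypting only the rotated vault is what makes the step effective: the old ciphertext still decrypts with the departed person's key, so the passwords inside it must actually be changed, as the post says, and not just re-wrapped.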