Home page logo

basics logo Security Basics mailing list archives

Re: Password Change Management
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Wed, 01 Mar 2006 19:14:52 -0500

Matt Alexander wrote:
For example, let's say you have a group of admins with root/admin passwords to everything. Someone either leaves the company or leaves their cellphone (with all their passwords) in a taxi. What procedures do you follow to change the passwords as quickly as possible?

Responsible $user immediately changes passwords that were lost. If unable to for any reason (no access to the network, etc.) $user is to immediately contact another administrator who can change the passwords immediately.

How do you securely distribute new passwords to your admins?

Do you keep a central password repository? If so, how do you ensure that the repository is completely secure?

Administrative passwords are stored in a data file used by "Password Safe" (http://www.schneier.com/passsafe.html) or similar. Data file itself is encrypted with a password and stored on an EFS encrypted volume. EFS certificates and NTFS permissions are used to protect the data file. The password used to encrypt the data file is only verbally communicated between users and policy is that it is *NEVER* to be written down or stored anywhere other than the mind. Administrators sign written document agreeing to policy, which provides for immediate termination upon determination of a violation.


Jeremy L. Gaddis
GCWN, MCP, Linux+, Network+

The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]