Password Keeper App???

Its true that multiple people accessing the same account is HORRIBLE. and the lists we have arent becasue of bad archetecture. its becasue things are just so spread out (several networks that have nothing to do with eachother) and very few of them are "mission critical" machines which need to be very secure. the ones that do are locked down with a minimum number of people having access and their passwords being only help in memory. the lists are for accounts that we probably will never access (becasue we have domain admin accounts and what not) they are there "just in case" and the accounts are generally never used.


Im just arguing for the sake of arguing. It will generally bring out better points than just asking questions. ;) Im sure you will agree.

Quote:

---

Down here at "scrub" level you will quite often find apps that only allow for a single password, that have security implications, that have no self auditing and multiple users must have access to

---

Such applications should have their access limited and audited, such as via a terminal server and should require no password of their own.

Quote:

---

There are a couple of others within my organization that have similar issues, especially those where we report to funding sources etc. via their web sites where they give us only one login.

---

Authentication to these sites should be controlled by a proxy server, and again with access controlled and audited.

Your arguments about the way things are, should be considered as a starting point, not and ending one. And one someone asks for adivice it should be used only as comparison, not as a target.

cheers,

catch

Ahhh.... Here we go again.... :D

Quote:

---

Such applications should have their access limited and audited, such as via a terminal server and should require no password of their own.

---

There are many apps out there that run a "Single" user or "Multiple" user.... Guess what? We can't afford the multiple user version and, in real terms, it isn't really appropriate within our risk assessment..... but we still need a "solution". This is what we get and it is my job to secure it....

Funny, I just thought... This is why my job is so much more _fun_ than yours.... I have to be creative.... You just follow "procedure".... :cool:

Quote:

---

Authentication to these sites should be controlled by a proxy server, and again with access controlled and audited.

---

Silly statement.... C'mon, don't just throw random, "I could care less" statements at me - you know better than that.....

I have no control over access to those sites. They are publicly available. A simple piece of SE could glean the required credentials and be used from South Korea or anywhere else. So your suggestion would be????

Quote:

---

Your arguments about the way things are, should be considered as a starting point, not and ending one. And one someone asks for adivice it should be used only as comparison, not as a target.

---

Hmmm... Fun statement.... It doesn't mean much really. I have my starting point - It's called "no _actual_ control over my data". That's my starting point. Could you enlighten me as to how I can achieve my endpoint?

It's a problem.... I know.....

Your points aren't making sense.

Quote:

---

here are many apps out there that run a "Single" user or "Multiple" user.... Guess what? We can't afford the multiple user version and, in real terms, it isn't really appropriate within our risk assessment..... but we still need a "solution". This is what we get and it is my job to secure it....

---

Yeah, and I just gave you a viable option... use a terminal server to control access to such applications. One terminal server, with correct ACLs can audit and authenticate many single user applications.

Quote:

---

I have no control over access to those sites. They are publicly available.

---

If a site gives you an account, and you plug that accoun data into your proxy server, agian making use of availible ACLs, you now control access to that account. The trick is, don't give the password to anyone... make them authenticate via the proxy... now you do control access.

Quote:

---

It's called "no _actual_ control over my data". That's my starting point. Could you enlighten me as to how I can achieve my endpoint?

---

And I'm the one that isn't creative? No one is tellin you to have control over the data... merely the methods availible for accessing the data. If you can't do that, you are not in information security, you are a lame duck.

If someone asks for advice on being a lame duck, I'll direct them to you. ;) If someone asks how to make a system more secure... well the one thing you need to keep in mind with procedures and standards... they exist because someone else tried a zillion and one ways to do something and they finally found a method that bypasses most of the pitfalls. The idea is to take that procedure or standard and apply the IDEAL approach to it and viola! You constantly get better and better ways to do something.

cheers,

catch

I think the point tiger is trying to make is that in certain situations, the "ideal security" cannot be had or is not needed becasue it would cost more than the protect data. When doing security analysis cost is a HUGE factor, especially when you are working for companies like non-profits, or start ups. They just cane afford the security. And i have worked in many places where there really was very little they needed to secure (aside from employee info, etc) so the security didnt need to be so hardened and there are only a few people so they throught (and I agreed it would be reasonable) that they shared certain passwords.

Of course... I've made a number of posts here (and even a tutorial) on proper risk management. The poster never said they had a minimal budget.

My point, and a point that NO ONE else made is that what the original poster is trying to do is bad and perhaps the reasons why you have so many passwords should be looked at rather than ustilizing isolated systems and multiple encryption schemes and armed guards and whatever else was suggested.

If something is important enough to have a password, it is important enough to utilize a secure portal that your organization already most likely has and isn't using. (proxy server/terminal server)

If people just assume no budget and minimal security... hell what is the little tag line of this site? "Maximum Security" not "Ghetto-rigged security for stuff that doesn't even really need it." As soon as the site owner changes this, I'll change my answers. Otherwise many users here will never even be exposed to the "right way" to do things.

cheers,

catch

ol jeb:

I probably should have clarified the use of that password safe type of application I use. I have a separate database which I use it for my personal passwords to the millions of websites and apps I have accounts on. My team at work uses separate databases by functional area for ONLY applications which only allow 1 account (similar to what Tiger Shark is talking about) OR for the service accounts used by various applications.

We have siloed the functional areas off with separate dbs (thus separate passphrases) so that the network engineers dont see the system administrators stuff and so on. We also only use these databases if all else fails at using individual accounts.

catch: Your points are well spoken...and taken. However, like Tiger Shark, I have very little budget (if you actually call it a *budget*) and am faced with what I have tool-wise. Also, there are soooo many applications that dont allow multiple user accounts it's incredible. We ARE working toward moving as many of these bad applications over to point to our newly installed single LDAP directory. And these are only the ones that now have the multiple account functionality gained with recent upgrades.

As a security professional I am trully frustrated (and strong words than that at times) with the lack of security features in this software and/or lack of understanding of what security *means*. There are applications we have that cost tens of thounsands of dollars (US) that dont have basic password strength controls...that's udderly ridiculous...and we (I/S and Security) weren't given veto powers either!

sigh.

Quote:

---

I have very little budget (if you actually call it a *budget*) and am faced with what I have tool-wise. Also, there are soooo many applications that dont allow multiple user accounts it's incredible.

---

I understand this, but there really are so many better ways to control access to such applications. Even something as simple as a script that logs a user into the application in question. The ACLs on the script prevent viewing the source and audit and control access.

Suffice to say, there are ALWAYS better methods than just giving users multiple passwords.

Quote:

---

As a security professional I am trully frustrated (and strong words than that at times) with the lack of security features in this software and/or lack of understanding of what security *means*. There are applications we have that cost tens of thounsands of dollars (US) that dont have basic password strength controls...that's udderly ridiculous...and we (I/S and Security) weren't given veto powers either!

---

I have said this many, many times on this forum... never ever ever ever ever ever never ever never rely on application security. All authentication and access should be controlled by the operating system. InfoSec shouldn't have veto power over anything other than security tools and perimeter defense... to give them more than that and IT procurement will grind to a halt. ;) Securing a great application that has multiple user accounts built in, with all kinds of great encryption and whatever else should be no different than securing a single user application with no internal protections whatsoever.

cheers,

catch

Catch:

You are missing the point...... My data is held out there on a web site that _anyone_ in the world could locate. I am given one set of credentials and told to enter our data into the forms provided. Your suggestion that I enter the account information into a proxy server and control access from there does absolutely nothing to stop _you_ from getting to my data from _your_ house.

Remind me again please, how do I control access to my data? Controlling my users isn't so much the issue. It's what I said, "no actual control over my data".... Some idiot in government who can't even decide what a HIPAA form 837's format is even though it is set in stone by the law is securing the very data I am supposed to protect. I am bound by thier arbitrary decisions and idiotic implementations of things they don't understand. Protest? Yeah, right.... all that gets me is people laid off because the contracts/grants aren't renewed because some incompetent had it pointed out to them that they are a know-nothing and are now pissy enough to get the contract cut.....

Ahh... The real world.... :rolleyes:

Quote:

---

You are missing the point...... My data is held out there on a web site that _anyone_ in the world could locate. I am given one set of credentials and told to enter our data into the forms provided. Your suggestion that I enter the account information into a proxy server and control access from there does absolutely nothing to stop _you_ from getting to my data from _your_ house.

---

And how does a password list help this issue?

The use of irrelevant examples could be why I was confused, I was under the impression you wanted to control user access to the website.

If you have data on a website beyond your control and you disaprove its security... your company needs to have negotiated a better arangement. ;)

None of this addresses why educating the original poster about why password lists are bad was incorrect or not real world viable. (I'd hardly call a non-profit real world, everyone knows non-profit means "too disfunctional to be profitable." I've done some work for them in the past... never again)

cheers,

catch