What’s The Password?

Managing multiple machines or accounts involves remembering quite a few usernames and passwords, and every member of the team has to use the same ones. The challenge is to find a secure way of storing these login credentials so that everyone can access them easily.
Originally we stored all the usernames and passwords in what we called the “Password Book”. This book was a simple notepad containing the pertinent information, kept in a cabinet close by. The main problem with this system was that the information was not available unless you were actually in the office, which made on-the-road troubleshooting almost impossible.
Currently we store all of the information in a Blowfish-encrypted database. The database is kept on a wiki page (which I will cover in another post), from which it can be downloaded and copied onto a USB key.
This database is then read by a program called Password Gorilla. The advantage of using Password Gorilla is that the client is available on a multitude of platforms, including mobile ones such as Windows CE (but not BlackBerry).
In reality, we only need to remember one password: the password to the encrypted database. With that, we have access to all the usernames and passwords we need in order to do our jobs.
CBC.ca web site, Under the Hood
Hmmmm that’s insane and goes against all notions of security as I understand it. Passwords should be memorized only, never written down anywhere, analogue or digital. Users are already dumb enough to give me their passwords to bank transaction software without even checking who I am over the phone, having passwords stored somewhere sounds deeply wacky to me.
Soo….what’s the password again?
Having to memorize over 30 usernames and passwords is just not possible. Plus with the employee churn rate we have here, it would be impossible to remember a new set of over 30 usernames and passwords each time an employee leaves.
Oh, one more thing. When I was producing for DNTO, I did a piece on how easy it was to hack systems. I hired a “white hat hacker” to try to hack into CBC’s content management system.
He did it in ten minutes.
Username: remote
Password: control
We could have changed the front news page of cbc.ca if we wanted to. (Don’t think I wasn’t tempted!)
And this, my friends, is why strong passwords (with uppercase letters, numbers, and symbols) are important.
Even today, at least in Vancouver, there’s a simple default password for everyone’s voicemail box (no I won’t reveal it here). Not many people change it from the default. If you know the “secret”, you can listen to lots of people’s voicemails.
Shouldn’t users be tasked with remembering their own user names and passwords? Like I told the lawyer in charge of security at the bank after I took over his computer in front of his very eyes… security is an illusion.
Why my friend was able to take over a hydro-electric dam with his laptop from inside the hydro network is beyond me. So storing passwords in a DB makes me nervous, just my 2 ¢.
I can remember maybe 5 randomly-generated passwords (the only kind worth having). If using an encrypted DB with a ridiculously long passphrase means I can have 30 or 40 random passwords, thereby eliminating the crudest of attacks, that’s a decent tradeoff. Unfortunately, security is all about tradeoffs.
>>Even today, at least in Vancouver, there’s a simple default password for everyone’s voicemail box
As I was saying about the Vancouver phone password before being rudely interrupted:
I and other people were told to keep the default password to make it easier to job share.
The thing about all this security is that, for the most part, I don’t have a lot to protect. The reason why most of us can’t find a perfect place in our brains to memorize fifteen different passwords is because all anyone is going to get access to on our work computers is audience mail (maybe), a bunch of corporate memos, and the meaningless (to anyone else) back-and-forth that makes up my job. Financial info, yeah, it’s worth protecting and I’m happy for that kind of security. My e-mail, I don’t see the point. I suppose if you can get into my e-mail, the logic is you can work your way back to something that’s really important if you wanted to take the trouble. I imagine most people would rather hack into a bank or a government department.