Author Topic: How do you securely manage server privileged passwords?  (Read 8879 times)


Offline Alline Cliff

  • Thread Starter
  • Posts: 24
How do you securely manage server privileged passwords?
« on: Thu, 09 February 2017, 21:08:18 »
It is difficult to securely manage access to thousands of privileged accounts. In our organization, I noticed that the passwords to server privileged accounts are often the same on many systems and rarely (if ever) changed. Are there several technological approaches to more securely manage server privileged passwords?

Offline bmmcwhirt

  • Posts: 207
  • Location: Indiana
    • KB9YEN
Re: How do you securely manage server privileged passwords?
« Reply #1 on: Thu, 09 February 2017, 23:39:37 »
You didn't say how you were accessing them.

I manage several BSD servers and many VSphere VMs.

Best practice is to use three-factor authentication with a single central authentication server. If your organization isn't large enough for that to be financially practical, the next best practice is to use keys, not passwords. I mostly use SSH, so it has that built in. There are plenty of tutorials on this and a Google search will get you what you need.

If you are in a Windows environment then a central authentication server is really mandatory. Then you need to implement password procedures such as changing passwords weekly and access control lists. As long as things are set up properly you don't need to pass out administrator passwords on the machines to everyone. Unfortunately, Windows is by far the most expensive and tedious.

With OS X and Apple workstations and servers it's far easier. They have a nice simple GUI that lets you configure Kerberos access to any machine or server as long as each machine and server is a Mac or supports Kerberos. Most *nix OSes can be set up with Kerberos. I do not know how to set up three-factor authentication on OS X Server or if it is even possible.

I don't know if any of this helps, if not provide some additional details and we can go from there.

Offline OfTheWild

  • * Esteemed Elder
  • Posts: 1308
  • Location: Cary, NC
  • Make things. Have fun.
    • Studios of the Wild
Re: How do you securely manage server privileged passwords?
« Reply #2 on: Fri, 10 February 2017, 02:37:44 »
I manage networking equipment for customers. It is fairly standard practice to make all the devices for each customer use the same 'privilege/enable/root' password. Without that all set the same, automation and scripting loop processes become exponentially more difficult. We do, however, use TACACS to get into most things and that changes monthly for each user.
-Dana

Offline bmmcwhirt

  • Posts: 207
  • Location: Indiana
    • KB9YEN
Re: How do you securely manage server privileged passwords?
« Reply #3 on: Fri, 10 February 2017, 12:33:09 »
Quote from: OfTheWild
I manage networking equipment for customers. It is fairly standard practice to make all the devices for each customer use the same 'privilege/enable/root' password. Without that all set the same, automation and scripting loop processes become exponentially more difficult. We do, however, use TACACS to get into most things and that changes monthly for each user.

Yeah, this is pretty standard: anything that is physical access only (console port) or requires privileged access to even access (such as su/root or enable/secret) is usually the same across the entire company or per client. Then the methods to access these are usually restricted to on-site/VPN and not directly accessible from outside the local LAN.

Also, just because we are talking authentication and security, I will bring this up. Most Linux distributions are set so that su and sudo accept the user password if the user has privileges for su/sudo. This is because a default installation logs you in and does not give you the root password. On FreeBSD this is not the case: if you su/sudo, you need to have the root password. Since the root password is configured during install on FreeBSD, it's easier for them to have this set this way. This is my preferred method and I change the way Linux handles this as part of my install. Since I have a VM template I don't have to do this much any more, but I thought it was worth mentioning. Set up the FreeBSD way, a privileged user still needs to know the root password to perform root actions. This is all personal preference, of course, but I wanted to share.

Also, Cisco switches and routers running IOS can be configured with Kerberos, but I've never tried to make one authenticate off of an OS X server.


Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13565
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: How do you securely manage server privileged passwords?
« Reply #4 on: Fri, 10 February 2017, 19:14:05 »
Write it down on a piece of paper.

Put it in a safe and/or a really dirty / undesirable location that people would be naturally averse to checking.

Offline bmmcwhirt

  • Posts: 207
  • Location: Indiana
    • KB9YEN
Re: How do you securely manage server privileged passwords?
« Reply #5 on: Fri, 10 February 2017, 20:06:35 »
Quote from: tp4tissue
Write it down on a piece of paper.

Put it in a safe and/or a really dirty / undesirable location that people would be naturally averse to checking.

We are talking thousands of accounts and passwords and machines in a corporate environment. Paper is not practical and surely violates company policy.

If you write a password down on paper in my network and I find out, you don't get a second chance: your access is revoked and you will no longer be employed.


Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13565
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: How do you securely manage server privileged passwords?
« Reply #6 on: Fri, 10 February 2017, 22:32:00 »
Quote from: bmmcwhirt
Quote from: tp4tissue
Write it down on a piece of paper.

Put it in a safe and/or a really dirty / undesirable location that people would be naturally averse to checking.

We are talking thousands of accounts and passwords and machines in a corporate environment. Paper is not practical and surely violates company policy.

If you write a password down on paper in my network and I find out, you don't get a second chance: your access is revoked and you will no longer be employed.

Well... for large scale, the first protection is buying insurance against damages. On the actual data security side, copying it out to an offline device is as much as you can do.

Offline OfTheWild

  • * Esteemed Elder
  • Posts: 1308
  • Location: Cary, NC
  • Make things. Have fun.
    • Studios of the Wild
Re: How do you securely manage server privileged passwords?
« Reply #7 on: Fri, 10 February 2017, 22:32:36 »
That's good info about the BSD setup. Thanks, I didn't know that.

I just recently started using a personal algorithm that allows me to use the same password but with a couple of minor changes based on the site I'm logging into. After a few of those data breaches this year from some forums and such, I realized I should figure out a way to use unique passwords instead. Especially considering how many forums I'm a member of and how, up until this year, I was using the same user/pass on all of them. And then there's the important sites like financial and stuff that were also using the same info :eek:

A little side topic that might interest someone... I was in a security seminar a while back that discussed the corporate issue of trying to secure a userbase. It is fairly standard to force your users to change the password every month/quarter and set up additional criteria like capitals/numerics or, for total asshats, special characters. Unfortunately what that does is make your users come up with something simple they can remember, e.g. Febr2017! meets all your standard pass criteria... I'll let you guess what the password will be next month/year?
What they found was that cracking that password with brute force or library attempts (where you have gigs of password lists that you try) would take a few days, maybe weeks, even for something generally difficult to remember (and often written down somewhere insecure) like 'Hl7!n@1j'. However, if you told users to come up with 5 random words and use that as their passphrase, people would remember it, and it would be virtually uncrackable. e.g. 'Diethousepaperkeyboardsrunning': you could imagine a tiny home with paper walls where your buckling spring keyboard sent people running. You just remembered a password that's 30 characters long that would be virtually uncrackable. Pretty cool.

Anyway, as for keeping track of logins at work or sites where I never remember my user/pass info, I use KeePass. It's actually fantastic for storing login info. Also great for sharing your desktop with people like Cisco and Juniper, because they can just click the password for the devices you're in and it's never shown on the screen.

-Dana

Offline davkol

  •  Post Editing Timeout
  • Posts: 4994
Re: How do you securely manage server privileged passwords?
« Reply #8 on: Sat, 11 February 2017, 07:42:16 »
xkcd #936


To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Offline tp4tissue

  • * Destiny Supporter
  • Posts: 13565
  • Location: Official Geekhack Public Defender..
  • OmniExpert of: Rice, Top-Ramen, Ergodox, n Females
Re: How do you securely manage server privileged passwords?
« Reply #9 on: Sat, 11 February 2017, 07:59:54 »
Quote from: davkol
xkcd #936

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

What example password does davkol recommend?

Does the fact that commonly people only know about 10,000 to 20,000 words make a difference?

Offline davkol

  •  Post Editing Timeout
  • Posts: 4994
Re: How do you securely manage server privileged passwords?
« Reply #10 on: Sat, 11 February 2017, 08:12:44 »
Quote from: bmmcwhirt
Best practice is to use three-factor authentication with a single central authentication server. If your organization isn't large enough for that to be financially practical, the next best practice is to use keys, not passwords.

QFT

Offline happylacquer

  • Posts: 400
  • Location: USA
  • BS Apologist
    • BHOBuds
Re: How do you securely manage server privileged passwords?
« Reply #11 on: Mon, 13 February 2017, 14:46:31 »
Quote from: tp4tissue
Quote from: davkol
xkcd #936

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

What example password does davkol recommend?

Does the fact that commonly people only know about 10,000 to 20,000 words make a difference?

Do you even know what side of the argument you're on?

Offline OfTheWild

  • * Esteemed Elder
  • Posts: 1308
  • Location: Cary, NC
  • Make things. Have fun.
    • Studios of the Wild
Re: How do you securely manage server privileged passwords?
« Reply #12 on: Tue, 14 February 2017, 03:05:58 »
Quote from: davkol
xkcd #936

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Well there ya go! He did a fantastic job of explaining it in far less time than the seminar did, lol.
-Dana

Offline cribbit

  • Posts: 288
Re: How do you securely manage server privileged passwords?
« Reply #13 on: Fri, 24 February 2017, 16:10:01 »
The only way to be really secure is to use the same password everywhere, put sticky notes with the password on every machine and have the password hint be the password.
I typed this post on my Slanck. I also developed a stronger, cleaner, easier handwiring method.


Offline yuppie

  • Posts: 358
Re: How do you securely manage server privileged passwords?
« Reply #14 on: Tue, 28 February 2017, 07:03:50 »
Quote from: Alline Cliff
It is difficult to securely manage access to thousands of privileged accounts. In our organization, I noticed that the passwords to server privileged accounts are often the same on many systems and rarely (if ever) changed. Are there several technological approaches to more securely manage server privileged passwords?

SSH keys. A key for each account. No passwords. Unless you're not talking Linux, then ur ded 2 me.
"Overall, it's a good community..  wish you well on your Pokemon Journey.." - TP4
Current Trades -- Wishlist
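Several replies above (bmmcwhirt's "use keys, not passwords", yuppie's "SSH keys ... No passwords") come down to a handful of sshd_config directives, and two sshd parsing rules bite people who flip them by hand: the first occurrence of a directive wins, and anything under a Match line is conditional. The following audit is an added example written for this thread, not code from any poster. The two configs at the bottom are constructed samples; the OpenSSH defaults it assumes are those of OpenSSH 7.0 and later.

```python
"""Audit an sshd_config for settings that keep password logins alive.

Added example for this thread, not code from any poster. The two config
texts at the bottom are constructed samples; feed audit_sshd_config() the
contents of a real /etc/ssh/sshd_config to check your own hosts.
"""
import re

# Directives that decide "keys, not passwords", with the values we accept.
SAFE_VALUES = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "challengeresponseauthentication": {"no"},   # older alias of the above
    "permitrootlogin": {"no", "prohibit-password"},
    "pubkeyauthentication": {"yes"},
    "permitemptypasswords": {"no"},
}

# What a recent OpenSSH (7.0+) uses when the directive is absent.  An
# absent PasswordAuthentication means passwords are ON.
OPENSSH_DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_sshd_config(text):
    """Split sshd_config into global settings and Match-block settings.

    Mirrors two sshd parsing rules that trip people up: the FIRST
    occurrence of a directive wins (a later hardened line is ignored),
    and everything after a Match line is conditional.
    """
    global_settings = {}
    match_settings = []          # (directive, value) pairs after any Match
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            match_settings.append((key, value))
        else:
            global_settings.setdefault(key, value)   # first one wins
    return global_settings, match_settings


def audit_sshd_config(text):
    """Return (severity, directive, message) findings; empty means clean."""
    global_settings, match_settings = parse_sshd_config(text)
    findings = []
    for key, ok in SAFE_VALUES.items():
        if key in global_settings:
            value = global_settings[key].lower()
            if value not in ok:
                findings.append(("fail", key,
                                 "set to %r, expected one of %s" % (value, sorted(ok))))
        elif OPENSSH_DEFAULTS[key] not in ok:
            findings.append(("fail", key,
                             "not set; OpenSSH default %r keeps it enabled" % OPENSSH_DEFAULTS[key]))
    # A Match block can quietly re-enable passwords for some users or subnets.
    for key, value in match_settings:
        if key in SAFE_VALUES and value.lower() not in SAFE_VALUES[key]:
            findings.append(("warn", key,
                             "%r inside a Match block re-enables it for a subset" % value))
    return findings


# Constructed samples (not from any real host).
WEAK_CONFIG = """\
# duplicate directive below: sshd keeps the first value, so this host still
# accepts passwords even though an admin appended 'no' at the end
Port 22
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for severity, key, msg in audit_sshd_config(cfg) or [("ok", "-", "no findings")]:
            print("  [%s] %s: %s" % (severity, key, msg))
```

Run it against `sshd -T` output rather than the raw file when you can: `sshd -T` prints the effective, already-merged configuration, so the first-wins and Include subtleties are resolved by sshd itself and the audit only has to read values.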

Offline jal

  • Posts: 254
  • Location: Bay Area, US
  • I can't believe it's not gravy!
Re: How do you securely manage server privileged passwords?
« Reply #15 on: Tue, 28 February 2017, 07:51:30 »
In my shop [1], root is set to a long gibberish string. User authentication is via LDAP and SSH key authentication; authorization uses sudo, with sudo configuration generated for each server based on where it is and what it does. SSH keys are also auto-installed/removed for users by Puppet, based on where the owners are allowed to be.

So the result is that privileged passwords are basically never used. Everyone uses their user password for everything that isn't handled by their SSH key. I've had to look up the root password twice, I think. Once to verify it was correct when I thought it might have been being set to something else by mistake, and once when I was a moron and knocked a physical machine off the network with a configuration mistake.

[1] I only work on our production hosts, which are Unix or Linux. The Windows folks deal with AD for Mac/Win desktop stuff, which I don't deal with. We keep the two LDAP DBs separate, with some synchronization glue to handle folks who live in both worlds.
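The setup jal describes (directory users, per-host sudo rules derived from site and function, keys pushed and pulled by config management) and bmmcwhirt's earlier FreeBSD-style preference (sudo asks for root's password, which is the `rootpw` Defaults flag on Linux sudo) both reduce to rendering files from a policy. The block below is an added example of that pattern, not jal's Puppet code or anyone's real inventory: the users, hosts, roles, commands and key strings are constructed placeholders.

```python
"""Render per-host sudoers and authorized_keys files from an access policy.

Added example illustrating the pattern jal describes (LDAP/SSH-key
users, sudo rules generated per host from site and function, keys pushed
and pulled by config management) and the sudo 'rootpw' setting behind
bmmcwhirt's FreeBSD-style preference.  It is not jal's Puppet code; the
users, hosts, roles, commands and key strings are constructed placeholders.
"""

# Constructed directory export: roles, sites a person may work in, and key.
USERS = {
    "alice": {"roles": {"dba"}, "sites": {"sfo", "nyc"},
              "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERalice alice"},
    "bob":   {"roles": {"web"}, "sites": {"sfo"},
              "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERbob bob"},
    "carol": {"roles": {"sre"}, "sites": {"sfo", "nyc"},
              "key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERcarol carol"},
}

# Constructed inventory: where each host is and what it does.
HOSTS = {
    "db1.sfo":  {"site": "sfo", "function": "db"},
    "web1.nyc": {"site": "nyc", "function": "web"},
}

# (role, host function) -> commands that role may run as root there.
# Only the on-call SRE role gets ALL; everyone else gets an explicit list.
POLICY = {
    ("dba", "db"):  ["/usr/bin/systemctl restart postgresql",
                     "/usr/bin/systemctl status postgresql"],
    ("web", "web"): ["/usr/bin/systemctl restart nginx",
                     "/usr/bin/journalctl -u nginx *"],
    ("sre", "*"):   ["ALL"],
}


def entitled_users(host):
    """Map user -> sudo command list for this host.

    A user qualifies only if the host's site is in their allowed sites AND
    one of their roles has a policy entry for the host's function (or '*').
    """
    site, function = host["site"], host["function"]
    result = {}
    for name, user in USERS.items():
        if site not in user["sites"]:
            continue
        commands = []
        for role in sorted(user["roles"]):
            commands += POLICY.get((role, function), [])
            commands += POLICY.get((role, "*"), [])
        if commands:
            result[name] = commands
    return result


def render_sudoers(hostname, host, require_root_password=False):
    """Full /etc/sudoers.d fragment for one host.

    require_root_password=True emits 'Defaults rootpw', so sudo asks for
    root's password instead of the caller's own (the FreeBSD-like setup
    described in the thread); the default keeps the usual Linux behaviour.
    """
    lines = ["# generated for %s from the access policy; do not edit by hand" % hostname,
             "Defaults rootpw" if require_root_password else "Defaults !rootpw",
             "Defaults use_pty, logfile=/var/log/sudo.log"]
    for name, commands in sorted(entitled_users(host).items()):
        lines.append("%s ALL=(root) %s" % (name, ", ".join(commands)))
    return "\n".join(lines) + "\n"


def render_authorized_keys(host):
    """user -> authorized_keys content.  Because the file is regenerated
    whole from the policy, a user who loses a site or role simply disappears
    from the next run: that is the auto-removal jal mentions."""
    return {name: USERS[name]["key"] + "\n" for name in entitled_users(host)}


if __name__ == "__main__":
    for hostname, host in HOSTS.items():
        print(render_sudoers(hostname, host))
        print(sorted(render_authorized_keys(host)))
```

Whatever renders the fragment should hand it to `visudo -c -f <file>` before it is installed; a syntax error in a sudoers.d file locks everyone out of sudo on that host, which is exactly when the gibberish root password gets looked up.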

Offline Alline Cliff

  • Thread Starter
  • Posts: 24
Re: How do you securely manage server privileged passwords?
« Reply #16 on: Mon, 12 June 2017, 02:30:46 »
Would a server privilege management solution be able to help us with this? A friend recommended the one from BeyondTrust. Do you think it'll help us do the job?

Offline TacticalCoder

  • Posts: 526
Re: How do you securely manage server privileged passwords?
« Reply #17 on: Fri, 20 October 2017, 21:27:07 »
Quote from: davkol
xkcd #936

To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

That XKCD has done lots of harm... It's true that the tr0b4udor83 thinggy ain't cutting it, but the example he gives is insanely insecure by modern standards.

The rarest word is staple, at position 7114 in the "most commonly used words in English".

A cracker testing all possible four-word combinations of the first 10,000 words would crack this. It's, what, 10,000 trillion tries at most? Clusters of GPUs cracking 500 billion passwords per second were common things 5 years ago. I've read about crackers trying 73 trillion passwords per second (no idea which kind of hash nor which kind of hardware, but I remember that number: it's not far-fetched given the state of the art in 2012).

Crackers have been reported pwning passphrases like the following:

Code:
allineedislove
ilovemySister31,
all of the lights
ilovetofunot
iloveyousomuch

and of course the usual "eleet" ones like: "k1araj0hns0n"

Also, people have been known to try every single sentence of books (the Bible, Lord of the Rings, but really many, many, many books), starting from any word of the book, up to x words, and finding sentences used to protect cryptocurrency wallets that have then been emptied (back when cryptocurrency wallets could be protected by user-chosen passphrases: which is kind of not the case anymore, at least not best practice anymore).

And saying that regular people shouldn't worry about crackers having offline copies of hashes, as it does, was shortsighted too: there are several documented cases of theft (plus all those we don't know about) of user+hashes of hundreds of millions and even several billions (Yahoo!) of accounts.

I love XKCD, but I always found this particular one to be particularly bad, and I feel for those who followed it and ended up with their password cracked because they used four common words and were part of the hundreds of millions or billions of hashes stolen :(

P.S.: I of course don't mean that 44 bits of entropy ain't better than 28... I'm saying that in this day and age, where you can buy a single GPU that has thousands of cores (and when many enthusiasts have farms of these, to GPU-mine GPU-friendly cryptocurrencies for example) and even soon consumer-grade FPGA-like programmable hardware (I read something about Intel coming up with this), 44 bits of entropy is not anywhere near enough. And several documented cases of hash stealing + password cracking are proving this to be true!
« Last Edit: Fri, 20 October 2017, 21:38:14 by TacticalCoder »
HHKB Pro JP (daily driver) -- HHKB Pro 2 -- Industrial IBM Model M 1395240-- NIB Cherry MX 5000 - IBM Model M 1391412 (Swiss QWERTZ) -- IBM Model M 1391403 (German QWERTZ) * 2 -- IBM Model M Ambra -- Black IBM Model M M13 -- IBM Model M 1391401 -- IBM Model M 139? ? ? *2 -- Dell AT102W -- Ergo (split) SmartBoard (white ALPS apparently)

Offline davkol

  •  Post Editing Timeout
  • Posts: 4994
Re: How do you securely manage server privileged passwords?
« Reply #18 on: Sat, 21 October 2017, 05:55:33 »
Quote from: TacticalCoder
iloveyousomuch
What's the probability of choosing those words in that order randomly?

Yes, humans are pretty bad at generating random data. Hence the dadaist methods.

You can't do better with passwords, unless control is delegated to a password manager (which has its own share of different issues—somewhat similar to, say, a hardware token).
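The xkcd #936 argument running through this thread (OfTheWild's five-random-words seminar, tp4tissue's question whether a 10,000 to 20,000-word vocabulary matters, TacticalCoder's "10,000 trillion tries at 500 billion per second", davkol's point that the words must be chosen randomly) is all arithmetic on one formula, bits = words × log2(list size), plus a rate assumption. The block below carries that arithmetic through in code and generates a passphrase the way davkol's "dadaist methods" intend. It is an added example for this thread, not code from any poster; the word list is a constructed stub, the 1e3/s and 5e11/s rates are the ones quoted on this page, and the bcrypt-class 1e4/s rate is an assumption, not a measurement.

```python
"""Passphrase entropy, exhaustive-search time and a CSPRNG word picker.

Added example for the xkcd #936 discussion in this thread (OfTheWild's
five-random-words seminar, tp4tissue's 10,000 to 20,000-word question,
TacticalCoder's GPU arithmetic, davkol's point that humans pick badly).
Not code from any poster.  The word list is a constructed stub; real lists
have thousands of entries.  The guess rates are the ones quoted in the
thread plus one bcrypt-class rate that is an assumption, not a measurement.
"""
import math
import secrets

# Guesses per second.  1e3 is the online rate xkcd #936 assumes; 5e11 is
# the GPU-cluster figure TacticalCoder quotes for a fast unsalted hash;
# 1e4 is an assumed rate for a slow password hash such as bcrypt.
GUESS_RATES = {
    "online, 1e3/s (xkcd assumption)": 1e3,
    "GPU cluster, fast hash, 5e11/s (thread)": 5e11,
    "slow hash (bcrypt-class), 1e4/s (assumption)": 1e4,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(list_size, word_count):
    """Entropy of word_count words drawn uniformly, with replacement.

    Only holds when a CSPRNG picks the words.  'iloveyousomuch' is four
    common words, but a human chose them and they form a sentence, so
    the real search space is far smaller than 4 * log2(list_size)."""
    return word_count * math.log2(list_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst case: every candidate tried once."""
    return 2.0 ** bits / guesses_per_second


def words_needed(target_bits, list_size):
    """Fewest words from a list of this size to reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def crack_time_table(list_size, word_count):
    """{rate label: years to exhaust} for one passphrase scheme."""
    bits = passphrase_bits(list_size, word_count)
    return {label: seconds_to_exhaust(bits, rate) / SECONDS_PER_YEAR
            for label, rate in GUESS_RATES.items()}


# Constructed stub list; swap in a diceware-style list (7776 words) for real use.
WORDS = ["correct", "horse", "battery", "staple", "die", "house", "paper",
         "keyboard", "running", "topre", "buckling", "spring"]


def generate_passphrase(wordlist, word_count):
    """The 'dadaist' method done properly: let secrets.choice pick, never a human."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    for list_size, word_count in ((2048, 4), (10000, 4), (7776, 6)):
        print("%d words from %d-word list: %.1f bits" %
              (word_count, list_size, passphrase_bits(list_size, word_count)))
        for label, years in crack_time_table(list_size, word_count).items():
            print("   %-45s %12.4f years" % (label, years))
    print("words for 80 bits: 2048-list=%d, 10000-list=%d" %
          (words_needed(80, 2048), words_needed(80, 10000)))
    print("sample (from stub list):", generate_passphrase(WORDS, 5))
```

The numbers reproduce both sides of the argument: four words from a 2048-word list are 44 bits, which is about 557 years at xkcd's 1000 guesses per second but about 35 seconds at the 5e11/s TacticalCoder cites for a leaked fast hash; four words from 10,000 are 53 bits, roughly 5.5 hours at that rate. A bigger vocabulary adds only log2(10000/2048), about 2.3 bits per word, so the lever that matters is the word count and the hash cost: reaching 80 bits takes 8 words from the 2048 list or 7 from the 10,000 list, and a bcrypt-class hash moves the same 44 bits from seconds to decades.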

Offline iLLucionist

  • * Elevated Elder
  • Posts: 2735
  • Location: Netherlands
  • Topre is Love.
Re: How do you securely manage server privileged passwords?
« Reply #19 on: Sun, 22 October 2017, 16:35:12 »
Quote from: bmmcwhirt
You didn't say how you were accessing them.

I manage several BSD servers and many VSphere VMs.

Best practice is to use three-factor authentication with a single central authentication server. If your organization isn't large enough for that to be financially practical, the next best practice is to use keys, not passwords. I mostly use SSH, so it has that built in. There are plenty of tutorials on this and a Google search will get you what you need.

If you are in a Windows environment then a central authentication server is really mandatory. Then you need to implement password procedures such as changing passwords weekly and access control lists. As long as things are set up properly you don't need to pass out administrator passwords on the machines to everyone. Unfortunately, Windows is by far the most expensive and tedious.

With OS X and Apple workstations and servers it's far easier. They have a nice simple GUI that lets you configure Kerberos access to any machine or server as long as each machine and server is a Mac or supports Kerberos. Most *nix OSes can be set up with Kerberos. I do not know how to set up three-factor authentication on OS X Server or if it is even possible.

I don't know if any of this helps, if not provide some additional details and we can go from there.

I am facing the same dilemma. For EVERY dev project in Django, it is advised to store your (encrypted) password in a bashrc env variable and then reference it in config.

But... doesn't this expose everything? Is there a better way?
MJT2 Browns o-rings - HHKB White - ES-87 Smoke White Clears - 87UB 55g