in order for us to store passwords(admin password of VMs, Databases, ... ) and to be able to share it in a team, we use Onenote and it's password protected but we need something that is easier to use and more resilient. I would appreciate if someone could help me finding a good solution.
we also use azure platform in case it affects finding the best solution.
Related
Will CKAN be the best solution for a portal like asiapacificenergy.org?
If yes, can you provide an estimate of how much effort, time and developers would be required?
Any tips or best practices you can share for an inexperienced team? Any pitfalls to avoid?
Thank you very much.
Any help would be highly appreciated!
Kind of hard to say. Depends exactly what you want to do exactly.
From ckan.org:
CKAN, the world’s leading Open Source data portal platform CKAN is a powerful data management system that makes data accessible – by providing tools to streamline publishing, sharing, finding and using data.
CKAN is like wordpress but instead of blog posts its datasets. It helps manage and inventory datasets for an organization. It has other cool and powerful features too but that site you mentioned reminds me of ArcGIS kind of. There is also Socrata or many other vendor offerings. I prefer CKAN though.
There is a demo site (demo.ckan.org) you can play with, add and remove stuff from, etc to get a feel for it.
They have decent documentation as well that you can follow https://docs.ckan.org/en/2.8/user-guide.html . You could setup a local version to get a feel for how hard or easy it is. https://docs.ckan.org/en/2.8/maintaining/installing/install-from-source.html
I'd say you need someone with python and server experience to get you setup and then basic usage and administration can be delegated. But it can be learnt.
Gov.uk uses ckan for their data catalogue and have some helpful docs available as well. https://docs.publishing.service.gov.uk/manual/data-gov-uk-supporting-ckan.html
I searched a lot about what is the best way to secure your program and I found many results and there were two good ways.
The first one is to hash the mac address of the computer and link it with an activation code but it's still vulnerable.
And the second one is to use a usb device but I didn't find any detail so can anybody tell me in details what is the best way and how to implement it please.
First of all, you need to consider that it doesn't matter what you do, someone will be able to crack it, and because of this is that you need to consider a balance between the security of your application and how hard you will make it for legitimate users (since you don't want to punish a user who already paid for your product, just because you want to protect your applications from the guys who don't want to pay).
Having this in mind, you could go with digital signatures using asymmetric encryption, where you'll sign your license "activation" with your private key, and then your application will use its public key to verify that the received license was submitted by you. You should also take a look at this discussion (I recommend you to focus on the 2nd answer, not the selected one) and this one.
But again, your objective should be to just make things hard for bad guys, but without punishing your legitimate users, because for an attacker, it could be as easy as de-compiling your program and removing your logic to validate the license (unless you're creating an "always online" application, but usually users don't like that, and I'm saying this as a user).
I'm an independent contractor / sole proprietor who manages half-a-dozen servers and numerous services.
I've started using key-based authentication more and more often instead of passwords, but now it's becoming a challenge to keep the keys both: a) secure and b) remotely accessible to myself.
I could make them accessible by putting them in a cloud-based service like Dropbox, but that wouldn't keep them secure. I could put them within a password-protected file in Dropbox, but that seems counter-intuitive to the point of using keys. Although, it would provide the benefit of having fewer passwords to deal with overall, so maybe that is the best way to do it.
I know that there are numerous solutions for businesses, but as business of one, I need a solution that is affordable and has low overhead.
Any insight or recommendations would be appreciated.
Plenty of commercial options like LastPass. However, if you want to do the DIY thing make sure to add pass-phrases to your private keys so they are unusable without entering the secret. In place of Drop Box you might consider SpiderOak as it features end to end encryption, what is stored on the cloud is encrypted and your the only party with the key phrase.
Is it considered good practice to store passwords in a Github private repository?
[Related to, but very different from, this question]
I'd like to break this question into two parts:
Is it a good practice to store passwords in source control? No. Credentials are not versioned in the same way. For example, you should be able to change your password without releasing a new build of your software.
Is it a good practice to store passwords in the cloud? That's really up to your tolerance for security and reliability. In this case, you're outsourcing both to GitHub. If GitHub loses your data, do you have a backup elsewhere? If GitHub gets hacked (e.g. your private repo briefly becomes public) or if they don't securely destroy old drives, what's the impact if an unauthorized person has your credentials?
Also, when you store credentials, encrypt them and store the key elsewhere.
It's certainly not 'good practice'.
Whether it's tolerable depends on your security requirements. For SCI clearance type work that ** won't fly.
For a private fun project its probably ok. But putting sensitive passwords anywhere on the cloud is probably not a good idea.
Projects that are serious about security usually don't keep plaintext passwords in their security files.
I don't believe it's ever a good practice to store passwords anywhere else than where absolutely necessary. GitHub doesn't strike me as meeting such conditions.
I am looking for advice on where to store encryption keys and other sensitive application data. Is a certificate on a USB stick really the way to go here? What can you do to keep your secret keys safe?
Keep them on a smart card, or use the Trusted Platform Module (TPM) that is present in many machines sold these days.
A keystore (see: getKey()) is often a place where a secret, like a privet key is kept. In order to access this key store a password. These are created using a symmetric cipher.
If it's a secret and you have to store it somewhere, then at some point it can't really be considered a secret anymore because one way or another somebody will be able to find it, etc. Security is always best considered on a case by case basis, what is acceptable for one solution is not for another and therefore there is not any "fits all" answer. However, where possible (or always) make sure you use a tried and tested method rather than roling your own. Hopefully that does help, but is such a wide open question.