Manage Client Usernames & Passwords - security

What do you guys use to manage all your clients' login credentials? For each client I have 4-5 sets of usernames and passwords saved in an encrypted excel spreadsheet. I hate doing it this way.
I'm looking for some kind of software or service that can:
Save my client contact info, notes, etc
Securely store the various credentials.

You didn't really specify what the login credentials were used for but I'd recommend you take a look at implementing a SQL database (MySQL, PostgresSQL, etc) for this. You can encrypt the passwords via a hashing algorithm (usually SHA-1 or MD5). You can also add everything else (client contact info, notes, etc) in the database.

What about http://www.mypasswords7.com/ ?
I have tried it and use it for 3 years.

Related

How to allow administrators to store encrypted data for users, but not developers or others, of an application?

I have a set of encrypted financial data for investors and need to store it in a database. The investors must be able to see the data when logged in to the app but the developers and everyone else mustn ot be able to see it.
Additionally the investors are not tech savvy and can not be given a key to use apart from a username and password.
What technologies/encryption approaches can I take with the app so that the financial data can be kept secret from me and other developers by the company, I'm assuming they encrypt it before uploading it for example, but allow the valid users to access it.
Is there a way to do this without putting a technical burden on the investors so that they don't have to have anything more than a username and password whilst also not storing their "keys" in the database so that a developer could technically decrypt it.

Store passwords securely in SQL Server for use with dynamic datasources - SSIS

We make heavy use of dynamic datasources. We retrieve server name and database names from a table in a SQL Server database. A package loops through the server names and database names and executes once for every server, for every database.
These values are then put into the ServerName and InitalCatalog fields of the dynamic connection. User and password are pre-defined (and therefore the same for every connection). I would like to fill the user + password from a table too but then I have to store the passwords as clear text in that table.
Is there a way to store the password encrypted in that table and decrypt it when I need to use it? Any person having access to the SSIS package is allowed to know the passwords but they should not be easily read from the table containing the connection strings.
All suggestions to handle this (f.e. using different approaches) are very much appreciated !
The preferred solution is to keep using integrated security.
Normally the job will try execute the step under the account of the SQL Agent, that is not what you want.
Proxy account is a replacement for the credentials for the SQL Agent account (msdn.microsoft.com/en-us/library/ms175834.aspx), also not helpfull in this case.
I remember that on Windows 2000 we used a trick by creating same local accounts with identical username and passwords on all servers to overcome the SSO limitation, it will probably work in your situation.
Yes, you can encrypt/decrypt a column. See Microsoft's walkthrough here:
https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encrypt-a-column-of-data?view=sql-server-2017
Best practice is to then create a view that decrypts the column and then grant user-level (i.e., SELECT, ALTER, INSERT, UPDATE, etc.) access to the view only because the view must have the symmetric key to decrypt the data. Exposing the key can be a security vulnerability, so you want that locked down as much as possible. A view with limited user access is the best place to allow a key to be exposed (if there is ever a good place to expose a key, which there is not).
But, Ako is correct. Use integrated security.

Company-wide password scheme for different customers

Consider a company that delivers a network of computers as part of its deliveries. And it does this for hundreds of different customers. All of the PCs need to have secure passwords. This at least means:
The password should conform to the basic password rules (capitalization, numbers, special characters, etc.)
The same password shouldn't be used for different customers.
The password shouldn't be easily guessable.
If possible, the same password shouldn't be used for different PCs in the network (but it may be acceptable to do so).
Since there is also a need to maintain these systems as part of the delivery, the operators need to be able to retrieve a password for a specific system easily without causing any security problems (like forwarding passwords in emails, etc.).
Here are my questions regarding such a setup:
Is it advisable to create a password scheme such that the operators can "calculate" the password without having to look up? [Problem is, once the scheme is disclosed, all systems will have a security problem.]
How should the passwords be stored/retrieved for good security? [Is there a program that can be used to access a secure database with a web interface?]
I found WebKeePass during my investigation (which looks promising). One other option was to print the passwords and keep them in a locked filing cabinet in a disused lavatory in a basement with a sign on the door saying 'Beware of the Leopard'? but I believe that wouldn't be convenient for the operator. I wonder what are the other options would be...
Update: The "web" interface doesn't have to be open to public access (i.e., it can be accessible only within a VPN).
Since the users aren't able to choose their password, the passwords should be generated randomly. If the passwords are generated using some algorithm, as you stated, once the algorithm is cracked, all of the passwords can be cracked.
If you must store retrievable passwords, you should still encrypt and salt them. See adobe's recent issue where 150 million of adobe's encrypted passwords were leaked. The problem with unsalted passwords is that even if I can't crack the encryption, I can still see everybody who has the same password as me.
Admin Retrieval
For admin-only retrieval of passwords, you could use a password vault system, where one password entered by a staff member unlocks access to additional stored passwords. Ideally, you should have a system where you can select and display a single password on the screen. It should encrypt the passwords, log accesses, and be controlled by an administrator.
This could be a web-based system, but hosted internally on an intranet, perhaps accessed through a VPN. RDP or something similar may also be viable, perhaps even using two-factor authentication.
Unfortunately, we don't recommend products on StackOverflow.
End User Retrieval
We've designed a system in the past where you can recover a password via a HTTPS secured web site. You simply enter your username, and a random one-time-use retrieval code is delivered to the email address on record.
While we're not in control of the security level on their email account, we at least assume that only the user knows the password to access the email account. This forces the user to re-authenticate in some form in order to retrieve their password.
They then type the retrieval code into a web form and are shown their password. Again, this web site is secured with HTTPS. Additionally, the user must keep the web page open during the transaction (secure session), and the IP address must not change during the transaction.

What hash algorithm is being used by #Password formula?

Does anyone know what hash algorithm is being used by #Password formula? My client keeps user accounts in standalone LDAP server. They need to sync passwords from LDAP to Domino internet password in person documents. We are trying to find a way how to accomplish this having only hashed version of password in LDAP. If Domino #Password would use some known hash algorythm like MD5, SHA etc. we can store password in LDAP this way and simply replace it in person documents.
Any idea here?
The following link is the public details on the Encryption methods in Domino.
http://publib.boulder.ibm.com/infocenter/domhelp/v8r0/topic/com.ibm.help.domino.admin.doc/DOC/H_NOTES_AND_DOMINO_ENCRYPTION_2250_OVER.html
Depending on how you have your server set up, using #Password may not work. The administrator can set "Use more secure Internet passwords" option.
This generates a personalised salt for each user in the $SecurePassword field of the person document (the field is protected as well). To correctly hash the password in this instance you need to use #Hashpassword. If the administrator knows what they are doing then the related password fields will be locked down by the xACL to prevent external access (for security reasons).
It is a little unclear what you are trying to achieve though. You can use Directory Assistance in Domino to authenticate against a third party LDAP.

How do you support a web app with hashed or encrypted passwords?

When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here:
Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in the middle. There is no way to retrieve the user's password. Unless the user provides it (not encouraged), there is no way to log in as that user.
Many web app's have personalization and complex authorization. Different users have different roles (admin, manager, user) with different permissions. Sometimes users can only see their data -- their customers or tasks. Some users have read-only access, while others can edit. So, each user's view of the web app is unique.
Assume that in an enterprise environment, it isn't feasible to go to the user's desk, or to connect directly to their machine.
How do you handle this situation?
Edit: I want to reiterate that in a large financial institution or typical Fortune 500 company with hundreds of thousands of employees all of the country, and around the world, it is not possible for a mere developer in some IT unit to be able to directly access a user's machine. Some of those are public-facing web apps used by customers (such as online banking and stock trading). And, many of those are intranet applications rely on Active Directory or an SSO, meaning that user credentials are the same for many applications. I do thank you all for your suggestions; some may be highly useful in other kinds of environments.
A number of these ideas inconvenience the user, either by forcing them to change their password, or by occupying their desktop for your debugging session.
Markc's idea is the best: augment your authentication logic to allow superusers to log in as a particular user by supplying not the user's credentials, but the user's name plus their superuser credentials.
I've done it like this in the past (pseudo-ish python):
if is_user_authenticated(username, userpassword):
login the user
else if ':' in userpassword:
supername, superpassword = userpassword.split(':')
if is_superuser_authenticated(supername, superpassword):
login the user
In other words, if the username and password don't authenticate, if the password has a colon, then it's actually the admin username and admin password joined by a colon, so login as the username if they are the right admin username and password.
This means you can login as the user without knowing their secrets, and without inconveniencing them.
For our web applications we use a process that for lack of a better term is defined as 'hijacking' a user's account.
Basically, administrators can 'hijack' a user's account with a simple button click. In the code, you simply use a unique identifier (user id works in a less secure environment) that then establishes the necessary credentials in the session so that they can then work within that user's profile. For a more secure environment you could use a unique hash for each user.
In order to ensure that this hijack method is secure, it always first verifies that the request is being made by an authenticated administrator with the appropriate rights. Because of this it becomes necessary for either the administrator's session to be hijacked or for their authentication credentials to be captured in order for someone to ever exploit the hijack function within the application.
I had 4 ideas. While I was typing 3 of them were already suggested (so I upvoted them)
Variant on idea 3 - impersonation:
To make this as "identical as possible" to a normal login with minimal code changes, you might add the ability to impersonate directly at login by supplying Admin credentials plus an alternate username, e.g. login as Admin:user, adminpassword. The system would treat this exactly as logging in as user with userpassword.
Idea 4: Can you access the password store? If so, temporarily replace the user's hash with the hash of a known password. (the passwords are often stored online in a database. A SQL Query tool can do the swaps )
An administrator should be able to change a user's password. Change the password for the user to something you know. You can then log in as that user.
Tell the user to reset his/her password after you are done debugging.
Usually by some sort of remote control software that can be used to view their desktop. If they're on a Windows terminal server, then the built in admin tools can be used for that. Otherwise I'd use something like VNC across an internal network, or an external service like LogMeIn (http://www.logmein.com/).
Could you have a testing environment where there is a regular cut of live data copied to (obviously sanitised to meet any security or data protection issues). A user similar in setup to the one having trouble could be used to troubleshoot or indeed the very user if this is allowed.
Use a remote desktop client as mentioned in other answers, but again this may not be practical for you. If you have these rights within the domain, I have heard of error handling even doing a screenscrape and including this in logs! but this sounds a little odd to me.
Could you have an admin tool to clone a user into a demo account?
The solution we have used in our web apps is to have the authN/authZ return the desired user as the effective user. We do this by having an admin feature to setup a masquerade, and then when we ask for the currently logged in user (current_user), we handle the masquerade:
def current_user_with_effective_user
if masked?
current_user_without_effective_user.masquerade_as
else
current_user_without_effective_user
end
end
alias_method_chain, :current_user, :effective_user

Resources