.png){kind=link}
 - Vertical.png){kind=link}
.png){kind=link}
 - Vertical.png){kind=link}
.svg){kind=link}
.png){kind=link}
Password Management Strategy
Company
- Establish a single source of contact
- Make employees responsible
- Change passwords when an employee leaves
-
Have audit trials (?). Use something like Azure AD
-
CIA Triad - Confidentiality, Integrity, Accessibility
- Stay accountable - have a different password for each user
- Only trusted DBAs should have the main password
- Have enterprise profiles that give permission to login to server
- All passwords can be modified by a master account/multiple ones.
- Idea: Shamir Secret Sharing
- Don't use MD5/SHA. Use adaptive hashing like bcrypt.
- Do: Password rotate after check-in/check-out e.g. Buttercup
- KISS: https://xkcd.com/936/
- IANA has key signing ceremonies
-
Password managers can do other things to add to your security. (Expand)
Share and manage your passwords between all your devices, including mobile devices.
Share and manage passwords and credentials with co-workers.
Store more than just passwords securely.
GPG and SSH keys and passphrases
One-time password generators
Recovery keys
Security questions
API keys
Notes
Credit cards (arguably better than saving them on web sites)
Bank accounts
Memberships
Software licenses
Inform you of insecure passwords
Reused passwords
Password breaches
Generate secure passwords
Auto-fill passwords (avoids being shoulder surfed)
Auto-record new accounts
Protection against ransomware (if it stores your vault elsewhere)
Users
- Store passwords hashed and salted
-
I guess - give option for full security vs managed security; or have verification systems.
-
NIST Guidelines https://www.n-able.com/blog/password-management
- Favour the user
- Longer, the better
- Forget composition
- No more expiration without reason - like phishing
- SMS should not be used for 2FA