Passwords: Writing them down

I noticed over on Andy the ITGuy’s blog a post about writing down passwords. I agree completely that passwords should be recorded in a work environment. They are the property of the company as much as any piece of hardware or software. How you write them down and handle them is very important though.

Here is what we do. We keep all our sensitive passwords in an Excel spreadsheet in our IT area on our file server. The folder is locked down tightly with group permissions to just the IT group. Next, we turned on file and object auditing on the passwords subfolder in that area, and Snare for Windows sends all the object audit events to my Kiwi Syslog box. The file itself is encrypted with PGP, using the keys of the local IT staff plus the key of a backup person in our corporate office. Finally, Kiwi Syslog sends its events to a MySQL database so I can run reports whenever I wish. This way I can tell exactly who goes into the folder and decrypts the file at any time. Staff delete the decrypted copy as soon as they have looked up the password they need.
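As an added example (not the author's setup), here is a small Python report over constructed audit lines that answers the questions the pipeline above is built for: who read the encrypted file, whether anyone outside the expected accounts read it, and whether anyone left a decrypted copy behind. The pipe-delimited layout, the server path, the account names and the group membership are all assumptions for this example, not real Snare or Kiwi Syslog output.

```python
from collections import Counter

# Constructed sample audit lines (an assumed layout, not real Snare output):
# timestamp | Windows event id | account | object path | access requested
# 4663 is the object-access event; 4624 is a logon and is ignored here.
SAMPLE_LOG = r"""
2008-03-10 09:02:11|4663|CORP\jsmith|\\fs01\IT\passwords\passwords.xls.pgp|ReadData
2008-03-10 09:02:15|4663|CORP\jsmith|\\fs01\IT\passwords\passwords.xls|ReadData
2008-03-10 09:04:40|4663|CORP\jsmith|\\fs01\IT\passwords\passwords.xls|DELETE
2008-03-10 11:30:02|4663|CORP\mlee|\\fs01\IT\passwords\passwords.xls.pgp|ReadData
2008-03-10 11:30:09|4663|CORP\mlee|\\fs01\IT\passwords\passwords.xls|ReadData
2008-03-10 23:17:55|4663|CORP\svc_backup|\\fs01\IT\passwords\passwords.xls.pgp|ReadData
2008-03-10 23:18:01|4663|CORP\tempadmin|\\fs01\IT\passwords\passwords.xls.pgp|ReadData
2008-03-11 08:00:00|4624|CORP\jsmith|-|-
"""

IT_GROUP = {r"CORP\jsmith", r"CORP\mlee"}        # assumed IT group membership
BACKUP_ACCOUNTS = {r"CORP\svc_backup"}           # expected nightly backup reader
PASSWORD_DIR = r"\\fs01\IT\passwords"            # assumed audited subfolder


def parse_log(text):
    """Return object-access (4663) events that touch the passwords folder."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, obj, access = line.split("|")
        if event_id == "4663" and obj.startswith(PASSWORD_DIR):
            events.append({"ts": ts, "account": account, "object": obj, "access": access})
    return events


def access_report(events):
    """Count reads of the encrypted file per account; list unexpected readers."""
    reads = Counter(e["account"] for e in events
                    if e["object"].endswith(".pgp") and e["access"] == "ReadData")
    unexpected = sorted(a for a in reads if a not in IT_GROUP | BACKUP_ACCOUNTS)
    return reads, unexpected


def leftover_plaintext(events):
    """Accounts that touched a decrypted (.xls) copy but never deleted it."""
    touched, deleted = set(), set()
    for e in events:
        if e["object"].endswith(".pgp"):
            continue  # encrypted file, not a plaintext copy
        (deleted if e["access"] == "DELETE" else touched).add(e["account"])
    return sorted(touched - deleted)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(access_report(evs))
    print("plaintext left behind by:", leftover_plaintext(evs))
```

Against a real Kiwi Syslog to MySQL setup the same three checks become SQL over the stored event columns; the parsing here only stands in for that table.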

You cannot rely on domain permission lockdown alone. What happens if someone gets elevated privileges without authorization? That is why we use PGP: only people whose keys were used to encrypt the file can get into it, even if they reach it.

Another advantage of using Excel: if you rotate passwords, you just make a new tab, copy the current tab into it, and name the tabs appropriately. Over time you will have an entire history of all your previous passwords. This is important in larger environments where you may not have changed passwords on all equipment like you thought. You can look up older passwords to try without locking yourself out just because no one is around who remembers passwords from months or years ago.

Lastly, print a copy. Whenever we change any passwords we print a new copy of the entire Excel workbook. Proper headers and footers are set so we can tell which pages hold older passwords. Next we seal that in an envelope, signing and dating across the seal. Finally we drop it in a fire-resistant safe.

Between these methods you have easy access to password lists, a secured electronic copy that gets backed up with all other server-based data, and lastly a hard copy in case the backups or the server are unavailable.

All this can still work in a smaller environment; the backup key used to encrypt the file is just more likely to belong to a company officer than to a second IT person.