Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Sorry if this is not a Perl-specific question, but this kind of topic has been discussed here in the past so I thought I'd post it.

Our IT dept handles the creation and distribution of passwords to internal users. Most users need access to multiple services (FTP etc) on multiple servers, and every user needs access to a different set of machines. Right now there are a few hundred login-to-user pairs. This is an ASP, so many of these logins involve access to production-level machines for deployment, verification, etc.

My initial idea involves a page on the company intranet that displays the list of logins available to each person (authenticated by their NT account). IT admins would be able to manage access from this page as well. The actual passwords would be encrypted and stored in a database.

My question is: Is it enough to use SSL, NT authentication, and encrypted data, or am I missing something here? Has anyone else faced this problem and how did you solve it?

Also, what CPAN modules would you recommend for the encryption? I'm running ActiveState (5.6.1) with Apache on NT, though we may be switching to IIS.

Thanks in advance for your help,
A Monk

Re: Managing Passwords (OT)
by John M. Dlugosz (Monsignor) on Feb 18, 2003 at 22:42 UTC
    "...is it enough...?" Well, you can't answer that until you decide what the security issues are. What do you want to protect against? What are you not worried about (or not your responsibility)?
Re: Managing Passwords (OT)
by Abigail-II (Bishop) on Feb 19, 2003 at 00:00 UTC
    It's not clear to me what kind of question you are actually asking. Are you suggesting that you want to make a website that gives people access to all their passwords? Why? If you can live with the fact that you just need one password to access all your accounts (assuming that webpage needs a password), why not make all the passwords of a person the same to start with?

    Abigail

      Sorry if I did not state the problem more clearly.

      There are two requirements:

      1) Create a place for IT to store all of the passwords issued, and determine which users have access
      2) Find a way to distribute passwords to users and make them available when they forget them

      These passwords are not for internal NT accounts, but for the administration of the servers and services for our web-hosted application.

      The biggest problem is that most of these logins are shared among different sets of users. There are admin logins for services like JRun, Weblogic, databases, our integration engine, etc. There are logins to third-party web-based tools for monitoring and such. Also logins for remote share access, VNC, Timbuktu, etc.

      The web page I plan to build would be hosted on the company intranet, using SSL with Apache. Access to the intranet is password protected per user. My main concern with this is users who leave their machines unlocked while unattended. I have a way to minimize the risk of shoulder surfing.

      I'm relatively new to the IT side of things (coming from the web side), so I figured I had better post here and see if anyone can point out any gotchas I need to look out for. Or if someone has a better solution to the same problem. Or flat out say my idea sucks. :)

      I hope that's a bit clearer. Thanks for your help,
      A Monk
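
A sketch of the storage side of the design described above, added here as an example and not code from anyone in the thread: the login table holds only ciphertext, the master key lives outside the database, each login is authorized against the admin-maintained access list, and every reveal is logged. It assumes Crypt::CBC with Crypt::Rijndael installed, a key supplied in a PWSTORE_KEY environment variable, and plain hashes standing in for the two database tables.

```perl
use strict;
use warnings;
use Crypt::CBC;                                   # CPAN; Rijndael (AES) needs Crypt::Rijndael
use MIME::Base64 qw(encode_base64 decode_base64);

# Assumption: the master key comes from the web server's environment, never
# from the database, so a copy of the table alone reveals nothing.
my $master_key = $ENV{PWSTORE_KEY} or die "PWSTORE_KEY not set\n";

# Name the cipher explicitly: Crypt::CBC's default is single DES.
my $cipher = Crypt::CBC->new(-key => $master_key, -cipher => 'Rijndael');

# Stand-ins for the two tables: one row per login, and the login-to-user
# access list that the IT admins maintain from the management page.
my %vault;                                          # login => base64(ciphertext)
my %acl = (
    'jrun-admin@prod1'     => { alice => 1, bob => 1 },   # constructed sample data
    'weblogic-admin@prod2' => { bob   => 1 },
);

sub store_password {
    my ($login, $plaintext) = @_;
    # Crypt::CBC salts each encryption, so equal passwords give different rows.
    $vault{$login} = encode_base64($cipher->encrypt($plaintext), '');
}

sub reveal_password {
    my ($user, $login) = @_;
    # Being logged in to the intranet is necessary, not sufficient: each login
    # is authorized on its own against the access list.
    if (!exists $vault{$login} || !$acl{$login}{$user}) {
        audit($user, $login, 'DENIED');
        return;
    }
    audit($user, $login, 'REVEALED');
    return $cipher->decrypt(decode_base64($vault{$login}));
}

sub audit {
    my ($user, $login, $result) = @_;
    # The reveal log is what tells you which credentials to rotate when a user
    # leaves or a workstation is found unlocked.
    printf STDERR "%s user=%s login=%s %s\n", scalar localtime, $user, $login, $result;
}

store_password('jrun-admin@prod1', 'constructed-sample-secret');
for my $user (qw(bob carol)) {
    my $p = reveal_password($user, 'jrun-admin@prod1');
    print defined $p ? "$user: $p\n" : "$user: access denied\n";
}
```

In a real deployment the ACL check would use the user name taken from the NT authentication, never a name supplied in the request, and the audit line would go to a log the page's own users cannot edit.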