Password Management at the Application Server

External Module Password Management at the Application Server

  • Do not hardcode secrets (passwords, private keys, API tokens, etc.) in source code.
  • Keep secrets in a separate, centralized configuration file that can be referenced by the different application modules.  The configuration file must have restrictive access permissions (readable only by the account the application runs as).  It must not be added to version control.  It must not be located under the web application's document root or in any other downloadable path.
  • Keep the configuration file contents encrypted using a separate application password.  The application decrypts the file on the fly to retrieve the secret information and leaves the file encrypted on disk after use.  Note that this moves the problem rather than removing it: the application password must itself be supplied from somewhere an attacker cannot read (for example the service account's environment or an OS-protected key store), never from source code.
  • If the configuration file contents cannot be encrypted, at least store them in an encoded format (Base16, Base32, Base64, etc.) so that they cannot be memorized at a glance.  Encoding is not encryption: anyone who can read the file can decode it, so this protects only against shoulder surfing, not against file access.
  • Access to the configuration file should also be logged by the operating system (file-access auditing) and forwarded to a central log server.
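The procedure above (a separate configuration file, owner-only permissions, contents encrypted under an application password, decrypted on the fly and left encrypted on disk) as an added example in Go; this is not code from the page or from the referenced CERN guidance. It derives an AES-256 key from the application password with PBKDF2-HMAC-SHA256 (written out so only the standard library is needed), seals the file with AES-GCM so a wrong password or a tampered file is detected, and refuses to load a file whose permission bits allow group or world access. The environment variable name APP_CONFIG_PASSWORD, the sample configuration line and the file name are assumptions for the demonstration; the OS-level access logging from the last bullet is left to the platform's file auditing and is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"os"
)

const (
	saltLen  = 16      // random per-file salt for the key derivation
	nonceLen = 12      // standard 96-bit AES-GCM nonce
	kdfIters = 100_000 // PBKDF2 iterations; raise as hardware allows
	fileMode = 0o600   // owner read/write only
)

// deriveKey is PBKDF2-HMAC-SHA256 (RFC 8018) for one 32-byte block, written
// out here so the example needs only the standard library.
func deriveKey(appPassword, salt []byte) []byte {
	mac := hmac.New(sha256.New, appPassword)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < kdfIters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key // 32 bytes, i.e. AES-256
}

func newGCM(appPassword, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(appPassword, salt))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the plaintext configuration and returns salt || nonce || ciphertext+tag.
func Seal(appPassword, plaintext []byte) ([]byte, error) {
	header := make([]byte, saltLen+nonceLen) // fresh random salt and nonce
	if _, err := rand.Read(header); err != nil {
		return nil, err
	}
	gcm, err := newGCM(appPassword, header[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(header, header[saltLen:], plaintext, nil), nil
}

// Open reverses Seal; a wrong password or any modification fails the GCM tag check.
func Open(appPassword, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen+16 {
		return nil, fmt.Errorf("encrypted config too short (%d bytes)", len(blob))
	}
	gcm, err := newGCM(appPassword, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

// LoadSecret refuses a config file readable by group or others (the permission
// requirement is easy to lose during deployment), then decrypts on the fly: the
// plaintext exists only in memory and the file on disk stays encrypted.
func LoadSecret(path string, appPassword []byte) ([]byte, error) {
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%s has mode %04o, expected %04o", path, perm, fileMode)
	}
	blob, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	return Open(appPassword, blob)
}

func main() {
	appPassword := []byte(os.Getenv("APP_CONFIG_PASSWORD")) // assumed variable name; never hardcoded
	path := os.TempDir() + "/app.conf.enc"
	blob, err := Seal(appPassword, []byte("db_password=example-only\n")) // constructed sample config
	if err != nil {
		panic(err)
	}
	if err = os.WriteFile(path, blob, fileMode); err != nil { // only ciphertext touches disk
		panic(err)
	}
	secret, err := LoadSecret(path, appPassword)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted %d bytes of configuration\n", len(secret))
}
```

The permission check looks at mode bits only, so it also fires for a file that was deployed as 0644 even when the process happens to be its owner; on Windows the POSIX mode bits are not meaningful and the check should be replaced by an ACL inspection. In production the empty-password case (variable unset) should be rejected before Seal or LoadSecret is ever called.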

References:

https://security.web.cern.ch/security/recommendations/en/password_alternatives.shtml

http://security.stackexchange.com/questions/15040/standards-for-encrypting-passwords-in-configuration-files

https://ostermiller.org/calc/encode.html

Personal Password Management

Difficulty in Managing Passwords

In today’s digital world, users need to authenticate to a vast number of applications, sites and services.  This creates a problem: people find it difficult to come up with a strong password that is also easy to remember for each site they log in to.

Best Practices for Personal Password Management

1) Use GRC’s Brute Force Password Search Space calculator (the “Password Haystacks” page) to derive a password which is both strong and, at the same time, easy to remember.

Research on leaked password lists has shown that the most widely used passwords are trivial ones such as 123456, password, qwerty and baseball.  Make sure that your password is not widely used or easily guessable: a password that appears on such a list is found immediately, whatever its length or character mix, because attackers try those lists before any brute force.

2) For maximum password strength, use GRC’s Perfect Passwords generator to derive a random, maximum-entropy password that is infeasible to crack by brute force.  Such passwords must be managed through a password manager application (described below), as they cannot be remembered by human beings.

3) Use password manager applications such as KeePass and LastPass to manage your passwords.  They store your passwords in an encrypted container whose encryption key is derived from your master password for the password manager.  Make sure that the master password is as strong and memorable as possible: it is the single secret that protects every other one.

Never use the same or a similar password for two different sites.  Otherwise, if one site is compromised, the user’s credentials for all other sites are compromised too, since attackers replay leaked credentials against other services (credential stuffing).

Never write down your passwords, store them as plaintext, or keep them in password-protected Excel sheets or documents.  Excel worksheet and workbook protection does not encrypt the file contents at all and can be removed trivially, and the open-password on legacy .xls files is easily broken (see the reference below).
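The search-space calculation behind items 1 and 2 above, together with the common-password check from the note under item 1, as an added example in Go; it is not code from this page, from GRC or from any password manager. It implements GRC’s haystack formula (alphabet sizes 26 lowercase, 26 uppercase, 10 digits, 33 symbols; search space = the sum of S^k over lengths 1..n) and GRC’s three reference guess rates (one thousand per second online, one hundred billion per second offline, one hundred trillion per second for a massive cracking array). The commonPasswords list is a constructed stand-in for a real breach wordlist, and the candidates in main are constructed inputs.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
	"strings"
)

// commonPasswords is a constructed stand-in for a leaked-password list; a real
// check would load a large breach wordlist.
var commonPasswords = map[string]bool{
	"123456": true, "password": true, "qwerty": true, "baseball": true,
	"12345678": true, "letmein": true, "football": true, "abc123": true,
}

// IsCommon reports whether pw appears on the list (matched case-insensitively).
func IsCommon(pw string) bool {
	return commonPasswords[strings.ToLower(pw)]
}

// CharsetSize is the size of the smallest alphabet an attacker must search to
// cover every character class present in pw (0 for an empty password), using
// GRC's sizes: 26 lower, 26 upper, 10 digits, 33 printable ASCII symbols.
func CharsetSize(pw string) int {
	sizes := [4]int{26, 26, 10, 33} // lower, upper, digit, symbol
	var present [4]bool
	for _, r := range pw {
		switch {
		case r >= 'a' && r <= 'z':
			present[0] = true
		case r >= 'A' && r <= 'Z':
			present[1] = true
		case r >= '0' && r <= '9':
			present[2] = true
		default: // anything else is counted as a symbol
			present[3] = true
		}
	}
	size := 0
	for i, p := range present {
		if p {
			size += sizes[i]
		}
	}
	return size
}

// SearchSpace is the haystack size: every string of length 1..n over the
// alphabet, sum_{k=1}^{n} S^k, since an exhaustive attacker tries the shorter
// candidates first.
func SearchSpace(pw string) *big.Int {
	s := big.NewInt(int64(CharsetSize(pw)))
	total, power := new(big.Int), new(big.Int).Set(s)
	for range []rune(pw) {
		total.Add(total, power)
		power.Mul(power, s)
	}
	return total
}

// EntropyBits is log2 of the search space, the usual "bits of strength".
func EntropyBits(pw string) float64 {
	f, _ := new(big.Float).SetInt(SearchSpace(pw)).Float64()
	if f <= 0 {
		return 0
	}
	return math.Log2(f)
}

// CrackSeconds is the worst-case time to exhaust the search space at the given
// guess rate; GRC's reference rates are 1e3/s (online), 1e11/s (offline) and
// 1e14/s (massive cracking array).
func CrackSeconds(pw string, guessesPerSecond float64) float64 {
	f, _ := new(big.Float).SetInt(SearchSpace(pw)).Float64()
	return f / guessesPerSecond
}

// Report summarises a candidate the way a user would read it.
func Report(pw string) string {
	if IsCommon(pw) {
		return fmt.Sprintf("%q: on the common-password list, found instantly regardless of search space", pw)
	}
	return fmt.Sprintf("%q: alphabet %d, %.1f bits, %.3g s online / %.3g s massive array",
		pw, CharsetSize(pw), EntropyBits(pw), CrackSeconds(pw, 1e3), CrackSeconds(pw, 1e14))
}

func main() {
	// Constructed candidates: a common one, a short mixed one, a long padded one.
	for _, pw := range []string{"Baseball", "aB1!", "D0g....................."} {
		fmt.Println(Report(pw))
	}
}
```

The point the numbers make is GRC’s: length dominates alphabet size, so a long, easily remembered padded password has a larger haystack than a short random one, but neither matters if the password is on a common list, which is why the dictionary check runs before the arithmetic.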

KeePass

KeePass is open-source, cross-platform software.  KeePass stores the password database in local storage.  The database is encrypted with strong, well-reviewed algorithms (AES-256 or Twofish; newer KeePass 2.x databases can also use ChaCha20).  Access to the KeePass database is controlled by a master password, a key file, or both.

KeePass is more suitable for accounts that you want to be extremely closely guarded, such as bank accounts, and for applications invoked through a client program on the computer (other than the browser).

LastPass

LastPass is a freemium password manager.  Passwords in LastPass are protected by a master password, encrypted locally, and synchronized to your other browsers and to LastPass’s cloud servers.  LastPass has a form filler that automates password entry and form filling.  It also supports password generation, site sharing and site logging.

LastPass is more suitable for online sites, services and web applications that are accessed through a browser on your computer.

LastPass – Logout Configuration for Improved Security

It is advisable to configure the LastPass browser plugin to log out automatically when the browser is closed or when the computer has been idle for 5 minutes.  Otherwise anyone with access to the unlocked browser session can retrieve every stored password.

The configuration screen is reached via: LastPass extension icon > Preferences > General > Security.

[Screenshot: LastPass logout configuration]

KeePass – Multi-User Support

KeePass databases can be shared by multiple users: anybody with the password or key file for a KeePass database (for example on a network share) can open and work with it.  KeePass offers Microsoft Office-style locking and Synchronize / Overwrite options for the case where several users save to the same file.  Refer to the KeePass documentation on multi-user support for more details.

Small teams in organizations tend to store their shared passwords in Microsoft Excel.  A shared KeePass database is an excellent replacement for Excel-based password management.  Bear in mind that everyone who can open the shared database holds its single master secret, so change it whenever a team member leaves.

KeePass and LastPass Portable Versions

Both KeePass and LastPass offer portable versions (which can be run from a USB thumb drive or USB hard disk) for people who access their sites from untrusted locations such as internet cafes and public computers.  Note that a portable password manager protects the stored database but not the session: a keylogger or screen capture on the untrusted machine still captures whatever is typed or displayed on it.


Other References:

http://www.online-tech-tips.com/ms-office-tips/how-to-remove-crack-or-break-a-forgotten-excel-xls-password/

https://en.wikipedia.org/wiki/KeePass

Where is LastPass database stored? https://lastpass.com/support.php?cmd=showfaq&id=425

https://en.wikipedia.org/wiki/LastPass
