IT Documentation - The Blog

Password Management

May 28, 2015

The way passwords are sometimes handled in companies can make your hair stand on end if you are aware of security issues. It is common practice to store even critical passwords in plain, unprotected documents. How, after all, do these people make sure that passwords can only be looked up by persons who are authorised to do so and who need the passwords to do their job in the company? Some people may even find it sensible to upload the password file to a public cloud so that it is always available. You can indeed choose to do all this, but you had better not!

Passwords must not be available to everybody

The IT Grundschutz catalogues issued by the BSI include a safeguard on this topic: “S 2.22 Escrow of passwords”. This safeguard explains how password management should be handled by governmental authorities. However, contrary to what the catalogues require, you will not get around noting down some passwords. In principle, this is no problem, but this documentation must definitely meet certain requirements: the passwords must always be stored in a safe way, i.e. you cannot avoid data encryption. And when an employee leaves the company or you choose a different external service provider, it is essential that you disable the old passwords and define new ones. This needs to be organised one way or another. What can you do if the employee who is leaving is the only person who knows a particular password? Lock him up until he gives it away? Not really realistic. And after all, how can you even know that this person alone knows this password or has noted it down somewhere? You had better avoid such a situation altogether. Define an internal process that satisfies this requirement.

There is no way around encryption

You need a solution which provides at least the following three features:

  • Passwords are stored with encryption
  • Access to individual passwords is restricted
  • Access to passwords is logged in an audit-proof manner

Each edition of the Docusnap documentation suite offers a solution to meet these challenges. On the one hand, passwords are stored in encrypted form in the database. For this purpose, Docusnap creates a unique encryption file which is required for accessing the passwords. On the other hand, access to individual passwords or the entire password management system can be controlled. This allows you to manage either individual passwords or password categories in a granular way. What is more, all accesses to individual passwords are logged so that you can trace at any time which password was accessed by which employee – and when this happened.
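To make the three requirements concrete, here is an added example (not Docusnap's code, and no part of the original post) of a minimal vault that stores entries encrypted under a key kept in a separate key file, restricts each entry to named users, and writes every access, granted or denied, to a hash-chained log so that later edits to the log can be detected. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM; all names and sample values are constructed for the illustration.

```python
import hashlib, hmac, json, secrets, time

def _keystream(key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode; illustration only, use a real AEAD (AES-GCM) in production.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Vault:
    def __init__(self, key_file_secret):
        self.key = key_file_secret   # kept in a separate file, analogous to an encryption file
        self.entries = {}            # name -> (ciphertext, users allowed to read it)
        self.audit, self._prev = [], b"\0" * 32   # hash-chained access log

    def _log(self, actor, action, name, ok):
        rec = {"ts": time.time(), "actor": actor, "action": action, "entry": name,
               "ok": ok, "prev": self._prev.hex()}
        digest = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).digest()
        self.audit.append((rec, digest))
        self._prev = digest

    def store(self, actor, name, secret, allowed):
        self.entries[name] = (encrypt(self.key, secret.encode()), set(allowed))
        self._log(actor, "store", name, True)

    def reveal(self, actor, name):
        ct, allowed = self.entries[name]
        ok = actor in allowed
        self._log(actor, "reveal", name, ok)   # denied attempts are logged as well
        if not ok:
            raise PermissionError(f"{actor} may not read {name}")
        return decrypt(self.key, ct).decode()

    def audit_intact(self):
        # Each record commits to its predecessor, so editing or deleting one breaks the chain.
        prev = b"\0" * 32
        for rec, digest in self.audit:
            if rec["prev"] != prev.hex() or hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).digest() != digest:
                return False
            prev = digest
        return True
```

A real deployment would persist the log append-only on a system the vault's administrators cannot silently rewrite; the chain only makes tampering detectable, not impossible.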

What could be an alternative? Finding one is difficult in any case, as every paper-based documentation will always confront you with problems related to access control and to the availability of this information. And what about emergencies, e.g. a fire in the office, after which you cannot access your records any longer? Maybe the password list is locked up in your safe which, in the meantime, has become unreachable because the police or firemen do not allow you to enter the building due to an intervention of the CIS team or danger of collapse. Of course, you can save your passwords in Microsoft Word or in a plain text file, but in this case you should make sure not to assign it a telltale file name such as “Passwords.docx”. Life could not be easier for potential attackers; you would virtually hand them the information on a silver platter. Unfortunately, access to plain files can only be restricted to a limited extent. Administrators will have no major problems retrieving the content of such a file if it is not encrypted. And simple “control mechanisms” such as protecting worksheets in Microsoft Excel do not constitute a real barrier either. Even a restriction on the file system level, e.g. by means of NTFS permissions, can generally be bypassed quite easily.

Therefore, it is recommended that you give the password management process some thought and properly map it once and for all. Maybe our blog post entitled “How to Document Your Passwords Safely” can help you with this task and give you some useful suggestions.