Storing rarely used single-purpose passwords

How do you handle the storage of passwords that, by nature of their usage, you can't expect administrators to memorize? Such as:

  • Administrator/root password when everyone logs on using their own account with administrator rights
  • Service account passwords that are only set during configuration, e.g. SqlServerAgent, SharePointSearchService, etc.
  • Web registrations for an entire company, e.g. Google Webmaster Tools, GoDaddy/VeriSign, MSDN, etc.

I certainly don't want to re-use a single password for so many different areas. Options we've considered:

  • Encrypted file on network share
  • Shared KeePass database
  • Password protected Wiki
  • Single base password with small modification for each area

This comes to mind as I try to install a password protected PFX file from home with the one-time use password stored in a notebook in my locked desk at work.


Solution 1:

I work at a show with several techs. We use Keepass/Keepassx and the files are stored in a subversion repository, that is only accessible via SSH with key-based authentication.

Using the VCS allows us to keep a copy of the password vaults offline and up-to-date. If you keep your password file on the server, what happens when that server fails, or if it stored on the internet, what happens when the internet fails.

Solution 2:

I use the open source PasswordSafe application for storing my personal passwords. I keep the database file on a DropBox volume, so it is accessible from anywhere. (hat tip: Joel)

There is no reason that the password database file can't be kept on a network share, and there is an option to open the password file in read-only mode.

Solution 3:

When i am setting up services that are rarely going to need to be logged into i try to use the most obscure password (start of an md5 hash for instance) and then just store it in an encrypted/password protected spreadsheet.

It keeps you from worrying about that if someone somehow got the password for your domain name that he could essentially gain access to the whole system.

Solution 4:

I save passwords in passwordsafe (or one of its variants) and keep the passwordsafe database in a folder shared by dropbox. (Dropbox syncs files online and across multiple computers).

I use Linux, and mostly use the command line pwsafe and occasionally MyPasswordSafe - both available in the ubuntu repositories.

Dropbox works on Windows, Mac and Linux, and there are programs that use the passwordsafe format on all three platforms aswell. The original works on Windows, there is a java version that works on Windows, Mac and Linux. For a fuller list, see the related projects page that shows platform support for Windows, Windows Mobile, Mac, Linux, BSD, Solaris, perl modules, C# support ...

Solution 5:

For single use passwords I set it and forget it. If I have to do something with it I reset it again knowing that it has a single purpose. This also keeps me from using the account for a second purpose. The account name will match the purpose and may be a long long winded name.