Do you use the same root password for every device?
I'd like to say "yes, everywhere", but it's still "no" in some instances. My company is using Password Safe to manage passwords for our Customers, creating "safes" on a customer-by-customer basis. Many Customers have unique randomly-assigned passwords for root, local administrator, devices, etc. Unfortunately, some (either because of work done by prior vendors, or by laziness on our part) may have the same password used in multiple devices or on multiple server computers.
For my personal passwords I've gotten interested in moving to a utility like Passwordmaker, which takes a "master passphrase" and some other fact (web site name, username, etc.) and creates a random password from a secure hash function. As long as you know your "master password" and the "other fact", you can use the software to regenerate your password each time you need it (i.e. the password is never stored anywhere, encrypted, plaintext, or otherwise).
I have yet to find a corporate password "vaulting" tool that does everything I want:
- SSL-based access from browsers as the UI
- LDAP authentication, permissions to access passwords in the database based on LDAP group membership.
- Maintains an audit trail of passwords accessed by each user (so I know what to change when someone leaves the company).
- Configurable notifications for password expiration based on user (i.e. "Expire every password that 'bob' ever used since we're firing him"), based on date password last set, or based on number of unique users who have accessed the password ("The whole helpdesk, IT department, and janitorial staff have accessed this password -- expire it.")
- Metadata on each password including party to notify via email in the event of expiration, creation date, last changed date, notes.
- Optional plug-in system to allow the password system itself to connect to systems and update expired passwords automatically.
- Ideally runs on a Windows or Linux-based webserver, probably using sqlite as the back-end.
I'd be willing to throw money or development time at such a project, but I've never found anything that comes close or wanted to spend the time to get it off the ground.
I use SSH keys, use the same one for all servers, and maintain a good password on my keyfile. Saves a lot of aggravation.
For devices where this wouldn't work, I'd use a password that had a hard-to-guess core, then use the devices dns name, IP, or other common characteristic (such as OS or brand), to make the password unique for the device. This worked especially well for groups of similar devices. Just keep the pattern/mnemonic secret, along with the core, and you have a difficult, unique password that was easy to remember.
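Both the Passwordmaker approach in the earlier answer (master passphrase + "other fact" through a hash) and the "secret core + device name" pattern in this answer are the same idea: a deterministic derivation. The following added example is not from either poster and is not Passwordmaker's algorithm; it uses PBKDF2-HMAC-SHA256 (a slow KDF rather than a single fast hash, so a leaked derived password gives an attacker less leverage against the master) and adds a rotation counter so one device's password can be changed without touching the core. The alphabet and host names are constructed for the example.

```python
import hashlib

# Constructed alphabet for the example: letters, digits and a few symbols.
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*"


def _bytes_to_chars(key: bytes, alphabet: str, length: int) -> str:
    # Rejection sampling: drop bytes that would make the modulo mapping uneven.
    limit = 256 - (256 % len(alphabet))
    chars = [alphabet[b % len(alphabet)] for b in key if b < limit]
    if len(chars) < length:
        raise ValueError("not enough unbiased bytes; derive a longer key")
    return "".join(chars[:length])


def derive_password(master: str, site: str, username: str = "",
                    counter: int = 1, length: int = 20,
                    iterations: int = 100_000) -> str:
    """Deterministically derive one password from a master passphrase.

    site/username are the 'other fact' and act as the salt; counter is a
    rotation number so a single password can be replaced without changing
    the master. Nothing is stored: the same inputs always yield the same
    password, and different sites or counters yield unrelated ones.
    """
    salt = "\x00".join([site.lower(), username, str(counter)]).encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations,
                              dklen=length * 4)
    return _bytes_to_chars(key, ALPHABET, length)


def meets_policy(password: str) -> bool:
    """Check the common 'one of each class' rule many devices enforce."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in "!@#$%^&*" for c in password))


if __name__ == "__main__":
    # Constructed inputs: one secret core, made unique per device DNS name.
    core = "correct horse battery staple"
    for host in ("fw01.branch.example", "sw-core.example"):
        pw = derive_password(core, host)
        print(host, pw, "policy ok" if meets_policy(pw) else "policy FAIL")
```

If a device rejects a derived password for policy reasons, bump the counter for that device rather than changing the core, and record the counter alongside the device since it is the only state the scheme needs.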