
!rant

What's the best technique for securely storing all the various credentials used throughout a business?

Comments
  • 1
    Are we talking passwords, usernames? What specifically?
  • 2
    If it's passwords, hash them and store the hashes, obviously use a good hashing algorithm, and you shouldn't need to retrieve the password just check if the hash matches when they enter a password.
  • 1
    ^^Also add salt to the hash to prevent someone using rainbow tables to brute-force.
  • 1
    Adding to what the other guy said: don't make up your own algo; as they say, the cryptology course you took at uni doesn't make you exempt from this. Good algorithms exist for that already. Phpass is a simple but powerful PHP library that'll do this for you. Store the salt along with the hash, then verify both are correct.
  • 0
    I don't think I was clear. I am talking about the usernames and passwords that are shared amongst multiple employees in a company. For example, say a company creates an admin portal for a client. The company creates a generic 'admin' username/password so they don't have to ask the client for credentials later when testing/troubleshooting. Generic, so the credentials aren't lost when people quit. Where should credentials like this be stored, so they're not lying around in some Excel file in clear text?

    I've worked at 3 places in my career and they've all had tons of these types of credentials just lingering around.

    There's gotta be a better way.
  • 1
    Passpack is decent enough for it.

    But you really should give each employee their own account so that you can:
    1) See who did what in your various systems.
    2) Revoke all access for a user when they leave the company (it really is a pain in the arse to change all passwords just because someone quit).
  • 1
    What we do is generate tokens when they need to log in as a client. The token is stored against a user ID and IP, so they are restricted; upon login the token is deleted, so it can only be used once. We've baked it into our basic framework, so every app we write has this functionality.
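The single-use login token bound to a user ID and IP that the comment above describes, as an added Python example (not code from the commenter's framework). The in-memory store, the five-minute lifetime and the choice to burn a token presented from the wrong address are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory store for the example: token digest -> record.
# A real deployment would keep this in the shared store the framework uses.
_TOKENS = {}
TOKEN_TTL_SECONDS = 300  # assumption: the comment gives no lifetime; 5 minutes here


def _digest(token):
    # Keep only a hash of the token, so a leaked store cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(user_id, client_ip, now=None):
    """Mint a high-entropy token tied to the requesting user and their IP."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _TOKENS[_digest(token)] = {
        "user_id": user_id,
        "ip": client_ip,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # handed to the client once; never logged or stored in clear


def consume_token(token, client_ip, now=None):
    """Validate and delete the token in one step; return user_id or None.

    The record is removed before any check, so a token is gone after its
    first presentation whether that attempt succeeds or not (a token shown
    from the wrong address is burned rather than left usable).
    """
    now = time.time() if now is None else now
    record = _TOKENS.pop(_digest(token), None)
    if record is None:
        return None  # unknown, already used, or burned
    if now > record["expires"]:
        return None  # stale tokens are not honoured
    if record["ip"] != client_ip:
        return None  # bound to the address it was issued to
    return record["user_id"]
```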