Opened 12 months ago

Last modified 5 months ago

#29677 assigned task

evaluate password management options

Reported by: anarcat
Owned by: tpa
Priority: Low
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Major
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description (last modified by anarcat)

During the org/meetings/2017Montreal/Notes/BusFactor session, one of the things that was discussed was the password management system that is (was?) stored in SVN. Specifically:

  • We need a better password management solution than the one we have in corporate SVN right now.
  • We should look over whether the passwords in this database should be rotated.
  • Figure out if the passwords for paypal have been rotated by Jon et al and ensure that it will be put in the password database. We should also look into the "paypal dongle" or 2-step authentication?

I have some experience reviewing password managers, so I might be able to provide some advice here if someone expands on the requirements and problems with the current approach.

Change History (5)

comment:1 Changed 12 months ago by anarcat

I just found out there's a password manager database in git, in ssh://, which is built with weasel's pwstore. Not sure how it relates to the discussion in Brussels.

comment:2 Changed 11 months ago by anarcat

There's also a KeePassXC instance somewhere used by jon, sue and sstevenson at least.

comment:3 Changed 11 months ago by anarcat

Note that another form of password management is the hkdf() function implemented in Puppet, for which I am considering using Trocla as a replacement. But that's not really a user-visible password manager; see #30009 for that discussion.

comment:4 Changed 6 months ago by anarcat

Description: modified (diff)

comment:5 Changed 5 months ago by anarcat

Description: modified (diff)

Known password managers:

  • TPA has a tor-passwords repository which uses weasel's pwstore
  • administration also stores passwords in SVN
  • Puppet generates passwords on the fly using a puppet-specific token (this might get replaced by trocla eventually, see #30009)
  • each worker probably has their own individual password managers, brains, and post-it notes on screens (hopefully no!) which we don't exactly know about

Anything else?
