
Re: [tor-bugs] #29677 [Internal Services/Tor Sysadmin Team]: evaluate password management options



#29677: evaluate password management options
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  tpa
     Type:  task                                 |         Status:
                                                 |  assigned
 Priority:  Low                                  |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Old description:

> during the [[org/meetings/2017Montreal/Notes/BusFactor]] session, one of
> the things that was discussed was the password management system that is
> (was?) stored in SVN. Specifically:
>
>  * We need a better password management solution than the one we have in
> corporate SVN right now.
>  * We should look over if the passwords in this database should be
> rotated.
>  * Figure out if the passwords for paypal have been rotated by Jon et al
> and ensure that it will be put in the password database. We should also
> look into the "paypal dongle" or 2-step authentication?
>
> I have some experience reviewing password managers, so I might be able to
> provide some advice here if someone expands on the requirements and
> problems with the current approach.

New description:

 during the [[org/meetings/2017Montreal/Notes/BusFactor]] session, one of
 the things that was discussed was the password management system that is
 (was?) stored in SVN. Specifically:

  * We need a better password management solution than the one we have in
 corporate SVN right now.
  * We should look over if the passwords in this database should be
 rotated.
  * Figure out if the passwords for paypal have been rotated by Jon et al
 and ensure that it will be put in the password database. We should also
 look into the "paypal dongle" or 2-step authentication?

 I have some experience reviewing password managers, so I might be able to
 provide some advice here if someone expands on the requirements and
 problems with the current approach.

--

Comment (by anarcat):

 Known password managers:

  * TPA has a `tor-passwords` repository which uses
 [https://github.com/weaselp/pwstore/ weasel's pwstore]
  * administration also store passwords in SVN
  * Puppet generates passwords on the fly using a puppet-specific token
 (this might get replaced by trocla eventually, see #30009)
  * each worker probably has their own individual password managers,
 brains, and post-it notes on screens (hopefully not!) which we don't
 exactly know about

 anything else?

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/29677#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online