Tag Archives: password management

SHIPS have set sail

I was most pleased when I saw the release of the SHIPS software from TrustedSec. The problem with managing local admin accounts could be a thing of the past with this tool, and the best thing about it, it is open source. The idea about SHIPS is rotating the local admin password with a random generated password. It is client and server based, so you have a server part which holds the passwords in encrypted form, as well as a client part which sets the actual password for local admin user on every box where you have the SHIPS client installed. It can be installed on laptops, desktops and servers, it does not really matter, as long as it is running Windows. The communication between the SHIPS server and client relies on HTTPS so nothing is transmitted or stored in clear text.

The most used solution today which is is a tool called AdmPWD does not support encryption in the version that is publicly available, passwords are stored in clear text in Active Directory. Not everyone can read that attribute but it would feel better knowing those passwords were indeed encrypted. With SHIPS, that problem is solved.

This looks like a great boost for everyone on a blue team as this has been and still is a real hassle. This will definitely make the life harder for any penetration tester. I cant wait to try this out. Thanks to TrustedSec for releasing this tool, awesome job, now I just wait for a Linux version!

Password management for shared passwords

How do you in your company or organization store passwords that are shared among staff or teams? I hope you do not use an unencrypted spreadsheet located on a network share in a folder named Passwords.

Most probably use a password manager application such as Keepass and even though it is open source (which I like) and sounds very good, it has weaknesses. Even though it uses AES 256 bit encryption, the encryption is no good if the passphrase is chosen poorly. This is not a flaw of just Keepass, but any password manager software. Second, even if the passphrase is very good, it can still be defeated by a key-logger which sniffs the passphrase. So, no real joy.

Many password managers also comes with browser extensions for easy fill in the password functionality when browsing the web. This has been proven to be quite a bad idea as all it took was some javascript to defeat this. Kevin Mitnick and Dave Kennedy showed a demo of this at Derbycon, see this youtube video.

But the problem is still there, how do you share passwords in a secure manner? The storage of the passwords needs to be encrypted or secured in a physical way to prevent unauthorized access. But it also needs to be available for the people who require them. There in lies the problem, and it is a very difficult problem.

I have no real answer to this question, but there are things you can do that will slow an attacker down. Use a standalone network which cant be accessed from the Internet, actually it should only be accessible from a secure physical location. Do that, and the attacker will have to go to great lengths to retrieve data. It is when we get sloppy and just save our passwords in plain text on a network share that the attackers get that easy win. Do not make it that easy, make the extra effort and stay safe.