THE SQL Server Blog Spot on the Web

Welcome to - The SQL Server blog spot on the web Sign in | |
in Search

Argenis Fernandez

DBA Best Practices - A Blog Series: Episode 2 - Password Lists


Digital World, Digital Locks

One of the biggest digital assets that any company has is its secrets. These include passwords, key rings, certificates, and any other digital asset used to protect another asset from tampering or unauthorized access.

As a DBA, you are very likely to manage some of these assets for your company - and your employer trusts you with keeping them safe. Probably one of the most important of these assets are passwords. As you well know, the can be used anywhere: for service accounts, credentials, proxies, linked servers, DTS/SSIS packages, symmetrical keys, private keys, etc., etc.

Have you given some thought to what you're doing to keep these passwords safe? Are you backing them up somewhere? Who else besides you can access them?

Good-Ol’ Post-It Notes Under Your Keyboard

If you have a password-protected Excel sheet for your passwords, I have bad news for you: Excel's level of encryption is good for your grandma's budget spreadsheet, not for a list of enterprise passwords.

I will try to summarize the main point of this best practice in one sentence: You should keep your passwords on an encrypted, access and version-controlled, backed-up, well-known shared location that every DBA on your team is aware of, and maintain copies of this password "database" on your DBA's workstations.

Now I have to break down that statement to you:

- Encrypted: what’s the point of saving your passwords on a file that any Windows admin with enough privileges can read?

- Access controlled: This one is pretty much self-explanatory.

- Version controlled: Passwords change (and I’m really hoping you do change them) and version control would allow you to track what a previous password was if the utility you’ve chosen doesn’t handle that for you.

- Backed-up: You want a safe copy of the password list to be kept offline, preferably in long term storage, with relative ease of restoring.

- Well-known shared location: This is critical for teams: what good is a password list if only one person in the team knows where it is?

I have seen multiple examples of this that work well. They all start with an encrypted database. Certainly you could leverage SQL Server's native encryption solutions like cell encryption for this. I have found such implementations to be impractical, for the most part.

Enter The World Of Utilities

There are a myriad of open source/free software solutions to help you here. One of my favorites is KeePass, which creates encrypted files that can be saved to a network share, Sharepoint, etc. KeePass has UIs for most operating systems, including Windows, MacOS, iOS, Android and Windows Phone.

Other solutions I've used before worth mentioning include PasswordSafe and 1Password, with the latter one being a paid solution – but wildly popular in mobile devices.

There are, of course, even more "enterprise-level" solutions available from 3rd party vendors. The truth is that most of the customers that I work with don't need that level of protection of their digital assets, and something like a KeePass database on Sharepoint suits them very well.

What are you doing to safeguard your passwords? Leave a comment below, and join the discussion!



Published Thursday, November 29, 2012 7:10 PM by Argenis

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS



Dale said:

And if you don't need that level, you can also just use a SharePoint list and lock it down with appropriate permissions.

November 29, 2012 9:34 PM

Jason Horner said:

We store our passwordsafe files in a sharepoint library. I also keep a copy up on skydrive in a private folder....

Don't laugh 8)

November 30, 2012 6:42 PM

paranoid admin guy said:

I feel it's too risky to keep critical passwords on any sort of local disk, network share, or cloud service.  (Think PCI compliance) I keep my list on an IronKey encrypted USB flash drive, which I carry with me everywhere I go.  It's remotely erasable should it be lost.  There's a printed copy of the passwords kept in a locked safe at the office, that the CEO can access in the event of my demise.

December 1, 2012 10:44 AM

Paul Smith said:

Keypass is our device of choice file is on a network share

3 copies of the encryption key

1 = oncall DBA (USB Key)

1 = IT Manager

1 = Firesafe

December 1, 2012 11:09 AM

HM said:

Password-protected Excel sheet and then compressed with Winzip encryption.

December 3, 2012 6:59 AM

SQL Server Monkey said:

I use a locally hosted installation of Secret Server ( for passwords, application license keys etc. Works well and easy enough to backup.

December 8, 2012 1:35 PM

Leave a Comment

Privacy Statement