Ask HN: How do you store Unix passwords for your servers?

5 points by georgerobinson ↗ HN
Happy Sunday!

I have a question for you HN readers about password security (or rather, storing passwords securely!).

I don't use password authentication (disabled in sshd_config) to SSH into my remote hosts. However, that doesn't mean I can simply throw away the password once PKA is set up. I might need to run su to login as root to install software, or to execute other privileged operations.

How do you store said passwords? Do you use a password manager? If so, do you ensure that your password manager is available even when you're away from your machine? Is there a particular software suite that you use, or would recommend?

5 comments

[ 6.3 ms ] story [ 20.7 ms ] thread
Have a general password generation rule for servers and accounts for eg : my/family name + website/server name + current month/year + !@# + some movie name etc ... i tend not to trust any one with passwords .
You might want to think through if that pattern isn't really on the list of the one terabyte of passwords and phrases that a good password cracker might build to filter through his GPU rack.

That is to say, I would venture that passwords by this or any other scheme is too easy to crack. Better have something like 1password generate them for you.

I dont completely agree or disagree . There are more factors like my native language being non english and what i type is translated version of language to english and some other factors , I find it more secure thn trusting some one else . Personal preference , although I would love some maths on the top of it , cant talk without numbers .
You're probably overthinking it. Use SSH keys to log in, and if you want to lock things down further than "admin users are simply in sudoers", then write a more complicated sudoers that permits only some commands for some users.

In practice, an attacker who gets a shell on one of your servers has game-over access to the data center the server's in.