Ask HN: Best practices for safeguarding master password in organization?
How does one protect a master password to a password manager? I am particularly interested in how this is handled in a small organization of under 10-50 people. You can share it among 2-3 top executives but ultimately doesn't there have to be someone who solely controls the changing and sharing of the password, and granting privileges? And what if that person gets fired or decides to become a malevolent actor? Is there any mechanism that would require multiple people to consent to a change in password and admin rights? Would be interested to hear how different organizations have dealt with this or if there are published industry standards on how to handle. Thank you.
52 comments
[ 1.2 ms ] story [ 340 ms ] threadI don't think a solution like this works directly for the specific situation that OP describes, but I do think it's a good solution for an AWS root account at an organization of the size he is talking about.
Put it in a shared vault which can be accessed by however many people require it. They access the shared vault via their own password manager account.
Shamir's Secret Sharing software, ssss, will let you encrypt a file and split it into pieces so that 3 of 5 people are needed to decrypt.
http://point-at-infinity.org/ssss/
Yeah it’d be better to use https since it lists some checksums, but it was last updated in 2018, and Debian packages are verified anyway.
Hopefully anyone interested for more than academic reasons does their research on the range of solutions more widely available.
If you are concerned, 0pointer.net has contact info.
Some of that is covered from a legal angle; they might be able to technically pull it off, but they'd also go to jail for doing so
I can imagine a company whose business is impacted by intentional deletion of data by an aggrieved ex-employee could make a convincing case in a civil suit, even if criminal charges don't stick.
[0]: https://mprimi.github.io/portable-secret/
RE: Sharing.
Nobody should be sharing a password manager account. If this is happening it usually means somebody doesn't want to pay for the seats to have individual accounts. You give each user their own account, and if you need more than one admin, you have more than one admin, but you shouldn't be sharing an admin account.
This would also apply if you're not talking about the pw manager's master password but something more like an AWS root account. That root account needs to exist, but its credentials should be a secret in the password manager vault that is shared with anyone who needs it (based on roles/access rules/principle of least privelege), and you should create additional administrative roles within the system you're securing instead of leveraging those root credentials (as much as possible) operationally.
RE: Bad actors
SSO is the answer here. You use a password manager with SSO integration, and you cancel the person's account the second they depart. At previous orgs they literally cancel the account while the person is still in the building and being walked down the hall to be informed that they're being asked to leave. It's definitely on the cruel side but if you're concerned or wanting to emphasize the security of the data first and foremost, that's what you do.
Both parts of the answer above involve $$$. Most services require paying for a higher tier if you want SSO integration (both on the side of the provider like Google Workspaces and the tool like 1Password), and both require paying for head count.
But this is the answer to "best practices". If there's a financial impediment that prevents you from doing these two things, then you can't use the "best practices". That's the unfortunate nature of the beast, and why there are so many online disagreements about the concept of an "SSO Tax".
EDIT: Lots of comments about sharing the root passwords in general. I made a few assumptions here that I thought were implied but outside of the direct scope of the question, so I'm going to add them here.
- MFA should be required, full-stop, and it should be provided by something connected to your SSO. Okta or Google Authenticator, or even better if you use hardware keys like a Yubikey. There's still risk in having shared access to the root account credentials but this helps mitigate it, as even if the person takes the password with them it'll be much much harder for them to use it.
- Password rotation. That's an obvious one. Just change the paswords every time there's a departure.
- Clarification on role-based access. With shared vaults on enterprise/team plans you can restrict who is able to actually see the items once dropped in to the password manager. You shouldn't expose the AWS Root Account to the whole org. You should expose it to whoever actually needs it, and you should use it as little as possible, that's what was meant by this statement:
> you should create additional administrative roles within the system you're securing instead of leveraging those root credentials (as much as possible) operationally.
As an example, here are AWS's guidelinesn for securing the root account:
https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user_s...
Most of them get distilled down to "don't actually use the root account for anything unless absolutely necessary, and share it with as few people as possible", with nuggets such as:
1. Don't create access keys for the root user
and
2. Never share your root user password or access keys with anyone
The idea being ...
You could also rotate the root password every time there's a departure from the teams that have visiblity if it's that big of a deal.
Note that revocation is insufficient to protect current passwords: The user may have made a copy. For that you need password rotation and second factors like a hardware token.
Regardless, shared credentials should be reserved for when there no other solution is technically possible. At the very least when shared credentials cannot be avoided, try to split it into multiple domains - read-only vs "production open heart surgery", devs vs prod admins, automation vs humans, etc. For automation, always make new tokens for each use - and never store them, as you can always make more. Consider only issuing credentials to people upon request, and revoking them after the fact. There are many mechanisms to reduce risk.
Not necessarily. You can set up things so that that requires two persons (https://en.wikipedia.org/wiki/Two-man_rule), or any 3 out of a group of 5, etc (https://en.wikipedia.org/wiki/Shamir%27s_secret_sharing)
It's unfortunate that this site only is HTTP-only and doesn't offer SSL/TLS. For an application using cryptography, it strikes me as odd that it wouldn't be available over a secure channel.
It's also odd that there are SHA-1 hashes of the downloadable files since those hashes are also presented over an insecure channel.
On the other hand I think a two-person SSH is probably an easier thing to build in terms of recording what was done for audit, and maybe even require both parties to confirm commands before executing them. Also your SSH server could require both parties with different keys to login before it starts or something. I think this kind of stuff would be harder to implement in a web browser (but just as useful probably)
You can have 2 trusted people be administrators of the 1P account. Then you create a shared vault for anyone who needs access to the master credentials and store them all in said shared vault. You can have multiple vaults with multiple different sets of credentials and access (Ex a vault for HR is going to have different creds and people than a vault for DevOps). Note: The list of administrators and the list of people with access to the shared vault doesn't need to be the same people.
If someone who's in the trust circle quits or gets fired, you have someone else remove their access (just like any other offboarding) and go change the applicable credentials.
As for insider threat, there isn't a lot you can do if you give someone access to the credentials. For the admin, that should be easy - certainly, you can find 2 people in an organization who can be trusted implicitly (even if one of them is required to be the CEO/founder). If you're worried that someone is going to go rogue, then don't give them access to the information in the first place.
There is some stuff that just doesn't need to be broadly shared...lets say master passwords for AWS accounts. Really very very very few people will ever need those - mostly for "Break glass in case of emergency" purposes, right? So your Director of DevOps has access and maybe one other person. If you can't trust that Director of DevOps to have those credentials.... well honestly your organization has bigger issues.
What do you think about trying something like, "Good points about using a password manager. I think Bitwarden is better than 1password becuase it: is open source, it can be self hosted, and you could switch to a fork if they get shady."
Because you wouldn't be implicitly calling them ignorant this way, they're more likely to hear your message.
Isn't there still a "Secret Key" that you have to keep somewhere? It's a long random string, too, so you can't easily memorize it. I always lose this and have to keep it somewhere super-unsafe... it's the weakest part of my security, ironically.
https://support.1password.com/secret-key-security/
For larger companies, you'd use CyberArk, so you can grant roles, get audit logs, use a HSM, etc.
AWS recommends actually throwing away the root key after you grant full access to an IAM user. In the rare case you need it, you can recover it via support.
But generally speaking a password manager with built in credential sharing is your best bet. In most cases the CEO would own that account, or in a good org ownership is shared and/or split amongst a few top execs.
But if you want a model to not follow, don't just share the AWS root key with all devs. That's what we did at reddit when we first started, before any best practices existed (And before IAM existed).
Split the secret into 5 pieces and require any 2 pieces to recreate the master key. Give the five pieces to senior managers or technical resources.
Regenerate the secrets whenever someone leaves.
Store the encrypted secret in a folder where only the five users can access it, and access is logged to cybersecurity.
Or, print it and store it in a safe in an access controlled room.
100% of the things done to access/modify our secrets & infrastructure are logged in our cloud ecosystem in a manner completely outside our control (AWS or Azure hold the log). We cannot delete or edit these. All we can do is read them and receive reports or alerts.
If someone with global admin decides they want to become DBA over a highly-sensitive SQL Server instance, nothing would actually stop them from acquiring this access. We aren't protecting nuclear material or other defense/life-safety-critical items. If someone wants to risk their career to do the wrong thing with our data (or our customers' data), then I say go for it. I will lose exactly zero sleep terminating someone who does something that stupid. Our policy isn't even explicit. This is one of those "if you have to ask, you shouldn't be working here" kinds of things.
Fear is a much more efficient tool than key splitting schemes, physical vaults, armed guards, etc.
The developer signing keys are set to expire after one year, while the QMSK [Qubes Master Signing Key] and RSKs [Release Signing Keys] have no expiration date. The QMSK was generated on and is kept only on a dedicated, air-gapped “vault” machine, and the private portion will (hopefully) never leave this isolated machine.
Alternatively one could use split-gpg, but it's probably a tiny bit less secure: https://www.qubes-os.org/doc/split-gpg/.
See also: https://github.com/QubesOS/qubes-issues/issues/2818
For ultimate offline secrets like HSM, CA, or crypto private keys, buy new printers, print the secrets as QR codes and keep them in safety deposit boxes at 2-3 different banks.
For passwords you don't want any one exec to have, use N-person keying by splitting 1 or multiple keys into pieces such that a quorum of 2,3, etc. are needed to utilize the secret.
(Ok to be honest is related to a book I have in my room, so I feel like I'd at some point remember it when desperate...)