Company-wide password scheme for different customers

Question

Consider a company that delivers a network of computers as part of its deliveries. And it does this for hundreds of different customers. All of the PCs need to have secure passwords. This at least means:

• The password should conform to the basic password rules (capitalization, numbers, special characters, etc.)
• The same password shouldn't be used for different customers.
• The password shouldn't be easily guessable.
• If possible, the same password shouldn't be used for different PCs in the network (but it may be acceptable to do so).
• Since there is also a need to maintain these systems as part of the delivery, the operators need to be able to retrieve a password for a specific system easily without causing any security problems (like forwarding passwords in emails, etc.).

Here are my questions regarding such a setup:

1. Is it advisable to create a password scheme such that the operators can "calculate" the password without having to look up? [Problem is, once the scheme is disclosed, all systems will have a security problem.]
2. How should the passwords be stored/retrieved for good security? [Is there a program that can be used to access a secure database with a web interface?]

I found WebKeePass during my investigation (which looks promising). One other option was to print the passwords and keep them in a locked filing cabinet in a disused lavatory in a basement with a sign on the door saying 'Beware of the Leopard'? but I believe that wouldn't be convenient for the operator. I wonder what are the other options would be...

Update: The "web" interface doesn't have to be open to public access (i.e., it can be accessible only within a VPN).

Answer 1

Since the users aren't able to choose their password, the passwords should be generated randomly. If the passwords are generated using some algorithm, as you stated, once the algorithm is cracked, all of the passwords can be cracked.

If you must store retrievable passwords, you should still encrypt and salt them. See adobe's recent issue where 150 million of adobe's encrypted passwords were leaked. The problem with unsalted passwords is that even if I can't crack the encryption, I can still see everybody who has the same password as me.

Admin Retrieval

For admin-only retrieval of passwords, you could use a password vault system, where one password entered by a staff member unlocks access to additional stored passwords. Ideally, you should have a system where you can select and display a single password on the screen. It should encrypt the passwords, log accesses, and be controlled by an administrator.

This could be a web-based system, but hosted internally on an intranet, perhaps accessed through a VPN. RDP or something similar may also be viable, perhaps even using two-factor authentication.

Unfortunately, we don't recommend products on StackOverflow.

End User Retrieval

We've designed a system in the past where you can recover a password via a HTTPS secured web site. You simply enter your username, and a random one-time-use retrieval code is delivered to the email address on record.

While we're not in control of the security level on their email account, we at least assume that only the user knows the password to access the email account. This forces the user to re-authenticate in some form in order to retrieve their password.

They then type the retrieval code into a web form and are shown their password. Again, this web site is secured with HTTPS. Additionally, the user must keep the web page open during the transaction (secure session), and the IP address must not change during the transaction.